In today’s world, cybersecurity threats are more prevalent than ever before. Companies face a growing number of threats, including malware, phishing attacks, ransomware, and more. To combat these threats, many companies are turning to Security Information and Event Management (SIEM) systems to monitor their networks and detect potential threats in real time. However, simply deploying a SIEM is not enough. Companies must ensure that their SIEM is working effectively and efficiently to protect their organization from cyber threats.
The Goals of a SIEM
According to Gartner, SIEM technology supports threat detection and security incident response through the real-time collection and historical analysis of security events from a wide variety of event and contextual data sources. The main goals of a SIEM are to:
Collect a variety of events
Establish context
Implement capabilities for real-time analysis
Implement capabilities for historical analysis
While a SIEM is a core product in a cybersecurity program, it is important to note that it is just one piece of the puzzle. A comprehensive security solution must combine the SIEM with sensor placement, threat intelligence, and more to improve visibility, detection, and response capabilities.
Threat-Informed Security Monitoring
To ensure that a SIEM is working effectively, it is important to implement threat-informed security monitoring. This approach involves monitoring for known threat indicators and behaviors, which can be derived from publicly available threat intelligence feeds or in-house research, to detect potential security incidents. Threat-informed security monitoring is based on the concept of knowing your enemy and their tactics, techniques, and procedures (TTPs).
The MITRE ATT&CK framework is a widely recognized and adopted methodology for threat-informed security monitoring. This framework provides a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. By implementing the MITRE ATT&CK framework, security teams can map their defensive capabilities against known adversary behaviors and identify gaps in their security posture.
Architecture for Threat-Informed Security Monitoring
A well-designed architecture is critical to ensure that a SIEM is effective in threat-informed security monitoring. The following are some of the key architectural requirements:
Data Collection: The SIEM must be capable of collecting a wide variety of security events from a range of sources, including network traffic, system logs, cloud services, and more. Open-source solutions such as Sysmon, Zeek, and Suricata can be used to enhance data collection capabilities.
Threat Intelligence: A reliable source of threat intelligence feeds must be established and integrated into the SIEM to enrich the security events with contextual information. Open-source solutions such as MISP, TheHive, and STIX/TAXII can be used for this purpose.
Detection Rules: Detection rules based on the MITRE ATT&CK framework must be established and continuously updated to detect adversary behaviors and TTPs. Open-source solutions such as Sigma, Atomic Red Team, and YARA can be used to develop detection rules.
Correlation: The SIEM must have the ability to correlate security events across different sources to identify related security incidents. Open-source solutions such as Elasticsearch and Apache Kafka can be used to enhance correlation capabilities.
Analytics: The SIEM must have the ability to analyze security events and identify anomalies and patterns that could indicate a security incident. Open-source solutions such as Apache Spark and Jupyter Notebook can be used for this purpose.
Response: The SIEM must have the ability to initiate a response action in real-time once a security incident is identified. Open-source solutions such as Osquery and Wazuh can be used to automate response actions.
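The following is an added example, not code from the original article or from any of the products it names. It strings the architectural stages above together in miniature: collection of two normalised log sources, enrichment against a threat-intelligence indicator set, ATT&CK-tagged detection rules in the spirit of Sigma, cross-source correlation per host, and a coverage report that lists the ATT&CK techniques the rule set does not yet address. Every log line, indicator, host name and rule name is constructed for the demo; the ATT&CK technique IDs are real, but which rule covers which technique is the author's own mapping here.

```python
"""Miniature threat-informed detection pipeline (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Collection layer output: Sysmon-style process creations and Zeek-style DNS
# records, already normalised to one JSON object per line. All constructed.
RAW_EVENTS = [
    r'{"ts":"2024-01-10T09:00:01","source":"sysmon","host":"ws01","event":"process_create",'
    r'"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",'
    r'"cmdline":"powershell -enc SQBFAFgA","parent":"winword.exe"}',
    r'{"ts":"2024-01-10T09:00:05","source":"zeek","host":"ws01","event":"dns",'
    r'"query":"update.example-bad.test"}',
    r'{"ts":"2024-01-10T09:30:00","source":"sysmon","host":"ws02","event":"process_create",'
    r'"image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd /c dir","parent":"explorer.exe"}',
    r'{"ts":"2024-01-10T10:00:00","source":"zeek","host":"ws02","event":"dns",'
    r'"query":"www.example.com"}',
]

# Threat-intelligence indicators (constructed stand-in for a MISP/STIX feed).
THREAT_INTEL = {"update.example-bad.test": "constructed C2 domain"}

# Sigma-like detection rules. Each checks the event type first so that fields
# that only exist on one event type are never read on another.
def rule_office_spawns_powershell(e):
    return (e["event"] == "process_create"
            and e["parent"].lower() in {"winword.exe", "excel.exe"}
            and e["image"].lower().endswith("powershell.exe"))

def rule_encoded_powershell(e):
    return e["event"] == "process_create" and " -enc " in e["cmdline"].lower()

def rule_dns_to_known_indicator(e):
    return e["event"] == "dns" and e["query"] in THREAT_INTEL

# (rule name, ATT&CK technique the rule is mapped to, predicate)
RULES = [
    ("Office application spawning PowerShell", "T1059.001", rule_office_spawns_powershell),
    ("Encoded PowerShell command line", "T1059.001", rule_encoded_powershell),
    ("DNS query for a threat-intel indicator", "T1071.004", rule_dns_to_known_indicator),
]

def collect(raw_lines):
    """Collection: parse each JSON line and turn the timestamp into a datetime."""
    events = []
    for line in raw_lines:
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events

def enrich(events):
    """Threat intelligence: attach indicator context to events whose query matches."""
    for e in events:
        e["intel"] = THREAT_INTEL.get(e.get("query"))
    return events

def detect(events):
    """Detection: run every rule over every event and emit ATT&CK-tagged hits."""
    hits = []
    for e in events:
        for name, technique, match in RULES:
            if match(e):
                hits.append({"ts": e["ts"], "host": e["host"], "source": e["source"],
                             "rule": name, "technique": technique, "intel": e.get("intel")})
    return hits

def correlate(hits, window=timedelta(minutes=5)):
    """Correlation: an incident needs hits from at least two different log sources
    on the same host inside the window, which filters single-source noise."""
    by_host = defaultdict(list)
    for h in sorted(hits, key=lambda h: h["ts"]):
        by_host[h["host"]].append(h)
    incidents = []
    for host, hs in by_host.items():
        for i, anchor in enumerate(hs):
            cluster = [h for h in hs[i:] if h["ts"] - anchor["ts"] <= window]
            if len({h["source"] for h in cluster}) >= 2:
                incidents.append({"host": host,
                                  "techniques": sorted({h["technique"] for h in cluster}),
                                  "rules": [h["rule"] for h in cluster]})
                break  # one incident per host is enough for the demo
    return incidents

def coverage_gaps(required_techniques):
    """Map the rule set against the techniques the team wants covered; list the gaps."""
    covered = {technique for _, technique, _ in RULES}
    return sorted(set(required_techniques) - covered)

def run_pipeline(raw_lines=RAW_EVENTS):
    """Collection -> enrichment -> detection -> correlation, returning incidents."""
    return correlate(detect(enrich(collect(raw_lines))))

if __name__ == "__main__":
    for incident in run_pipeline():
        print("INCIDENT", json.dumps(incident))
    # Constructed target list: two techniques are covered, two are gaps.
    print("uncovered techniques:",
          coverage_gaps(["T1059.001", "T1071.004", "T1003", "T1021.001"]))
```

On the constructed data the pipeline raises one incident for ws01 (Office-spawned, encoded PowerShell followed seconds later by a DNS query for a known indicator) and nothing for ws02, whose lone cmd.exe launch and benign DNS lookup never satisfy a rule. The coverage report is the ATT&CK-mapping step from the previous section in code: listing required techniques that no rule is tagged with is the quickest way to see where the detection backlog should start.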
Benefits of Threat-Informed Security Monitoring
Implementing threat-informed security monitoring in a SIEM can provide a range of benefits, including:
Improved detection capabilities: By monitoring for known threat indicators and behaviors, security teams can detect potential security incidents in real time.
Reduced false positives: By correlating security events across different sources, security teams can reduce the number of false positives and focus on actual security incidents.
Improved response times: By automating response actions, security teams can respond to security incidents faster and reduce the impact of a breach.
Improved visibility: By collecting a wide variety of security events from different sources, security teams can improve their visibility into the organization’s security posture.
Conclusion
A SIEM is a core component of a comprehensive security solution, but simply deploying a SIEM is not enough to protect an organization from cyber threats. To ensure that a SIEM is working effectively, companies should implement threat-informed security monitoring, which involves monitoring for known threat indicators and behaviors to detect potential security incidents. The MITRE ATT&CK framework is a widely recognized methodology for threat-informed security monitoring, and a well-designed architecture is critical to ensure that a SIEM is effective in threat-informed security monitoring. By implementing threat-informed security monitoring in a SIEM, companies can improve their detection capabilities, reduce false positives, improve response times, and improve their visibility into their organization’s security posture.