The hive
In today’s world, cybersecurity threats are more prevalent than ever before. Companies are facing a growing number of threats, including malware, phishing attacks, ransomware, and more. To combat these threats, many companies are turning to Security Information and Event Management (SIEM) systems to monitor their networks and detect potential threats in real time. However, simply deploying a SIEM is not enough. Companies must ensure that their SIEM is working effectively and efficiently to protect their organization from cyber threats.
The Goals of a SIEM
According to Gartner, SIEM technology supports threat detection and security incident response through the real-time collection and historical analysis of security events from a wide variety of event and contextual data sources. The main goals of a SIEM are to:
- Collect a variety of events
- Establish context
- Implement capabilities for real-time analysis
- Implement capabilities for historical analysis
While a SIEM is a core product in a cybersecurity program, it is important to note that it is just one piece of the puzzle. A comprehensive security solution must include a combination of the SIEM, sensor placement, threat intelligence, and more to improve visibility, detection, and response capabilities.
Threat-Informed Security Monitoring
To ensure that a SIEM is working effectively, it is important to implement threat-informed security monitoring. This approach involves monitoring for known threat indicators and behaviors, which can be derived from publicly available threat intelligence feeds or in-house research, to detect potential security incidents. Threat-informed security monitoring is based on the concept of knowing your enemy and their tactics, techniques, and procedures (TTPs).
The MITRE ATT&CK framework is a widely recognized and adopted methodology for threat-informed security monitoring. This framework provides a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. By implementing the MITRE ATT&CK framework, security teams can map their defensive capabilities against known adversary behaviors and identify gaps in their security posture.
Architecture for Threat-Informed Security Monitoring
A well-designed architecture is critical to ensure that a SIEM is effective in threat-informed security monitoring. The following are some of the key architectural requirements:
- Data Collection: The SIEM must be capable of collecting a wide variety of security events from a range of sources, including network traffic, system logs, cloud services, and more. Open-source solutions such as Sysmon, Zeek, and Suricata can be used to enhance data collection capabilities.
- Threat Intelligence: A reliable source of threat intelligence feeds must be established and integrated into the SIEM to enrich the security events with contextual information. Open-source solutions such as MISP, TheHive, and STIX/TAXII can be used for this purpose.
- Detection Rules: Detection rules based on the MITRE ATT&CK framework must be established and continuously updated to detect adversary behaviors and TTPs. Open-source solutions such as Sigma, Atomic Red Team, and YARA can be used to develop detection rules.
- Correlation: The SIEM must have the ability to correlate security events across different sources to identify related security incidents. Open-source solutions such as Elasticsearch and Apache Kafka can be used to enhance correlation capabilities.
- Analytics: The SIEM must have the ability to analyze security events and identify anomalies and patterns that could indicate a security incident. Open-source solutions such as Apache Spark and Jupyter Notebook can be used for this purpose.
- Response: The SIEM must have the ability to initiate a response action in real time once a security incident is identified. Open-source solutions such as Osquery and Wazuh can be used for this purpose.
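The "Detection Rules" and "Correlation" requirements above are easier to reason about with a concrete rule in hand. The following is an added example, not code from the original post or from the Sigma project: it evaluates a rule written in a small subset of Sigma's schema (a selection block, an exclusion filter, and ATT&CK tags) against constructed Sysmon-like process-creation events, and then compares the technique IDs the rule set claims against a list of techniques the team cares about, which is the gap analysis the ATT&CK section describes. The rule id, hostnames, and the management-agent path used in the filter are placeholders.

```python
"""Minimal Sigma-style detection rule evaluator with ATT&CK tagging.

Added example, not code from the original post: the rule is written in a
small subset of Sigma's YAML schema (expressed here as a Python dict) and the
events are constructed Sysmon-like records, not real telemetry. Rule id,
hostnames and paths are placeholders.
"""
from typing import Any, Dict, Iterable, List

# Constructed sample events in a Sysmon-like shape (EventID 1 = process creation).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"EventID": 1, "Computer": "ws01.example.test",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <base64-placeholder>"},
    {"EventID": 1, "Computer": "ws02.example.test",
     "ParentImage": "C:\\Program Files\\MgmtAgent\\agent.exe",  # placeholder admin tool
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -enc <base64-placeholder>"},
    {"EventID": 1, "Computer": "ws03.example.test",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 3, "Computer": "ws01.example.test",
     "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationPort": 443},
]

# A Sigma-like rule: a selection, an exclusion filter for a known-good parent
# process, and ATT&CK tags that tie the rule to the technique it covers.
ENCODED_POWERSHELL_RULE: Dict[str, Any] = {
    "title": "Encoded PowerShell command line",
    "id": "00000000-0000-0000-0000-000000000001",  # placeholder rule id
    "level": "high",
    "tags": ["attack.execution", "attack.t1059.001"],
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "EventID": 1,
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": [" -enc ", " -encodedcommand "],
        },
        "filter": {"ParentImage|endswith": "\\MgmtAgent\\agent.exe"},
        "condition": "selection and not filter",
    },
}


def _field_matches(event: Dict[str, Any], key: str, expected: Any) -> bool:
    """Evaluate one 'Field|modifier: value(s)' entry; a list of values is OR-ed."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    actual = event[field]
    for want in (expected if isinstance(expected, list) else [expected]):
        if modifier == "":
            if actual == want:
                return True
            continue
        a, w = str(actual).lower(), str(want).lower()  # Sigma string matching is case-insensitive
        if (modifier == "contains" and w in a) or \
           (modifier == "startswith" and a.startswith(w)) or \
           (modifier == "endswith" and a.endswith(w)):
            return True
    return False


def _block_matches(event: Dict[str, Any], block: Dict[str, Any]) -> bool:
    """All entries inside one named block (selection, filter, ...) are AND-ed."""
    return all(_field_matches(event, k, v) for k, v in block.items())


def evaluate(rule: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Supports the conditions 'X' and 'X and not Y', a subset of Sigma's grammar."""
    det = rule["detection"]
    positive, _, negative = det["condition"].partition(" and not ")
    if not _block_matches(event, det[positive.strip()]):
        return False
    return not negative or not _block_matches(event, det[negative.strip()])


def techniques(rule: Dict[str, Any]) -> List[str]:
    """'attack.t1059.001' -> 'T1059.001' (tactic tags such as attack.execution are skipped)."""
    return [t[len("attack."):].upper() for t in rule["tags"] if t.startswith("attack.t")]


def run_rules(rules: List[Dict[str, Any]], events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one hit per (rule, event) match, already labelled with ATT&CK technique IDs."""
    return [
        {"rule": r["title"], "rule_id": r["id"], "level": r["level"],
         "techniques": techniques(r), "host": ev.get("Computer")}
        for ev in events for r in rules if evaluate(r, ev)
    ]


def coverage(rules: List[Dict[str, Any]], techniques_of_interest: Iterable[str]) -> Dict[str, List[str]]:
    """Compare the techniques the rule set claims against a list the team cares about."""
    wanted = set(techniques_of_interest)
    covered = {t for r in rules for t in techniques(r)}
    return {"covered": sorted(covered & wanted), "gaps": sorted(wanted - covered)}


if __name__ == "__main__":
    for hit in run_rules([ENCODED_POWERSHELL_RULE], SAMPLE_EVENTS):
        print(hit)
    print(coverage([ENCODED_POWERSHELL_RULE], ["T1059.001", "T1053.005"]))
```

Run as written, only the first event produces a hit: the second is excluded by the filter block even though the selection matches, which is the usual way a Sigma rule is tuned against a known-good process rather than by loosening the selection. The coverage report is the part worth wiring into a periodic job, because it turns "we have ATT&CK-tagged rules" into a list of techniques with no rule at all.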
Automation and Response using TheHive and Cortex
To improve response capabilities, automation should be implemented within the SIEM to reduce the response time to security incidents. TheHive is an open-source security incident response platform that can be used to automate security incident response processes. It provides a web-based interface for security teams to manage security incidents and track the progress of their investigations. TheHive integrates with Cortex, a powerful tool that provides automated and on-demand security orchestration, enrichment, and response. By integrating Cortex with TheHive, security teams can automate the response to security incidents, thereby reducing the response time and the risk of data loss.
The following are the key features of TheHive and Cortex:
- TheHive: TheHive provides a web-based interface for security teams to manage security incidents. It allows security teams to:
  - Create, track, and manage security incidents
  - Collaborate with other team members to investigate and respond to security incidents
  - Use templates to quickly create standard responses to security incidents
  - Generate reports to track the progress of investigations
- Cortex: Cortex provides automated and on-demand security orchestration, enrichment, and response. It allows security teams to:
  - Automate the collection and enrichment of security events using a range of pre-built and customizable analyzers
  - Automate the execution of response actions to security incidents
  - Integrate with a range of third-party security tools to extend the functionality of the SIEM
By integrating TheHive and Cortex with the SIEM, security teams can:
- Automate the investigation and response to security incidents
- Reduce the response time to security incidents
- Ensure consistency in the response to security incidents
- Free up security personnel to focus on high-value tasks
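The integration point between the SIEM and TheHive is usually an alert: the SIEM (or a small glue script next to it) posts a detection as a TheHive alert, and analysts promote it to a case and run Cortex analyzers on its observables from there. The following is an added example, not code from the original post or from the TheHive project. It assumes the TheHive 4 alert JSON shape (title, description, type, source, sourceRef, severity, tlp, pap, tags, artifacts) and the POST /api/alert endpoint authenticated with a Bearer API key; the server URL, API key, rule id and hostnames are placeholders, and the sample hit is constructed in the shape a rule evaluator would emit. The part to note is the deterministic sourceRef, which keeps one noisy rule from creating a new alert for every matching event.

```python
"""Turn a SIEM detection hit into a TheHive alert.

Added example, not code from the original post or from the TheHive project.
It assumes the TheHive 4 alert JSON shape and the POST /api/alert endpoint
with a Bearer API key; the URL, key, rule id and hostnames are placeholders.
send_alert() only runs when THEHIVE_URL and THEHIVE_API_KEY are set.
"""
import hashlib
import json
import os
import urllib.request
from typing import Any, Dict, List, Tuple

# Sigma rule levels mapped onto TheHive's numeric severity (1 low .. 4 critical).
LEVEL_TO_SEVERITY = {"informational": 1, "low": 1, "medium": 2, "high": 3, "critical": 4}

Observable = Tuple[str, str, str]  # (dataType, data, message)


def hourly_bucket(epoch_seconds: int) -> int:
    """Events in the same clock hour share a bucket, and therefore a sourceRef."""
    return epoch_seconds // 3600


def build_alert(hit: Dict[str, Any], observables: List[Observable], time_bucket: int) -> Dict[str, Any]:
    """Build the alert body. sourceRef is derived from (rule, host, time bucket),
    so the same rule firing repeatedly on one host within the hour maps to one
    alert; the assumption is that the deployment deduplicates on sourceRef."""
    key = f"{hit['rule_id']}|{hit['host']}|{time_bucket}".encode()
    source_ref = hashlib.sha256(key).hexdigest()[:32]
    return {
        "type": "siem-detection",
        "source": "siem",
        "sourceRef": source_ref,
        "title": f"{hit['rule']} on {hit['host']}",
        "description": (f"Sigma rule `{hit['rule_id']}` (level {hit['level']}) matched on {hit['host']}.\n"
                        f"ATT&CK techniques: {', '.join(hit['techniques']) or 'none tagged'}"),
        "severity": LEVEL_TO_SEVERITY.get(hit["level"], 2),
        "tlp": 2,  # TLP:AMBER, internal handling only
        "pap": 2,  # PAP:AMBER, passive actions only until an analyst triages
        "tags": ["sigma"] + [f"attack:{t}" for t in hit["techniques"]],
        "artifacts": [
            {"dataType": data_type, "data": data, "message": message, "tags": ["siem"]}
            for data_type, data, message in observables
        ],
    }


def send_alert(alert: Dict[str, Any], base_url: str, api_key: str) -> Dict[str, Any]:
    """POST the alert to TheHive and return the parsed JSON response."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/alert",
        data=json.dumps(alert).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {api_key}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed hit, in the shape a rule evaluator would emit (placeholder ids).
SAMPLE_HIT: Dict[str, Any] = {
    "rule": "Encoded PowerShell command line",
    "rule_id": "00000000-0000-0000-0000-000000000001",
    "level": "high",
    "techniques": ["T1059.001"],
    "host": "ws01.example.test",
}
SAMPLE_OBSERVABLES: List[Observable] = [
    ("hostname", "ws01.example.test", "host the rule fired on"),
    ("other", "powershell.exe -nop -w hidden -enc <base64-placeholder>", "command line"),
]


if __name__ == "__main__":
    alert = build_alert(SAMPLE_HIT, SAMPLE_OBSERVABLES, hourly_bucket(1700000000))
    print(json.dumps(alert, indent=2))
    url, key = os.environ.get("THEHIVE_URL"), os.environ.get("THEHIVE_API_KEY")
    if url and key:  # only talk to a real server when explicitly configured
        print(send_alert(alert, url, key))
```

Attaching the host and command line as observables rather than burying them in the description is what lets Cortex analyzers run against them once the alert is promoted to a case; PAP is set to amber so that no analyzer with an external footprint is run before a human has looked at the alert.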
Conclusion
In conclusion, a SIEM is a critical component of a comprehensive cybersecurity program. To ensure that a SIEM is effective in protecting an organization from cyber threats, it must be implemented with a threat-informed security monitoring approach. The MITRE ATT&CK framework is a widely recognized methodology for threat-informed security monitoring. In addition, automation and response using TheHive and Cortex can be implemented to reduce the response time to security incidents and improve the effectiveness of the SIEM. By implementing these best practices, organizations can improve their cybersecurity posture and better protect themselves from cyber threats.