Dog on the hunt

How to use SIEM and hunt techniques to prepare for cyber threats

Mike Perrow, Freelance writer

Are you keeping up with the continual changes on the security landscape? These days, with ransomware, distributed denial-of-service attacks (DDoS), spearphishing, and other attacks on the rise, it's hard. 

An organization’s threat detection and response capabilities are critical to the integrity of data and business applications. With that in mind, many organizations are establishing intelligent security operations centers (SOCs) as a way to focus defensive efforts. Not only do SOCs offer a defense against intrusive threats, but they can also help your organization keep in line with compliance mandates.

If you’re new to the concept of an SOC, here's what one looks like, its primary functions, what you need to know about building and operating one, and how to use it to detect threats and anticipate attacks.

Introducing TechBeacon Learn

Our new site, TechBeacon Learn, offers a track on Security Information and Event Management (SIEM) systems, which serve as an intelligent, always-on engine at the heart of a SOC. Because security logs capture the traces of a malicious intrusion within microseconds of its occurrence, a SIEM gives you a way to isolate and analyze recorded incidents so your security team can quickly learn the level of threat detected and best determine what to do about it.

There’s much more that the new TechBeacon Learn SIEM track offers. We cover basic to advanced topics to help you learn how to use SIEM systems to safeguard your business. Here are a few highlights and takeaways.

Key elements of intelligent security

Most larger organizations have a variety of network infrastructure components and related security controls. A SIEM system not only provides a “single pane of glass” for viewing and correlating data gathered from these sources; it also cuts through the noise generated by massive volumes of log data to show you actual, potential threats that your team can then investigate and triage.

To do this, security administrators set up rules to generate alerts on significant, or potentially significant, events. They can use additional rules to categorize threats and prioritize them. 

As noted earlier, a SIEM system is the brains inside a security operations center. A SOC can range from a small, single-person operation to a large, well-resourced security hub with a team of analysts. The primary job of a SOC is to continuously monitor networks and host systems for vulnerabilities.

"People have different definitions of a SOC," says Joseph Blankenship, an analyst at Forrester Research. "To some people, it is like NASA mission control, where you have a bunch of people staring at big screens," he says. "At other organizations, a SOC might have a much less overt physical presence."

For more on the organization of a SOC and security team interaction with a SIEM system, see the tutorial “What does an intelligent security operations center look like?”

Essential SIEM processes

How do you know if you need a SIEM system? If you’re a small to mid-size organization, you may be able to accomplish the bare-bones capabilities of a SIEM with other systems. However, they won't likely allow you to automate the processes the way a SIEM system can. And if you have to observe the requirements of one or more compliance mandates, a SIEM will serve as an excellent, automated watchdog when processes, or their results, go out of spec.

Log data management is another critical SIEM function. Once data from disparate sources is normalized (parsed into a common field schema so that events from different sources can be compared), indexed, and correlated with other datasets, you can query that data for signs of compromise. You can find affected users and systems and then prompt remediation teams into action.
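As an added example (not part of the original article or the TechBeacon Learn track), the Python below sketches the normalize, index, correlate and alert flow described above: two constructed log formats are mapped into one schema, an index keyed by user and source IP is built, and a rule flags a burst of failed logins followed by a success from the same source, assigning a severity. The function names, field names and sample records are my own assumptions.

```python
import re
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in two raw formats: syslog-style sshd lines and JSON web-app records.
RAW_EVENTS = [
    "2024-05-01T10:00:01Z host1 sshd[201]: Failed password for alice from 203.0.113.7 port 5122 ssh2",
    "2024-05-01T10:00:03Z host1 sshd[201]: Failed password for alice from 203.0.113.7 port 5123 ssh2",
    "2024-05-01T10:00:05Z host1 sshd[201]: Failed password for alice from 203.0.113.7 port 5124 ssh2",
    "2024-05-01T10:00:09Z host1 sshd[201]: Accepted password for alice from 203.0.113.7 port 5125 ssh2",
    '{"ts": "2024-05-01T10:02:00Z", "app": "portal", "user": "bob", "src": "198.51.100.9", "result": "fail"}',
    '{"ts": "2024-05-01T10:30:00Z", "app": "portal", "user": "bob", "src": "198.51.100.9", "result": "ok"}',
]

SSHD_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def normalize(raw):
    """Map a raw record from either source into one common schema (assumed field names)."""
    m = SSHD_RE.match(raw)
    if m:
        ts, host, outcome, user, src = m.groups()
        return {"ts": _ts(ts), "host": host, "user": user, "src": src,
                "outcome": "success" if outcome == "Accepted" else "failure"}
    rec = json.loads(raw)  # fall through to the JSON web-app format
    return {"ts": _ts(rec["ts"]), "host": rec["app"], "user": rec["user"], "src": rec["src"],
            "outcome": "success" if rec["result"] == "ok" else "failure"}

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Rule: at least `threshold` failures for one (user, src), then a success inside `window`."""
    alerts = []
    failures = defaultdict(list)  # index keyed by (user, src) -> failure timestamps
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["outcome"] == "failure":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            # Prioritize: a larger burst before the success gets a higher severity.
            severity = "critical" if len(recent) >= 2 * threshold else "high"
            alerts.append({"user": ev["user"], "src": ev["src"], "host": ev["host"],
                           "failures": len(recent), "severity": severity})
        failures[key].clear()  # the success closes this burst
    return alerts

def run(raw_lines=RAW_EVENTS):
    """Normalize every raw line, then apply the correlation rule; returns the alert list."""
    return correlate([normalize(r) for r in raw_lines])
```

With the constructed input, only alice's burst of three failures followed by a success within nine seconds produces an alert; bob's single failure and much later success do not.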

Well-designed SIEM dashboards give you real-time information and provide drill-down capabilities to better assess the seriousness of an alert or potential threat. The query powers of a good SIEM can even allow your web application team to look at web server logs to identify performance and other kinds of issues there.

Using analytics to hunt for unknown threats

With a SIEM system in place, security teams have a critical tool to protect their organization from the dangers of cyber intrusion. But the team cannot rely solely on a tool to safeguard data and applications. Mitigating risk requires training and techniques—including the development and training of “hunt teams” that can go beyond known risks and behaviors to detect previously unknown threats.

Advanced detection capabilities represent the current frontier of development, both in the vendor community and in advanced enterprise security programs. That work is data-intensive. Hunt operations teams need enterprise security experts who have also become experts in data analytics, using detection analytics to identify unknown attack types, new malicious behaviors, and insider threats.

In many cases, your existing technology can amplify the capabilities of a SIEM system. What’s important is to make the effort to begin practicing security analytics, starting with the data you have on hand, and developing skills that can keep your assets safe, or at least safer, from the bad guys.

Explore the new TechBeacon Learn SIEM track

The landscape of cybersecurity is not just a morass of warning signs; it’s also a network of new highways that can lead to excellent threat detection and rapid remediation techniques.

Read a single learning unit within the new TechBeacon Learn SIEM track, or consume the entire track. Then tell your colleagues about TechBeacon Learn. Sponsored by Hewlett Packard Enterprise Software, TechBeacon Learn is designed to help software practitioners learn and experience the techniques that solve real-world problems in IT.  

Each track will provide frequent updates, and more tracks are in the works.