APT Shaping SIEM
Security information and event management tools must catch up with the elusive advanced persistent threat
October 3, 2011
Traditional security information and event management (SIEM) systems typically don't detect a relentless targeted attack designed to avoid raising any red flags: They're tuned to catch unusual activity, not stealthy attacks that hide behind legitimate user credentials or normal traffic.
But with more and more commercial organizations now in the bull's eye of cyberespionage conducted by so-called advanced persistent threat (APT) actors, victim organizations are increasingly demanding more from their security management tools to help them better defend against these silent attackers. And there are signs that SIEM technology is gradually being forced to evolve to address these more stealthy attacks.
"The biggest challenge with SIEM in dealing with the more sophisticated adversary has to do with the 'E' in SIEM. These technologies are designed to alert on events, meaning they must recognize something in order to get the sec ops team's attention," says Scott Crawford, managing research director at Enterprise Management Associates. "This is, of course, something that a more adept adversary seeks to avoid, which means that often they are exploiting a legitimate user's privileges and keeping their activity as unremarkable or difficult to distinguish from normal user activity as possible. This makes it challenging to write alert rules: How do you alert on what appears to be normal user activity?"
Signs of a new generation of SIEM features to help sniff out APT attackers have begun emerging during the past few months. HP, which sells the popular ArcSight ESM SIEM platform, recently integrated its product with Solera Networks' DeepSee forensics and analytics system, and RSA this summer rolled out RSA NetWitness Panorama, which combines network forensic and log data into a common system for analysis on RSA's enVision SIEM system.
Eddie Schwartz, CSO at RSA, says this helps bring together all of the clues that an APT actor has infiltrated a network. "If you get an indicator, such as a domain name or file name or user credential in an investigation ... you want to understand across the entire organization where this particular object appeared. Historically, you would have had to touch hundreds of different data sets," Schwartz says. "Every data set is asking a slightly different question. Now there's a single place with a single question, and you can quickly get a single answer that spans all data sets" about the rogue object associated with the attack, he says.
Security teams running traditional SIEM systems or security products can't close the targeted attack window as effectively as those running products with broader and deeper analysis, Schwartz says. "There is a gap. A better SIEM with faster results and operationalizing security data in a way that closes that window and risk in a more timely manner limits the amount of time the attacker" has to steal information, he says.
"This is a vision of what SIEM can become. It's got to become a better data management framework for security management people," he says.
But SIEM products today generally fall short when it comes to providing details about security events. "ArcSight is good at correlating basic information," says Joe Gottlieb, CEO and president of SenSage. "But the limitation is that they are working with a constrained dataset that's normalized, so it's a lowest common denominator provided by different vendors, and they don't have the ability to drill into the details. Doing this [integration] with Solera offers details underneath what they are pointing to in their alerts."
Solera CTO Joe Levy says his firm's technology fills a gap in SIEM by detecting unknown types of events. "The area where SIEM is most deficient is when there's no clear indicator of compromise," Levy says.
Narayan Makaram, HP ArcSight product manager, says while ArcSight collects any malware activity that was detected, Solera drills down on those events: "As the malware moves to various assets using, for example, nmap, anomalous network traffic gets detected and then collected by ArcSight," Makaram says. "Solera shows you who was where on the network and what they did ... For forensics analysis, blacklisting and whitelisting alone cannot address the APT. This helps you address that type of attack."
SIEM technology is evolving into more of a security intelligence and business risk management platform, he says.
But part of the reason SIEM misses APT attackers isn't necessarily the technology, but how it's configured. "Most of the deployments we have today of log management and SIEM are virtually useless for detecting an APT [threat]," says Matt Mosley, senior product manager at NetIQ. "It's not necessarily the limitations of the technology, but on how it has been deployed in a lot of cases. The fact is, a lot of these products take a long time to configure [such that] you would be able to pick up on this type of attack."
Contributing to that, SIEM and log management purchases over the past couple of years were driven largely by compliance requirements, such as PCI DSS. While that has helped spur adoption of security monitoring, in most cases it has resulted in huge, centralized databases of logs without much context.
"I think the promise of security event management is the ability not just to filter, but to tell us what's important. APT is a particularly tough case there," NetIQ's Mosley says. "Even where you've configured event management to correlate and look for certain types of attacks, the most sinister APTs are those that involve zero-days."
Look for more advanced behavioral analysis for SIEM platforms, too, where you can specify what behavior is normal for a particular user or computer resource, security experts say.
"We have to stop looking at SIEM as a problem of finding the bad guy, and start looking more at modeling behavior and understanding what's acceptable and what's not," Mosley says.
How can you really tell what's normal when the attackers are hellbent on blending in? That depends on what you know about a user who logged into a particular database, for example: "If it's from a secretary's laptop, maybe that's not normal because that's not where it should be coming from," Mosley says, adding that the time of day and other factors also must be weighed.
"An activity that shows up in the system logs as authorized usually gets filtered out and ignored. [But] often that's where the evidence really is," he says.
Tying SIEM into identity management systems, NetIQ's Mosley says, can help with the behavioral analysis part of the investigation. "SIEM can then track the human being rather than the user ID to get better information" about a particular event or activity and who it's associated with, he says.
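The behavioral check described above, sketched as an added example (not from the article or any vendor's product): authorized logins are kept rather than filtered out, account IDs are resolved to a person through an identity mapping, and each login is compared with that person's usual source hosts and hours for the resource. All account names, hosts and events are constructed, and the two-hour tolerance is an assumption.

```python
from collections import defaultdict

# Constructed identity-management export: account ID -> person.
IDENTITY = {"jdoe": "Jane Doe", "svc_jdoe_dba": "Jane Doe", "asmith": "Al Smith"}

# Constructed history of *authorized* logins: (account, source_host, hour, resource).
HISTORY = [
    ("svc_jdoe_dba", "dba-ws-01", 9, "hr-db"),
    ("svc_jdoe_dba", "dba-ws-01", 14, "hr-db"),
    ("jdoe", "dba-ws-01", 10, "hr-db"),
    ("asmith", "frontdesk-lt-07", 9, "mail"),
    ("asmith", "frontdesk-lt-07", 16, "mail"),
]

def build_baseline(history, identity):
    """Per (person, resource): source hosts and hours seen so far."""
    base = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for account, host, hour, resource in history:
        person = identity.get(account, account)  # track the human, not the ID
        base[(person, resource)]["hosts"].add(host)
        base[(person, resource)]["hours"].add(hour)
    return dict(base)

def hour_gap(a, b):
    """Distance between two hours of the day, wrapping at midnight."""
    d = abs(a - b)
    return min(d, 24 - d)

def score_event(event, baseline, identity, hour_slack=2):
    """Return the reasons an authorized login deviates from the baseline."""
    account, host, hour, resource = event
    person = identity.get(account, account)
    entry = baseline.get((person, resource))
    if entry is None:
        return [f"{person} has never accessed {resource}"]
    reasons = []
    if host not in entry["hosts"]:
        reasons.append(f"new source host {host}")
    if all(hour_gap(hour, h) > hour_slack for h in entry["hours"]):
        reasons.append(f"unusual hour {hour:02d}:00")
    return reasons

if __name__ == "__main__":
    baseline = build_baseline(HISTORY, IDENTITY)
    new_events = [  # constructed; every one was logged as a successful login
        ("svc_jdoe_dba", "dba-ws-01", 11, "hr-db"),
        ("jdoe", "frontdesk-lt-07", 3, "hr-db"),
        ("asmith", "frontdesk-lt-07", 3, "hr-db"),
    ]
    for ev in new_events:
        print(ev, "->", score_event(ev, baseline, IDENTITY) or "within baseline")
```
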
And while SIEM began as a way to correlate IDS and other network logs, that's no longer a true picture of the threat. It must also be able to detect those intrusions or threats that get around the perimeter because spearphishing attacks that dupe users and zero-day attacks are the favorite tools of the APT attacker.
"You need to see what happens when they get inside. And you have to respond quickly," says Chris Petersen, CTO and co-founder of LogRhythm.
And keep an eye on the "big data" space, EMA's Crawford says. "The technologies for collecting and managing large volumes of information more effectively become more responsive and adept at finding some of the more subtle needles that may otherwise go undetected in very large haystacks," he says.