SIEM Tools Don’t Have to Be Hard, Here’s How.

July 13, 2016

In today’s Whiteboard Wednesday, Spencer Engleson, Sales Engineer at Rapid7, will talk about a new approach to SIEM tools.

Spencer talks about the three main areas involved in a SIEM solution:

  • Indexing and correlating log files
  • Building out alert rules to detect malicious behavior
  • Incident investigation and response

While security professionals spend most of their time deploying a SIEM and building alerts, they really want to be focused on incident investigation and response. Spencer will tell you about some of the latest SIEM tools that can help you index and correlate your log files quickly and get out-of-the-box detections and alerts, so that your team can focus on the actual incident response.

Watch this week’s Whiteboard Wednesday to learn more.


Video Transcript

Hi, everyone. Welcome to this week's Whiteboard Wednesday. My name is Spencer Engleson and I work on the security and sales engineering team here at Rapid7. Today, we're going to be talking about SIEM tools and why they don't have to be so hard. Now, when we're talking about SIEMs, there are really three stages to this process. The first is the initial configuration and deployment, which involves indexing and correlating all of your logs. The second stage is building meaningful detections and alerts out of that correlation engine. And lastly, the part that we're really focusing on, is the actual response: detecting incidents, investigating them, and closing them out.


Now traditionally, the challenge that SIEM tools have is that most of your time is spent in steps one and two when we really want to be in step three. When we first configure a SIEM, you have to basically configure all of these different event sources and push data from Active Directory, from your firewall, from individual applications, all the way into the SIEM system. You then have to train the system how to index and correlate that data. Now, some SIEM tools do this better than others automatically, but from what I've seen, pretty much across the board, there is some manual effort here to correlate different events. And only once you've correlated those events can you build meaningful alerts. Without correlation, you end up building alerts based on individual events from, say, a firewall or from an authentication log. But those tend to be very noisy because there's no correlation behind them to really teach the system what is actually malicious rather than merely anomalous.

Now, once you're into the detection and alerting phase, there's also a lot of tuning and maintenance that goes into this process. And it's kind of a never-ending cycle where you continually teach the system how to respond to different iterations of an alert. Now, the last phase is actually incident response, where you receive an alert and actually act on it by investigating the incident. Again, the challenge here is time: we want to be spending our time in incident response, and we find ourselves stuck in correlation and detection.

Now, an ideal SIEM tool would really automate most of these first two phases, allowing you to spend your time in incident response. Basically, we want to be able to understand different logs and automatically correlate them so that they come together and have meaningful context in the interface. And then we're automatically detecting and alerting on activity based on out-of-the-box, preconfigured alerts that understand user context and attacker behavior. This allows us to basically stand up and deploy the SIEM quickly, have meaningful alerts coming out of the system automatically, and spend most of our time responding to actual incidents.

Now, one of the most time-consuming aspects of incident response is mapping asset-centric data back to the users who are actually responsible. As we've seen in the wild, attackers are using legitimate user credentials during their attacks more and more frequently. So a huge aspect of incident response is not only knowing which assets are compromised but which users and which accounts have been compromised. This is really the driving force behind the user behavior analytics platforms that are currently being brought to market. And the value of those tools is basically automating your understanding of asset data and events and correlating them back to the user who is responsible.

With Rapid7's InsightIDR solution, we've basically designed a user behavior analytics platform as the basis of our incident detection and response tool. And that helps automate your indexing and correlation by automatically ingesting logs and correlating them, as well as providing meaningful out-of-the-box alerts that are designed to detect attackers as they use compromised credentials. We've built alerts looking for things like lateral movement, administrator impersonation, pass-the-hash attacks, and malware; really the full range of attacker techniques is covered in our automated alerts, and we've designed that based off an attacker's kill chain, so that we're not receiving alerts for one specific point in an attack. We're receiving alerts across the entire spectrum as the attacker moves from the exterior to the inside of the organization and finally reaches critical assets and sensitive data.

So if that sounds interesting to you and you want to learn more, then please visit the Rapid7 website and check out InsightIDR. We believe it's the SIEM we've always wanted. That's it for this week's Whiteboard Wednesday. We'll talk to you next week.
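The transcript describes two things a correlation engine has to do before an alert is meaningful: map asset-centric events (an IP on a firewall log) back to the user responsible, and raise a multi-event detection such as lateral movement instead of a noisy single-event alert. The following added example (not code from the video or from InsightIDR) shows both over constructed DHCP, logon and firewall records; the log layouts, hostnames, users and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (time, ...); none of these values come from the page.
DHCP = [("2016-07-13T08:00:00", "10.0.0.5", "WS-ALICE"),      # lease: ip -> host
        ("2016-07-13T08:01:00", "10.0.0.9", "WS-BOB")]
AUTH = [("2016-07-13T08:05:00", "alice", "WS-ALICE"),         # logon: user -> host
        ("2016-07-13T08:06:00", "bob", "WS-BOB"),
        ("2016-07-13T08:30:00", "alice", "WS-BOB"),
        ("2016-07-13T08:31:00", "alice", "FILESRV01")]
FIREWALL = [("2016-07-13T08:40:00", "10.0.0.9", "203.0.113.7", 52_000_000)]  # egress: src, dst, bytes

def ts(s):
    return datetime.fromisoformat(s)

def attribute_firewall_events(dhcp, auth, firewall):
    """Enrich each firewall event: source IP -> host (DHCP) -> latest logon on that host (AUTH)."""
    ip_to_host = {ip: host for _, ip, host in dhcp}  # later leases overwrite earlier ones
    logons = sorted(auth, key=lambda r: ts(r[0]))
    enriched = []
    for when, src, dst, nbytes in firewall:
        host = ip_to_host.get(src)
        user = None
        for t, u, h in logons:
            if h == host and ts(t) <= ts(when):
                user = u  # keep the most recent logon at or before the event
        enriched.append({"time": when, "src": src, "host": host,
                         "user": user, "dst": dst, "bytes": nbytes})
    return enriched

def lateral_movement(auth, window=timedelta(hours=1), min_hosts=3):
    """Flag users who log on to at least min_hosts distinct hosts inside one sliding window.
    A single logon event is not alertable on its own; the correlation across hosts is."""
    by_user = defaultdict(list)
    for t, u, h in auth:
        by_user[u].append((ts(t), h))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for start, _ in events:
            hosts = {h for t, h in events if start <= t <= start + window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged

if __name__ == "__main__":
    print(attribute_firewall_events(DHCP, AUTH, FIREWALL))
    print(lateral_movement(AUTH))
```

The egress event from 10.0.0.9 is attributed to alice rather than to the workstation's usual owner bob, because her logon to WS-BOB is the latest one before the transfer; the same logon series also trips the lateral-movement rule.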