Top Five SIEM Use Cases For Active Threat Detection
Abstract: A critical tool that an IT department and their SOC needs to rely on is their Security and Information Event Management (SIEM) tool. This collects, stores, and analyzes log data from the entire IT infrastructure to detect suspicious activities and respond to threats. But to work effectively, it needs use cases to provide data and context for the event, to cut down on false alerts over legitimate activity, or to highlight events that are trying to hide under the radar.
Within the variety of tools that an IT department and their SOC need to rely on is their Security and Information Event Management (SIEM) tool. This software platform collects, stores, and analyzes log data from the entire IT infrastructure to detect suspicious activities and suggest a response to threats. Much like a security solution that relies on an AI or Machine Learning to provide anomaly detection, the SIEM filters through all the data, looking for specific criteria of data. Similarly, there are perfectly legitimate activities that result in false positives.
Generally, an organization will purchase SIEM tools expecting quick implementation and reliable security threat alerts, but the reality is more complex. To cut down on false positives over perfectly legitimate actions, an organization needs to develop strong SEIM use cases; developed from libraries of proven rules and scenarios from historical data and industry-wide knowledge. An organization needs to write the rules and define its baselines and thresholds based on its knowledge of its own IT department, threat landscape, and bad actor behavior. On top of that, new use cases and correlation rules should always be in the pipeline to address the ever-evolving threat scenarios.
In this blog, we’ll be looking at the top 5 examples of use cases that will focus on the active and incredibly malicious use cases seen in security threat management and negation.
- Unusual Behavior on Privileged Accounts
This is easily the most straightforward and common example. Privileged accounts are used for some of the most critical parts of any business, such as managing infrastructure or accessing sensitive data for day-to-day activities. Since they offer unlimited access and permissions to systems, endpoints, or data, anyone with access to this account effectively has the keys to your entire organization.
Hence, as an example, the SOC should have a use case and workflow in place that can flag any activity that deviates from the norm, such as detecting any attempt to compromise user credentials, accessing confidential files, or logging in outside of working hours. Keep in mind, however, that there are also legitimate occasions for unexpected behavior on privileged accounts, so the use case should be as detailed as possible.
- Defense Evasion
A hack or breach is rarely a straightforward intrusion with one or two suspicious activities in the logs. Instead, bad actors rely on techniques such as brute force attacks, uninstalling security software, or altering or circumventing a challenge-response authentication protocol, then hide their tracks behind them. Any unauthorized action that seeks to disable protection controls, obfuscate scripts, change configurations, or delete audit trails is an example of defense evasion.
The intent is to avoid detection during the compromise, so the use case requires specific correlation rules and data points to flag it as an attempt at a cyber attack - for example, unauthorized program deletions, intentional misspellings, and unexpected log changes.
The DDoS, or Distributed Denial of Service, is a broad class of cyberattack that disrupts online services and resources by overwhelming them with traffic. The most common attribute of the DDoS is that the suspicious traffic comes from distributed sources, with odd traffic patterns, which generally originate from compromised machines from all over the globe. The online service is rendered useless during the attack due to the overwhelming traffic.
Given the importance of ensuring that an organization’s machines are available, DDoS protections are paramount. The use cases should include awareness of a sudden increase in simultaneous queries and traffic and be mindful that some web-facing systems may need to be accessed simultaneously by customers and partners. The use case should serve as the first line of defense, with your security protocols to monitor and detect early signs of DDoS attacks before they get out of hand. This way, SOC analysts can begin to remediate and verify the attack and return traffic loads to normal levels before it gets out of hand.
- Traffic to Malicious Domains
In recent times, malicious and newly registered domains (NRDs) have become a fundamental way for bad actors to commit credential theft and data extraction. Given that domain names are meant to be out signposts on the information superhighway, domain names are inherently trusted and a key brand asset for any organization. Bad actors generally create slight variations of legitimate brand domains in the hopes that users will be fooled. They only exist for a certain amount of time, are used in attacks, then cease to exist, usually focusing on phishing attacks, data exfiltration, and malware distribution.
A detection system should be programmed with use cases that can flag malicious and newly registered domains so that it can intelligently predict if the intent is genuine or malicious. Then, the system would either automatically block the domain or flag an analyst who can investigate further and determine the path forward.
- Data Exfiltration
Generally, data exfiltration is one of the key objectives of the other use cases listed above. Done either manually or automatically, this is the illegal transfer of sensitive data to unauthorized parties and is the most important objective of any cyberattack. The data can then be sold on the Dark Web or ‘ransomed’ back to the organization. In some cases, it’s even just released publicly.
What makes data exfiltration challenging to detect is that regardless of whether it’s an internal or external attack, it involves moving data within and outside a company’s network - which is normal daily operations in most companies. The challenge is differentiating it from normal traffic, such as transferring files to an FTP for processing or troubleshooting.
Any use case applied to this event should include a comprehensive inventory of all the endpoints where the data lives and monitor any anomalies in user and entity behavior and suspicious traffic at the endpoints.
SIEM Needs AI-Assisted Cybersecurity
There are a lot of gray areas when it comes to accurately detecting a malicious cyber-attack, as evidenced by the use cases shown above. There is a fine line between normal traffic/daily activities and suspicious traffic, and, sometimes, it’s difficult for a machine to figure it out. This will then lead to an excess of alerts and false positives. Hence, to truly execute your SIEM to its potential, you need to adopt an AI-Assisted Cybersecurity (AICS) platform as a hybrid model with analysts. A robust and secure SOC can emerge by combining an AI capable of deep learning via use cases and anomaly detection with the extra input of human creativity, common sense, and knowledge from analysts.
False positives occur when the detection methods flag a specific example that’s been programmed from rules, previous attacks, and other data points. If the activity checks all the boxes, an alert is triggered, regardless if it’s accurate or not. The software won’t always know that. But an analyst will.
When an alert is triggered by an AI-Assisted Cybersecurity system such as Arcanna.ai, the system analyzes it and determines a course of action, creates a ticket, adds threat intel, and an analyst reviews the outcome, and feedback is given. The system then adds this learning into its processes, continuing the cycle, and further deepening its understanding and database of use cases.
The best tool an organization can use to mitigate threats is to adopt a supervised anomaly detection model continuously trained by SOC analysts. Their institutionalized knowledge and historical data are continually integrated with the AICS to get the most out of the algorithm.
Contact us today to learn more about how Arcanna.ai can help fine-tune your SIEM processes.