Security information and event management (SIEM) systems

 

Introduction

Security Information and Event Manager (SIEM) is the term for software and services combining security information management and security event management. SIEM is an approach to security management that combines event, threat and risk data into a single system to improve the detection and remediation of security issues and provide an extra layer of in depth defense. Employing a SIEM can help immensely, but requires consideration of security business processes and data to leverage the SIEM tool in the most effective manner.

Deploying the SIEM with default settings will generate substantial data and alerts, but tailoring the tool to the agency’s systems, data protection requirements and operational environment will yield improved results. This process involves gathering requirements from a variety of organizational resources and departments, including business units, human resources, IT operations and security groups, reviewing hardware and software systems, understanding policy requirements and incorporating efficient and effective responses to security events and incidents.

Use of audit data

Audit logging and review is a crucial component of an effective strategy to operate and secure vital IT assets and data. Many organizations generate audit log data, but fail to effectively extract relevant information due to the volume and complexity of the data collected.

The proper use of log data supports multiple security purposes, including:

  • Detecting known and emerging threats,
  • Identifying vulnerabilities,
  • Accelerating incident response,
  • Identifying policy violations and
  • Providing system troubleshooting or forensic evidence in the event a security breach occurs.

In addition, Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies (Pub. 1075), requires security-relevant events must enable the detection of unauthorized access to Federal Tax Information (FTI) data. Auditing must also be enabled to the greatest extent possible to capture access, modification, deletion, and movement of FTI by each unique user.

Understanding and evaluating SIEM systems

A SIEM system is designed to support and facilitate data collection, analysis, response and remediation processes and procedures. SIEM systems can collect most event types and configuration data available, thus the volume of data can be massive. If the collection and compilation of that data is unstructured, the ability to evaluate the data is diminished, resulting in the failure to deliver the actionable information critical to strengthen and improve the organization's security posture.

SIEM systems have become a relied-upon feature of security programs, serving operations, compliance and security and risk groups with valuable information to support business and security functions. These tools can provide a comprehensive view of activity on their networks.

Their capabilities include:

Scale: Not only have the number of events increased, but also the number of applications, users and devices generating logs. Internal stakeholders want additional event types captured to aid in reporting and analysis. The resultant explosion in event data means consideration of appropriate implementation and management is critical to success.

Forensics: SIEM system capabilities should provide automated data analysis, notification and data enrichment to provide needed reference data to reduce the workload on operations staff. Platforms should offer a much greater set of pre-built analysis policies, and far better linkage of events for drill-down capabilities.

Speed: A SIEM system should be expected to produce near real-time results. It is no longer viewed as an "after-the-fact" repository of data, but a frontline security tool for the continuous monitoring and detection of misuse of and attacks against IT assets and capabilities. Alerts and actionable information should be available as close to real-time as possible.

Ease of use: Quick ramp-up, reduced training and overall task automation should be built into a SIEM platform. However, these tools will require an ongoing investment of resources (budget and manpower). SIEM vendors have greatly improved their platforms' ability to automate rules, have re-worked User Interfaces (UI), and added threat and policy management dashboards to simplify day-to-day use and ease some burden.

Implementing Publication 1075 controls through SIEM

A SIEM solution may support the agency’s successful implementation of the Audit and Accountability controls identified in Pub. 1075, Section 4.3.

The agency should refer to the following guidance when implementing such a tool to support audit log data review.

 Audit and Accountability Policy and Procedures (AU-1) - Implementing a significant tool such as SIEM may require changes or updates to policy and procedures for audit-related topics. Well-defined policies and procedures will support the collection, correlation and reporting of audit log data by defining requirements, roles and responsibilities and standards to be used. These policies and procedures should be regularly reviewed to ensure continued relevance. Policies should be reviewed and updated at least every three years; procedures should be reviewed annually.

Audit Events (AU-2) - Auditing must be enabled to the greatest extent necessary to capture access, modification, deletion and movement of FTI by each unique user. Therefore, the agency must capture all security and administrative actions, as well as user activity relative to FTI. This includes, but is not limited to, logging onto/off a system, use of administrator commands, changes to permissions and all interactions with FTI. Agencies should also refer to platform specific auditing requirements contained in the Safeguards Computer Security Evaluation Matrices (SCSEMs).

The agency must also coordinate with other agency entities requiring audit-related information to help establish appropriate auditable events required for their purposes.

Once established and defined in the SIEM environment, these events should be reviewed at least annually to ensure their capture effectively supports the agency’s information security requirements.

Content of Audit Records (AU-3) - Any system feeding log data to the SIEM must provide sufficient data to establish what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event and the identity of any individuals or subjects.

The SIEM solution may be employed to standardize the content and format to facilitate review and correlation of the log data, but administrators must ensure that appropriate log data elements are captured.

Audit Storage Capacity (AU-4) - Centralizing the capture and storage of audit log data from a large number of systems across the enterprise requires sufficient storage for the data. Pub. 1075 requires seven years of data be retained for all systems that store, transmit, process and/or receive FTI.

Response to Audit Processing Failures (AU-5) - The SIEM solution should be configured to produce a real-time alert whenever audit processing has failed on a connected system. Additionally, storage should be carefully monitored to ensure sufficient space for current logs and to prevent the loss of any audit data.

Audit Review, Analysis and Reporting (AU-6) - Even with the use of a SIEM solution to correlate and provide automated alerts, the need for weekly manual review by administrators, security groups and business managers is not fully removed. For example, employee accesses of FTI to ensure only appropriate accesses were made cannot be easily evaluated in an automated manner. However, the SIEM solution may be customized to provide reports of this data and manage its review. Reports may be designed for various organizational needs, automatically distributed and their review logged.

Staff may require training on the content and use of both alert resolution, as well as proper review and use of standardized and ad hoc reports for both security and access-related events.

Audit Reduction and Report Generation (AU-7) - One of the defining characteristics of a SIEM solution is its ability to correlate logs across multiple systems and analyze data for signs of anomalies and threats. To this end, agencies must define the thresholds for which administrators and/or security staff receive real-time alerts. This may require fine-tuning as the SIEM solution moves forward, as consideration must be given to the resources available to review and clear these alerts. For all alerts generated, the alert must be logged, acknowledged by an administrator and the disposition of the alert by the administrator captured.

Additionally, the log data should be available to select personnel to generate on-demand review, as well as to support after-the-fact investigation.

Time Stamps (AU-8) - To appropriately correlate log data, the agency must ensure all systems are synchronized to a standard, authoritative time server (e.g., NIST, Naval Observatory).

Protection of Audit (AU-9) - While a powerful tool that allows for access to and monitoring of large amounts of data, it is important to recognize the sensitivity of the audit log data, especially if any FTI is captured in the logs. Only appropriate staff should have access, and any modifications to or deletions of the data must also be logged.

Cross-Organizational Auditing Logging(AU-16) - An agency must maintain awareness of all systems that store, transmit, process and/or receive FTI, even if those systems are operated by a third party on the agency’s behalf. External data, from outsourced data centers or cloud providers, may be incorporated into the SIEM solution to provide support for additional analysis.

Resources