Monday, August 24, 2009

Security Information Event Monitoring

Rocky over at the Decurity blog has done a good writeup titled 'Back to School - SIEM 101'. SIEM (security information event monitoring) is often heralded as an essential network monitoring technology, and from a conceptual point of view it is almost impossible to argue with that position.

The basic function of a SIEM is to collect logs from as many endpoints as possible, analyze them and alert an operator to suspicious activity. The analysis can take on many different forms, but usually boils down to a form of normalization that allows for event correlation.

In my perfect world, event normalization would eliminate most of the syntactic differences between different applications and operating systems.

Aug 24 08:45:57 hostname sshd[29358]: Failed password for user from 127.0.0.1 port 13273 ssh2

This sshd entry and Windows event 529 (Logon Failure - Unknown user name or bad password) are pretty much the same. Sure, they can be parameterized differently, but if I see repeated bad logon attempts for the same user across platforms, I would like to know about it. The normalization process should take care of this.

With event correlation, the SIEM is transformed from a collector/normalizer into an expert system, which allows detailed specification of rules like: if I see 3 or more failed logon attempts for the same user within 10 minutes, followed by a successful logon, I need to be notified.
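To make the normalization and correlation steps concrete, here is a small sketch added as an illustration (it is not from Rocky's post or from any SIEM product). It assumes a simplified dict layout for Windows records, assumes Windows event 528 as the successful-logon counterpart to 529, and folds usernames to lower case so the two platforms can be matched; all function names are hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<verb>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from \S+ port \d+")
WINDOWS_OUTCOME = {529: "failure", 528: "success"}  # 528 = successful logon

def normalize_sshd(line, year=2009):
    """sshd syslog line -> common event dict (syslog carries no year, so one is assumed)."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    outcome = "failure" if m["verb"] == "Failed" else "success"
    return {"time": ts, "user": m["user"].lower(), "outcome": outcome}

def normalize_windows(rec):
    """Simplified Windows record (hypothetical dict layout) -> common event dict."""
    outcome = WINDOWS_OUTCOME.get(rec["event_id"])
    if outcome is None:
        return None
    ts = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
    return {"time": ts, "user": rec["user"].lower(), "outcome": outcome}

def correlate(events, threshold=3, window=timedelta(minutes=10)):
    """Alert when >= threshold failures for one user inside window precede a success."""
    failures, alerts = defaultdict(deque), []
    for ev in sorted((e for e in events if e), key=lambda e: e["time"]):
        recent = failures[ev["user"]]
        while recent and ev["time"] - recent[0] > window:
            recent.popleft()  # forget failures that fell out of the window
        if ev["outcome"] == "failure":
            recent.append(ev["time"])
            continue
        if len(recent) >= threshold:
            alerts.append({"user": ev["user"], "failures": len(recent), "time": ev["time"]})
        recent.clear()  # any successful logon resets the count
    return alerts

SAMPLE_SSHD = [  # constructed sample input
    "Aug 24 08:45:57 hostname sshd[29358]: Failed password for alice from 127.0.0.1 port 13273 ssh2",
    "Aug 24 08:46:30 hostname sshd[29358]: Failed password for alice from 127.0.0.1 port 13274 ssh2",
    "Aug 24 08:50:02 hostname sshd[29360]: Accepted password for alice from 127.0.0.1 port 13280 ssh2"]
SAMPLE_WINDOWS = [{"time": "2009-08-24 08:47:10", "event_id": 529, "user": "Alice"}]  # constructed

def run_sample():
    return correlate([normalize_sshd(l) for l in SAMPLE_SSHD] + [normalize_windows(r) for r in SAMPLE_WINDOWS])
```

Neither platform alone reaches three failures in the sample; the rule only fires because the sshd and Windows events land in the same normalized stream.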

Again, from a fairly conceptual level, SIEMs are much like a hybrid network-based IDS/host-based IDS, but with added functionality. 

To learn more about basic SIEM technology, go check out Rocky's post.


