Technology has come a long way from when 3 incorrect login attempts used to indicate a malicious person getting access to your network.
These days systems and networks, especially commercial ones, collect vast amounts of logs. In fact, on more than one occasion we’ve seen tools where the log files take up considerably more space than the actual software itself.
This large data collection means that SIEM has been able to rise to a new level and improve the security of networks and systems considerably. Of course, it’s important that the SIEM correlation rules are sensible and useful since any threat detection system is only as useful as the logic behind it.
Unified threat detection and cybersecurity could be the answer to your problems and you can even get started for free.
Let’s dive in and have a look at how SIEM correlation rules work, and how they are the backbone of any SIEM tool.
What is SIEM?
SIEM is short for Security Information and Event Management. In short, it’s an evolution of log collection and management. A SIEM system uses the logs collected to keep track of the IT environment and help avoid harm coming to your system.
What is a Correlation Rule?
Correlation is a mathematical relationship between variables. It states that if one thing happens to data set 1, then another will happen to data set 2. For example, if you press the gas pedal, your car will speed up. The relationship can be more complex, but any two data sets where a relationship can be determined are said to be correlated.
Data Aggregation and Normalization
Computer networks and systems are made up of a large range of hardware and software. Each of these has its own way of recording data and displaying it. Log data from different applications needs to be uniform in order for the SIEM system to be able to parse and handle it effectively. The process of converting different log files to a standardized template is known as normalization.
Of course, it’s also important that data is collected in a single place, and this is called data aggregation. It’s important that data is in a single location as it makes it quicker and easier to process and keep track of everything. If a system had to pull in data logs from all across the network and analyze them every time it ran, it would be extremely ineffective and bandwidth-intensive.
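Normalization as described above, sketched in Python as an added example (it is not UTMStack's parser). The common schema, the JSON format of the hypothetical web application, the year and UTC handling, and the sample lines are all assumptions made for illustration.

```python
import json
import re
from datetime import datetime, timezone

# OpenSSH password-auth lines as written to syslog (no year, no time zone).
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def normalize(raw, year=2024):
    """Map one raw log line to the common schema; None if the format is unknown."""
    raw = raw.strip()
    if raw.startswith("{"):  # JSON events from a hypothetical web application
        rec = json.loads(raw)
        return {
            "ts": datetime.fromtimestamp(rec["time"], tz=timezone.utc),
            "host": rec["app"],
            "user": rec["username"],
            "src_ip": rec["client"],
            "action": "login",
            "outcome": "success" if rec["ok"] else "failure",
        }
    m = SSHD_RE.match(raw)
    if m:
        # Assumption: the caller supplies the year and the host logs in UTC.
        stamp = " ".join(m["ts"].split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        return {
            "ts": ts.replace(tzinfo=timezone.utc),
            "host": m["host"],
            "user": m["user"],
            "src_ip": m["ip"],
            "action": "login",
            "outcome": "success" if m["result"] == "Accepted" else "failure",
        }
    return None  # unparsed lines should be counted, not silently dropped

# Constructed sample lines, one per source format.
SAMPLES = [
    "Jan  1 09:00:01 bastion sshd[4121]: Failed password for alice from 203.0.113.7 port 52144 ssh2",
    '{"time": 1704099605, "app": "portal", "username": "alice", "client": "203.0.113.7", "ok": false}',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(normalize(line))
```

Once both sources share the same field names, a single correlation rule can count failures for an account regardless of which application logged them.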
Common SIEM Correlation Rules
SIEM systems can have hundreds or even thousands of correlation rules. In fact, at UTMStack our SIEM has over 128,000 correlation rules which are regularly checked. Some of these are simple, and some are more complex. Writing an article about all of these rules would bore anyone; however, here are some of the most common correlation rules.
Once a correlation rule is triggered the system can take appropriate steps to mitigate a cyber attack. Usually, this includes sending a notification to a user and then possibly limiting or even shutting down the system.
Brute Force Detection
Brute force detection is relatively straightforward. Brute forcing means repeatedly trying to guess a value. It most commonly refers to someone trying to constantly guess your password, either manually or with a tool. However, it can also refer to trying to guess URLs or important file locations on your system.
An automated brute-force attempt is easy to detect because it is impossible for a person to enter their password 60 times in a minute.
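The counting rule described above, sketched in Python as an added example (not UTMStack's rule or code). The event fields, thresholds and sample data are constructed for illustration; the second call shows how a tighter threshold also flags a user who simply forgot a password.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def detect_brute_force(events, threshold=60, window=timedelta(minutes=1)):
    """Alert once per (source IP, account) whose failed logins reach `threshold`
    inside a sliding `window`. `events` must be sorted by timestamp."""
    recent = defaultdict(deque)  # key -> failure timestamps still inside the window
    alerted, alerts = set(), []
    for ev in events:
        if ev["outcome"] != "failure":
            continue
        key = (ev["src_ip"], ev["user"])
        times = recent[key]
        times.append(ev["ts"])
        while ev["ts"] - times[0] >= window:  # expire failures older than the window
            times.popleft()
        if len(times) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src_ip": key[0], "user": key[1],
                           "failures": len(times), "since": times[0]})
    return alerts

def sample_events():
    """Constructed data: one automated guesser and one user who forgot a password."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    events = [  # 60 failures, one per second, against the same account
        {"ts": t0 + timedelta(seconds=i), "src_ip": "203.0.113.7",
         "user": "alice", "outcome": "failure"}
        for i in range(60)
    ]
    events += [  # three failures 40 seconds apart, then a successful login
        {"ts": t0 + timedelta(seconds=40 * i), "src_ip": "198.51.100.20",
         "user": "bob", "outcome": "failure"}
        for i in range(3)
    ]
    events.append({"ts": t0 + timedelta(seconds=130), "src_ip": "198.51.100.20",
                   "user": "bob", "outcome": "success"})
    return sorted(events, key=lambda e: e["ts"])

if __name__ == "__main__":
    print(detect_brute_force(sample_events()))  # the article's figure: 60 in a minute
    # A tighter rule also catches bob, a false positive rather than an attack.
    print(detect_brute_force(sample_events(), threshold=3,
                             window=timedelta(minutes=2)))
```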
Impossible Travel
When a user logs in to a system, it generally creates a timestamp of the event. Alongside the time, the system may often record other useful information such as the device used, GPS location, IP address, incorrect login attempts, etc. The more data is collected, the more use can be gathered from it. For impossible travel, the system looks at the current and last login date/time and the distance between the recorded locations. If it deems it’s not possible for this to happen, for example traveling hundreds of miles within a minute, then it will set off a warning.
Unfortunately, many employees and users are now using VPN services; therefore, this should be taken into consideration when setting up such a rule.
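The impossible-travel check and the VPN caveat above, as an added Python example (not UTMStack's implementation). The speed limit, the minimum distance, the VPN allowlist parameter and the sample logins are assumptions constructed for illustration.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumption: about the cruising speed of an airliner
MIN_KM = 50.0    # assumption: ignore small jumps caused by geo-IP inaccuracy

def haversine_km(a, b):
    """Great-circle distance in km between two (latitude, longitude) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(logins, vpn_ips=frozenset()):
    """Compare each login with the same user's previous one (time-ordered input)."""
    last, alerts = {}, []
    for ev in logins:
        if ev["src_ip"] in vpn_ips:
            continue  # a VPN exit node's location is not the user's location
        prev = last.get(ev["user"])
        last[ev["user"]] = ev
        if prev is None:
            continue
        km = haversine_km(prev["geo"], ev["geo"])
        hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
        if km > MIN_KM and (hours <= 0 or km / hours > MAX_KMH):
            alerts.append({"user": ev["user"], "km": round(km),
                           "minutes": round(hours * 60)})
    return alerts

NEW_YORK, LONDON = (40.7128, -74.0060), (51.5074, -0.1278)
MADRID, FRANKFURT = (40.4168, -3.7038), (50.1109, 8.6821)
LOGINS = [  # constructed sample data; 192.0.2.50 stands in for a corporate VPN exit
    {"ts": datetime(2024, 1, 1, 9, 0), "user": "alice",
     "src_ip": "198.51.100.10", "geo": NEW_YORK},
    {"ts": datetime(2024, 1, 1, 9, 1), "user": "alice",
     "src_ip": "203.0.113.7", "geo": LONDON},
    {"ts": datetime(2024, 1, 1, 9, 0), "user": "bob",
     "src_ip": "198.51.100.20", "geo": MADRID},
    {"ts": datetime(2024, 1, 1, 9, 5), "user": "bob",
     "src_ip": "192.0.2.50", "geo": FRANKFURT},
]

if __name__ == "__main__":
    print(impossible_travel(LOGINS))                          # alice and bob
    print(impossible_travel(LOGINS, vpn_ips={"192.0.2.50"}))  # alice only
```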
Excessive File Copying
If you think about your day-to-day activities, you most likely don’t copy or move around a lot of files on your system. Therefore any excessive file copying on a system can be attributed to someone wanting to cause harm to your company. Unfortunately, it’s not as simple as stating someone has gained access to your network illegally and they want to steal confidential information. It could also be an employee looking to sell company information, or they could just want to take home some files for the weekend.
DDoS Attack
A DDoS (Distributed Denial of Service) attack would cause an issue for pretty much any company. A DDoS attack can not only take your web properties offline, it can also make your system weaker. With suitable correlation rules in place, your SIEM should trigger an alert right at the start of the attack so that you can take the necessary precautionary measures to protect your systems.
File Integrity Change
File Integrity and Change Monitoring (FIM) is the process of monitoring the files on your system. Unexpected changes in your system files will trigger an alert as it’s a likely indication of a cyber attack.
Handling False Positives
Unfortunately, false positives appear in all walks of life, and this holds true for SIEM. All tools and systems have the possibility to produce a false-positive result. For example, too many failed login attempts can just be an employee forgetting their password and not someone trying to break into the system. It’s important that for any triggered events the steps taken are justifiable and of an appropriate measure as you wouldn’t want employees getting locked out for hours in such scenarios.
Models
Alongside correlation rules, it’s also possible for SIEM to have models. Models differ somewhat from correlation rules but if implemented correctly can be just as useful. Instead of using a one-to-one correlation, a model requires a number of steps to happen in order to trigger an alert. This usually means a first-time rule followed by an anomalous behavior. This can be as simple as a user logging in from a different location than usual and then carrying out a large file transfer.
This can be extremely useful, as a single event does not necessarily mean a compromise of an organization’s servers or network; it could just be a team member working from a cafe for a change in scenery.
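The two-step model described above (a first-time location followed by a large file transfer), as an added Python example; it is not UTMStack's model engine. The event fields, the 500 MiB threshold, the one-hour follow-up window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

LARGE_TRANSFER = 500 * 1024 ** 2  # assumption: 500 MiB counts as "large"
FOLLOW_UP = timedelta(hours=1)    # assumption: how long step one stays armed

def run_model(events, usual_locations):
    """A login from a location never seen for that user arms the model; a large
    transfer by the same user within FOLLOW_UP raises the alert."""
    seen = {user: set(locs) for user, locs in usual_locations.items()}
    armed, alerts = {}, []  # armed: user -> (time, location) of the first-time login
    for ev in events:       # time-ordered
        user = ev["user"]
        if ev["type"] == "login":
            locations = seen.setdefault(user, set())
            if ev["location"] not in locations:
                locations.add(ev["location"])
                armed[user] = (ev["ts"], ev["location"])
        elif ev["type"] == "file_transfer" and ev["bytes"] >= LARGE_TRANSFER:
            step_one = armed.get(user)
            if step_one and ev["ts"] - step_one[0] <= FOLLOW_UP:
                alerts.append({"user": user, "location": step_one[1],
                               "bytes": ev["bytes"]})
                del armed[user]
    return alerts

USUAL = {"alice": {"Madrid"}, "bob": {"Madrid"}, "carol": {"Madrid"}}
T0 = datetime(2024, 1, 1, 9, 0)
EVENTS = [  # constructed sample data, already in time order
    {"ts": T0, "type": "login", "user": "alice", "location": "Lisbon"},
    {"ts": T0, "type": "login", "user": "bob", "location": "Porto"},   # the cafe
    {"ts": T0, "type": "login", "user": "carol", "location": "Madrid"},
    {"ts": T0 + timedelta(minutes=5), "type": "file_transfer",
     "user": "bob", "bytes": 5 * 1024 ** 2},
    {"ts": T0 + timedelta(minutes=10), "type": "file_transfer",
     "user": "alice", "bytes": 2 * 1024 ** 3},
    {"ts": T0 + timedelta(minutes=20), "type": "file_transfer",
     "user": "carol", "bytes": 2 * 1024 ** 3},
]

if __name__ == "__main__":
    print(run_model(EVENTS, USUAL))  # only alice completes both steps
```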
How do I create a rule alert in SIEM?
As mentioned, UTMStack already has over 128,000 SIEM correlation rules to help with your cybersecurity. To keep our system as secure and optimal as possible, we do not allow the addition of any new rules by the user. However, if you have any correlation rules or events that you’d like added then we are able to have a look at these and implement them as required within a short time frame.
With other SIEM and security tools, it may be possible to add your own manually. However, for our customers, we do not believe that this is the right protocol.
Importance for Compliance
Having a great SIEM with solid correlation rules is extremely important for compliance with different regulatory needs such as HIPAA, GDPR, GLBA, and SOC. In fact, by using unified threat management from UTMStack, you can meet a number of requirements set out by these laws and have peace of mind when it comes to your network security.
There you have it. We hope that we’ve helped you understand SIEM correlation rules and their importance when it comes to detecting threats and protecting your network. If you haven’t yet, then we’d recommend that you get UTMStack to help protect you