Instead of harping on the perceived inadequacies or issues, organizations that are serious about establishing their security posture are demanding better from their SIEM platform. They acknowledge that it is something they need and can be improved to achieve the desired outcomes. One aspect where SIEM systems have wide room for improvement is in correlation. Many SIEM platforms end up generating overwhelming amounts of alerts or security data that make it difficult to promptly address the most important and urgent ones, as they are concealed or overrun by unsorted security data. This is something addressed by proper correlation. However, correlation is not just a predefined or pre-configured function. It is something organizations need to understand thoroughly, since they may need to be involved in the configuration process. It helps to have a good grasp of it to come up with correlation rules that can detect actual cyberattacks, especially novel and unidentified ones. Discussed below are five of the common cases for which correlation rules are set. These instances show how important correlation is in security information and event management.
Brute force attempts
Brute force attacks, simply put, are attempts to guess a variable. These attacks usually refer to the repeated attempts of hackers to guess passwords or other login credentials. However, they can also be about guessing certain URLs to access pages on a website, particularly login/admin pages and those that contain sensitive information.
Brute-forcing URLs can be a step in cross-site scripting, which exploits website vulnerabilities that enable the injection of client-side scripts to bypass access controls or obtain data that is supposedly not meant for public access. These attempts can be undertaken manually or in an automated manner with the help of special software tools. Organizations can create correlation rules that differentiate legitimate login mistakes, for example, from abnormally repetitive login attempts.
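The distinction drawn above, a couple of typos followed by a successful login versus a sustained run of failures from one source, is exactly what a sliding-window correlation rule encodes. The following Python is an added example written for this page, not the page's own code or any particular SIEM product's rule syntax; the events, the 5-failures-in-2-minutes threshold and the field names are constructed assumptions. It keys on the source address so that one client cycling through many usernames (password spraying) is counted alongside one client hammering a single account, and it raises a second, higher-priority alert when a burst of failures is followed by a success.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events (not real log data):
# (ISO timestamp, username, source IP, outcome)
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:01", "alice", "10.0.0.5", "failure"),
    ("2024-03-01T09:00:07", "alice", "10.0.0.5", "failure"),
    ("2024-03-01T09:00:15", "alice", "10.0.0.5", "success"),     # two typos, then in: benign
    ("2024-03-01T09:10:00", "bob",   "203.0.113.7", "failure"),
    ("2024-03-01T09:10:05", "bob",   "203.0.113.7", "failure"),
    ("2024-03-01T09:10:11", "carol", "203.0.113.7", "failure"),
    ("2024-03-01T09:10:16", "carol", "203.0.113.7", "failure"),
    ("2024-03-01T09:10:22", "dave",  "203.0.113.7", "failure"),
    ("2024-03-01T09:10:30", "dave",  "203.0.113.7", "success"),   # success right after the burst
]


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Sliding-window rule over login events, keyed by source address.

    Emits a ``brute_force`` alert the moment a source reaches ``threshold``
    failures inside ``window`` (once per source per burst), and a
    ``success_after_brute_force`` alert if that same source then logs in
    successfully, which is the outcome worth escalating first.
    A few failures followed by a success are treated as a normal typo
    and reset the counter without alerting.
    """
    recent = defaultdict(deque)   # source -> deque of (timestamp, user) failures in window
    flagged = set()               # sources already alerted for the current burst
    alerts = []

    for ts, user, src, outcome in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        q = recent[src]
        # drop failures that have aged out of the window
        while q and t - q[0][0] > window:
            q.popleft()

        if outcome == "success":
            if len(q) >= threshold:
                alerts.append({
                    "rule": "success_after_brute_force",
                    "source": src,
                    "user": user,
                    "failures_before_success": len(q),
                    "time": ts,
                })
            # either way the burst is over: reset state for this source
            q.clear()
            flagged.discard(src)
            continue

        q.append((t, user))
        if len(q) >= threshold and src not in flagged:
            alerts.append({
                "rule": "brute_force",
                "source": src,
                "count": len(q),
                "distinct_users": len({u for _, u in q}),   # >1 suggests password spraying
                "first": q[0][0].isoformat(),
                "last": t.isoformat(),
            })
            flagged.add(src)
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_EVENTS):
        print(a)
```

Run against the sample, the rule stays quiet for alice and raises two alerts for 203.0.113.7: the burst itself (five failures across three usernames) and the success that follows it. In production the threshold and window would be tuned per authentication source, and the same shape of rule applies to repeated 404s on URL guesses with the path in place of the username.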
Unusually frequent file copying and moving
The duplication and movement of files is not inherently anomalous activity. Employees do it numerous times within the day. Some employees regularly take home data so they can continue working on certain tasks at home during the weekends. This typical activity, though, can conceal ongoing efforts by threat actors to steal business data or to prepare sensitive corporate data to be sold on the dark net. Organizations need to establish patterns of file copying and movement based on activities that are considered regular or usual. For example, employees could be making copies of the files they need at around four to five in the afternoon, and the files they copy rarely exceed 20 MB. Based on these details, the organization can create correlation rules that flag file copying and moving at unusual times, in unusually continuous bursts, or at greater-than-usual volumes. This is an oversimplified example, but it shows how correlation can enable automatic threat detection based on patterns of file copying and movement activities. It helps catch incidents of data theft and spot possible attempts by employees to collect and sell sensitive corporate data.
Distributed Denial of Service (DDoS) attacks
DDoS attacks seek to achieve various goals, the most common of which is the interruption of business operations. They can also be used to inflict reputational damage. Businesses that have been halted by a cyberattack tend to be viewed unfavorably by customers, as they appear to have an unreliable security posture. Additionally, DDoS may also be employed to conceal other cyberattacks. As early as 2015, cybersecurity experts warned about the more sinister motivations behind DDoS attacks. They are not only aimed at downing websites or web services. They may also be used as a decoy or a misdirection tool for more serious attacks such as the installation of malicious software. DDoS attacks are not impossible to prevent, though. With thoughtfully crafted correlation rules within the SIEM platform, DDoS attacks can be detected early and prevented from wreaking havoc on business activities and reputation.
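Two rules follow from the paragraph above: a volumetric one that separates a distributed flood from a single noisy client, and a correlation across rules that surfaces whatever else happened while the flood was running, since the text notes the flood may be a decoy. The Python below is an added example for this page, not the page's own code; the access records, the host names, the other rules' alerts and the thresholds (10x the median per-minute rate, at least 50 distinct sources) are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

BASE = datetime(2024, 3, 1, 10, 0, 0)

# Constructed web-server access records: (timestamp, source IP, target host).
# Five quiet minutes of 10 requests/min from a handful of clients...
REQUESTS = [
    (BASE + timedelta(minutes=m, seconds=6 * i), f"198.51.100.{i % 5 + 1}", "www")
    for m in range(5) for i in range(10)
]
# ...then one minute with 500 requests from 200 distinct addresses.
REQUESTS += [
    (BASE + timedelta(minutes=5, milliseconds=100 * i), f"203.0.113.{i % 200 + 1}", "www")
    for i in range(500)
]

# Constructed alerts from other rules on other hosts, to be correlated in time.
OTHER_ALERTS = [
    (BASE + timedelta(minutes=2), "host-db1", "new_local_admin_account"),
    (BASE + timedelta(minutes=5, seconds=30), "host-db1", "new_local_admin_account"),
]


def floor_minute(t):
    return t.replace(second=0, microsecond=0)


def detect_flood(requests, rate_factor=10, min_sources=50):
    """Per target, flag one-minute buckets whose request count exceeds
    rate_factor x the target's median bucket AND which involve at least
    min_sources distinct clients (one client hammering a host is a
    different problem and a different rule)."""
    counts = defaultdict(lambda: defaultdict(int))     # target -> bucket -> requests
    sources = defaultdict(lambda: defaultdict(set))    # target -> bucket -> client set
    for t, src, target in requests:
        b = floor_minute(t)
        counts[target][b] += 1
        sources[target][b].add(src)

    floods = []
    for target, buckets in counts.items():
        typical = median(buckets.values())
        for b, n in sorted(buckets.items()):
            distinct = len(sources[target][b])
            if n > rate_factor * typical and distinct >= min_sources:
                floods.append({"target": target, "start": b, "end": b + timedelta(minutes=1),
                               "requests": n, "sources": distinct})
    return floods


def correlate_decoy(floods, other_alerts):
    """Return alerts raised elsewhere while a flood was in progress. These are
    the ones to look at first: the flood may be cover for them."""
    hits = []
    for t, host, name in other_alerts:
        for f in floods:
            if f["start"] <= t < f["end"]:
                hits.append({"time": t, "host": host, "alert": name,
                             "during_flood_on": f["target"]})
    return hits


if __name__ == "__main__":
    floods = detect_flood(REQUESTS)
    print(floods)
    print(correlate_decoy(floods, OTHER_ALERTS))
```

Against the sample, the flood detector finds the single hot minute (500 requests from 200 clients against a median of 10), and the decoy correlation keeps only the admin-account alert that fell inside that minute, discarding the earlier identical alert. Real deployments would baseline by time of day rather than a flat median, but the shape of the correlation is the same.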
Impossible travel
The phrase impossible travel in cybersecurity refers to activity that is highly suspicious because it is physically or logically impossible. For example, someone who has just logged out of their account in one location logs back in using a new device in a very distant location. A logout or other account activity recorded in one country followed by a login from a different country a few minutes later is practically impossible, hence suspicious or potentially malicious. Activities such as account logins are pegged to specific timestamps and generate related data such as the device and device OS used, the IP address, the GPS location, and the number of failed login attempts. This information makes it possible to create correlation rules that distinguish legitimate or regular activities from suspicious or anomalous ones. They can indicate potential account takeovers and other cyber offenses exposed by the logical impossibility of the recorded actions.
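The rule is a speed check: distance between consecutive logins for the same account divided by the time between them, compared against how fast a person can actually move. The Python below is an added example for this page, not the page's own code or any vendor's implementation; the login records, coordinates, devices, the 900 km/h ceiling and the 100 km floor are constructed assumptions. The floor matters as much as the ceiling: IP geolocation is imprecise, and a second device in the same city minutes later should not fire the rule.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed login records: (ISO timestamp, user, source IP, lat, lon, device).
# Coordinates are approximate city centres; the events themselves are invented.
LOGINS = [
    ("2024-03-01T10:00:00", "alice", "198.51.100.10", 40.7128, -74.0060, "laptop-a"),      # New York
    ("2024-03-01T10:20:00", "alice", "203.0.113.44", 51.5074, -0.1278, "unknown-android"),  # London, 20 min later
    ("2024-03-01T08:00:00", "bob", "198.51.100.20", 40.7128, -74.0060, "laptop-b"),        # New York
    ("2024-03-01T12:00:00", "bob", "198.51.100.21", 42.3601, -71.0589, "laptop-b"),        # Boston, 4 h later
    ("2024-03-01T09:00:00", "carol", "198.51.100.30", 48.8566, 2.3522, "laptop-c"),        # Paris
    ("2024-03-01T09:00:00", "carol", "198.51.100.31", 48.8566, 2.3522, "phone-c"),         # Paris, second device
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def detect_impossible_travel(logins, max_speed_kmh=900.0, min_distance_km=100.0):
    """Compare each login with the same user's previous one and alert when the
    implied speed exceeds max_speed_kmh (roughly airliner speed). Pairs closer
    than min_distance_km are ignored so geolocation jitter and a second device
    in the same city do not trigger the rule."""
    by_user = defaultdict(list)
    for rec in sorted(logins, key=lambda r: r[0]):
        by_user[rec[1]].append(rec)

    alerts = []
    for user, recs in by_user.items():
        for prev, cur in zip(recs, recs[1:]):
            dist = haversine_km(prev[3], prev[4], cur[3], cur[4])
            if dist < min_distance_km:
                continue
            hours = (datetime.fromisoformat(cur[0])
                     - datetime.fromisoformat(prev[0])).total_seconds() / 3600
            # two distant logins at the very same instant: treat as infinitely fast
            speed = dist / hours if hours > 0 else math.inf
            if speed > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from": (prev[2], prev[5]),
                    "to": (cur[2], cur[5]),
                    "distance_km": round(dist),
                    "elapsed_h": round(hours, 2),
                    "speed_kmh": round(speed),
                })
    return alerts


if __name__ == "__main__":
    for a in detect_impossible_travel(LOGINS):
        print(a)
```

Only alice trips the rule: New York to London in twenty minutes implies well over ten thousand km/h, and the alert carries the new, unrecognised device along with it, which is the detail an analyst wants when deciding whether this is an account takeover. Bob's four-hour trip to Boston and Carol's two devices in Paris pass.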
File integrity changes
Security teams in enterprises conduct file integrity monitoring (FIM) as part of the cybersecurity auditing process to verify and validate an organization’s files, system and app files in particular. FIM sees to it that files are their latest versions and are not altered, compromised, or updated outside a regular update schedule. Correlation rules can be written to ensure that all the files in an organization’s network are just the way they are expected to be. Unexpected changes or updates will trigger alerts or the sending of notifications to concerned individuals or teams. Also, the presence of unexpected files in hard drives or cloud storage can be detected as anomalous and possible indicators of malware infections or other forms of cyberattacks.
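The core of file integrity monitoring is a baseline of cryptographic hashes and a comparison against a fresh snapshot, which sorts every difference into one of the three categories named above: altered files, unexpected new files, and files that have gone missing. The Python below is an added example for this page, not the page's own code or any FIM product's implementation; it builds a throwaway directory tree under a temporary path so it runs anywhere, and the file names and contents in it are constructed. Each snapshot hashes files with SHA-256 and keys them by relative path, so the same baseline can be compared across hosts that mount the same image at different roots.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_snapshots(baseline, current):
    """Classify differences: modified (hash changed), added (not in baseline),
    missing (in baseline but gone). Each value is a sorted list of relative paths."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "missing": missing}


def run_demo():
    """Build a constructed tree, baseline it, tamper with it, and return the diff.
    Nothing here touches real system paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("listen = 443\n")
        (root / "bin" / "service").write_bytes(b"\x7fELF-placeholder-binary")
        (root / "etc" / "old.conf").write_text("retired\n")
        baseline = snapshot(root)

        # simulate the three situations FIM exists to catch
        (root / "bin" / "service").write_bytes(b"\x7fELF-placeholder-binary-CHANGED")  # altered outside a release
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "update").write_text("# unexpected new file\n")    # appeared from nowhere
        (root / "etc" / "old.conf").unlink()                                            # removed
        current = snapshot(root)
        return diff_snapshots(baseline, current)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

The unchanged app.conf appears in neither list, the patched binary lands under modified, the new cron fragment under added and the removed config under missing. In a SIEM the interesting correlation is between these diffs and a change calendar: a modified system binary with no matching deployment ticket is the alert; the same change inside a scheduled maintenance window is just a record.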
In summary
Correlation is not a new concept, but it has only been somewhat honed in recent years. It is encouraging to know that SIEM system users can now create their own correlation rules, in addition to using predefined ones, to bolster their security posture. Organizations can create hundreds or thousands of correlation rules depending on their situational requirements. False positives may be encountered, and are even inevitable, but they do not invalidate the benefits of correlation and its importance in security information and event management.