ChaosSearch Blog - Tips for Wrestling Your Data Chaos

SIEM Logging for Enterprise Security Operations and Threat Hunting

Written by Dave Armlin | Oct 19, 2023

Today’s enterprise networks are diverse and complex. The single network perimeter of old has given way to many entry points, cloud-based applications among them, that bad actors can attack through. On top of that, these networks generate massive amounts of transactional data.

Because enterprise networks have become larger, they’re more difficult to secure and manage. As a result, IT operations teams and security analysts seek better ways to deal with the massive influx of information to improve security and observability.

Network security tools like firewalls, antivirus, and endpoint protection continue to play an important role. However, each of these solutions on its own provides just a glimpse into the network’s overall security posture. While integrating multiple security tools can deliver a complete view, doing so successfully is often a difficult challenge.

Security teams need solutions like Security Information and Event Management (SIEM) tools to safeguard complex IT environments. SIEM grew out of two earlier product categories, security information management (SIM) and security event management (SEM), and combines both. Paired with log analytics tools, SIEM platforms give teams comprehensive network observability at scale: they ingest huge volumes of data from multiple sources and correlate events in near real time to surface potential threats and vulnerabilities. When the log analytics layer sits on low-cost object storage, the architecture is often called a security data lake (Amazon Security Lake is one example).

This blog post explores how cybersecurity teams can secure complex enterprise IT environments by combining SIEM software solutions and Log Analytics for security operations and threat hunting.

You’ll discover how SIEM and log management solutions work together to satisfy use cases including:

  • Real-time anomaly and threat detection
  • Compliance management
  • Threat hunting
  • Forensic analysis
  • And more.


Cybersecurity Analytics Tools: SIEM and Log Management

Although SIEM and Log Analytics tools take different approaches to analysis, using them together improves the security posture of complex networks.

SIEM and log analysis overlap in several areas when it comes to achieving visibility. Understanding where these technologies differ and how they complement each other is key to maintaining the cyber hygiene of any enterprise.

Let’s get started!


SIEM Analytics: Strengths and Weaknesses

SIEM tools collect and aggregate log data from network and security devices in real time. They then analyze the aggregated events, looking for correlations across sources that could indicate a cybersecurity threat or an exploitable weakness in a system.

The defining capabilities of a SIEM software solution are:

  • Logs, Metrics, and Event Data Collection - SIEM tools can monitor networks in real time. The tool collects, centralizes and stores log and event data from network devices, security tools, and other applications.
  • Data Analysis and Event Correlation - SIEM tools analyze aggregated logs and event data, searching for combinations or sequences of events that share attributes (the same source address, user account, or host appearing across several sources within a short window, for instance) that could indicate malicious activity. Mature deployments run hundreds or thousands of correlation rules, kept current with enterprise threat intelligence.
  • Notifications and Alerting - When a correlation is detected that indicates a possible security breach or incident, SIEM tools can generate security alerts and send notifications to security analysts.
  • Automated Security Incident Response - SIEM tools can be configured to automatically respond to security incidents by consolidating relevant data and initiating actions on third-party systems. This feature helps eliminate slow, manual processes and reduces mean-time-to-resolution (MTTR) for security events.
  • Visualization, Dashboards, and Reports - SIEM tools offer visualization and dashboarding capabilities that make it easier for SecOps teams to consume data. They also offer reporting capabilities that categorize security-related events such as failed logins, potential malware activity, and potential data exfiltration.

SIEM tools have many strengths that make them effective security solutions for enterprise SecOps teams. They are effective at delivering real-time network observability and threat detection. Most solutions can work with numerous data sources and include advanced automation tools. Some SIEM tools even use machine learning to strengthen their anomaly and outlier detection capabilities over time.

But despite their strong performance in detecting threats as they happen, SIEM solutions fall short when an investigation needs more history than the SIEM retains, which is exactly the situation with slow-moving or advanced persistent threats.


Where are the Performance Gaps for SIEM Logging?

SIEM tools are optimized for real-time network observability and alerting on security threats, but those optimizations come at a cost.

Trade-offs for SecOps teams deploying an SIEM solution:

  • Limited Data Sources - SIEM integrations are typically built around security appliances and a fixed catalogue of supported sources, so other devices and applications on the network may never be onboarded. Most SIEM vendors also license by daily ingest volume (some by data source), which gives teams a budgetary incentive to restrict the scope of what they collect and monitor.
  • Limited Data Retention - Most SIEM tools offer short retention periods for log data, with high costs for keeping it longer. As a result, they work well for investigating active incidents but poorly for analyzing historical data to uncover long-running or persistent threats.
  • Limits on Reporting - SIEM tools often have predefined reports that focus purely on security events, limiting their applicability for more in-depth forensic analysis.
  • Costly Integration Challenges - SIEM tools frequently require custom integration to work with cloud or on-premise security appliances. If an appliance is not natively supported, a custom-coded solution may be required to capture data and include it in security analytics.
  • False Positives and Missed Events - The complexity of SIEM tools, together with the integration gaps described above, can cause security events to be missed or produce alerts without the surrounding context. Without the full context of an event, SIEM tools can deliver misleading findings that are time-consuming to investigate.
  • Complexity - Effectively using a SIEM may require extensive training and hiring additional cybersecurity staff.

SIEM tools require considerable integration, customizations, and the right expertise to be effective - and they still won’t satisfy every single cybersecurity use case.

Thankfully, alternatives have emerged to address these shortfalls. For example, many teams choose to use a cybersecurity data lake combined with an extended detection and response (XDR) system, or a SIEM with an intrusion detection system (IDS). SecOps teams can also supplement their SIEM tool with a security lake and log analytics solution that covers those key performance gaps.


Leveraging Log Analytics for Security

Log Analytics software solutions are used for collecting and aggregating logs. Enterprise SecOps teams are increasingly adopting log analytics for security operations and threat-hunting applications. A log analytics solution brings together security and event data from throughout the network, giving SecOps teams increased visibility of potential threats and vulnerabilities. Many emerging solutions like OpenSearch security analytics combine the best of low-cost storage and log analytics.

The defining capabilities of log analytics solutions are:

  • Log Data Collection and Aggregation - Just like SIEM tools, log analytics solutions collect, aggregate, and centralize log data for analysis. But while SIEM tools are typically integrated with security appliances, log analytics solutions gather log data from a broader spectrum of sources that includes operating systems, network infrastructure, applications, and endpoint devices.
  • Log Data Normalization - Most log analytics solutions can normalize log data from different sources, mapping vendor-specific fields (timestamp formats, source-address field names, success/failure values) onto one common schema. That means a single unified index can be queried consistently regardless of which system produced each record.
  • Log Indexing, Storage, and Retention - Normalized log data must be indexed before it can be searched, queried, and analyzed. While log analytics solutions don’t offer the same level of real-time monitoring that SIEM tools do, they may offer more cost-effective long-term data storage.
  • Querying and Analytics - Log analytics tools allow security operations teams to run queries and perform security log analysis on indexed data to discover potential threats and vulnerabilities.
  • Visualization and Dashboarding - Just like with SIEM tools, log analytics solutions offer visualization and dashboarding features that make it easier for SecOps teams to consume data or create reports.

Log analytics platforms are especially useful for forensic analysis and understanding how data moves across the network. Cybersecurity professionals can use these platforms to delve into events that may have happened days, weeks, or even months ago.
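
The normalization and correlation steps described above, as an added example that is not code from this post or from ChaosSearch: two sources with different formats (constructed sshd auth lines and constructed JSON audit events from a cloud console) are mapped onto one common schema, and a single brute-force correlation rule then runs over the unified events without caring where each one came from. The schema field names, the threshold of five failures followed by a success within ten minutes, and the year 2023 assumed for the syslog timestamps (syslog carries no year) are assumptions chosen for the illustration.

```python
"""Added example: normalise two log formats into one schema, then run a
correlation rule over the unified events.  The log lines are constructed for
this illustration; the field names, the 5-failures-in-10-minutes threshold and
the year assumed for syslog timestamps are assumptions, not any vendor's."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sshd auth log lines (syslog has no year; 2023 is assumed below).
SYSLOG_LINES = [
    "Oct 19 10:00:01 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 4410 ssh2",
    "Oct 19 10:00:04 web01 sshd[2212]: Failed password for root from 203.0.113.7 port 4412 ssh2",
    "Oct 19 10:00:09 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 4415 ssh2",
    "Oct 19 10:00:15 web01 sshd[2214]: Failed password for root from 203.0.113.7 port 4418 ssh2",
    "Oct 19 10:00:22 web01 sshd[2215]: Failed password for root from 203.0.113.7 port 4420 ssh2",
    "Oct 19 10:00:40 web01 sshd[2216]: Failed password for root from 203.0.113.7 port 4422 ssh2",
    "Oct 19 10:01:30 web01 sshd[2219]: Accepted password for root from 203.0.113.7 port 4431 ssh2",
    "Oct 19 10:02:00 web01 sshd[2220]: Failed password for bob from 198.51.100.9 port 5000 ssh2",
    "Oct 19 10:02:05 web01 sshd[2221]: Failed password for bob from 198.51.100.9 port 5001 ssh2",
    "Oct 19 10:03:00 web01 sshd[2222]: pam_unix(sshd:session): session closed for user bob",
]
# Constructed audit events from a cloud console, already JSON: a second source
# with different field names that the same rule must understand.
CLOUD_EVENTS = [
    '{"time":"2023-10-19T10:05:00Z","user":"alice","src":"198.51.100.9","outcome":"failure"}',
    '{"time":"2023-10-19T10:05:10Z","user":"alice","src":"198.51.100.9","outcome":"success"}',
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>[\d.]+)"
)


def normalize_syslog(line, year=2023):
    """Map an sshd auth line onto the common schema; None for lines the rule ignores."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts.replace(tzinfo=timezone.utc),
        "user": m["user"],
        "src": m["src"],
        "outcome": "success" if m["result"] == "Accepted" else "failure",
        "source": "sshd",
    }


def normalize_cloud(line):
    """Map a cloud audit event onto the same schema as the syslog lines."""
    d = json.loads(line)
    ts = datetime.strptime(d["time"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts.replace(tzinfo=timezone.utc), "user": d["user"], "src": d["src"],
            "outcome": d["outcome"], "source": "cloud"}


def correlate_bruteforce(events, min_failures=5, window=timedelta(minutes=10)):
    """Correlation rule: a success for (src, user) preceded by >= min_failures
    failures for the same pair inside `window`.  It sees only normalised events,
    so it does not care which source produced them."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[(e["src"], e["user"])].append(e)
    alerts = []
    for (src, user), evs in by_key.items():
        for i, e in enumerate(evs):
            if e["outcome"] != "success":
                continue
            failures = [f for f in evs[:i]
                        if f["outcome"] == "failure" and e["ts"] - f["ts"] <= window]
            if len(failures) >= min_failures:
                alerts.append({"src": src, "user": user, "failures": len(failures),
                               "success_at": e["ts"].isoformat(),
                               "sources": sorted({f["source"] for f in failures} | {e["source"]})})
    return alerts


def run_rule():
    """Normalise every constructed line from both sources and apply the rule."""
    events = [n for n in map(normalize_syslog, SYSLOG_LINES) if n is not None]
    events += [normalize_cloud(line) for line in CLOUD_EVENTS]
    return correlate_bruteforce(events)


if __name__ == "__main__":
    for alert in run_rule():
        print(alert)
```

Only the root login from 203.0.113.7 fires: six failures and then a success inside the window. The two failures for bob never lead to a success, and alice's single failure before a success is under the threshold, which is the kind of context a rule needs to avoid the false positives discussed earlier. The pam session line is dropped by the normalizer rather than breaking the rule, the usual fate of log lines a schema has no mapping for.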


SIEM + Log Analysis Use Cases

SIEM tools and Log Analytics solutions have some different use cases. They are complementary to each other when it comes to the critical function of enterprise cybersecurity.

For each of the following use cases, we’ll review the benefits of each option and how teams can deploy both SIEM and Log Analytics for SecOps use cases.


Network Observability

In a cybersecurity context, network observability allows SecOps teams to assess the security posture of the enterprise network based on metrics, traces, and log data.

  • SIEM tools collect logs, metrics, and event data, then aggregate the data and correlate events in real time. This delivers up-to-the-second observability into active threats and the network’s overall security posture.
  • Log analytics solutions collect, aggregate, and normalize log files before placing the data into a searchable index. This process delivers enhanced observability of retroactive log data that can be queried and analyzed by SecOps teams to recreate a security incident or hunt for long-term threats.


Anomaly and Threat Detection

Detecting cyber threats and identifying anomalous events on the network are among the most important capabilities for enterprise security teams.

  • SIEM tools are optimized for active threat detection. Because their correlation rules key on behavior rather than on file signatures alone, they can flag activity from threats no signature yet covers, such as polymorphic malware or exploitation of a zero-day vulnerability, provided the resulting behavior on the network is itself anomalous.
  • Log analytics solutions are optimized for retroactive threat detection. Their ability to retain data for longer periods makes them better suited for detecting long-term and advanced persistent threats.
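
The retention point above, as an added example that is not code from this post or from ChaosSearch: a beacon detector run over a constructed 60-day outbound connection history for one internal host. The host contacts an assumed command-and-control address roughly once a day with slight jitter, far too quiet for any per-day volume threshold, while also talking to a legitimate service at random times. What gives the beacon away is the regularity of its inter-connection gaps, and that only becomes measurable with enough history: the same rule run over the most recent 30 days of the same data returns nothing. The addresses, the once-a-day cadence, and the thresholds (at least 40 connections, coefficient of variation of the gaps at most 0.1) are assumptions chosen for the illustration.

```python
"""Added example: low-and-slow beacon detection that only works with enough
retained history.  All connection records are constructed; the addresses,
cadence and thresholds are assumptions for this illustration."""
import random
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

START = datetime(2023, 8, 1, tzinfo=timezone.utc)


def build_sample_connections(days=60, seed=7):
    """Constructed outbound connection log for one internal host over `days` days."""
    rng = random.Random(seed)
    end = START + timedelta(days=days)
    records = []
    # Beacon: roughly once a day to an assumed C2 address, +/- 10 minutes of jitter.
    t = START
    while t < end:
        records.append({"ts": t, "src": "10.0.5.23", "dst": "192.0.2.44"})
        t += timedelta(days=1, seconds=rng.randint(-600, 600))
    # Legitimate traffic: ~20 connections a day to a SaaS address at random times.
    for _ in range(days * 20):
        offset = timedelta(seconds=rng.randint(0, days * 86400 - 1))
        records.append({"ts": START + offset, "src": "10.0.5.23", "dst": "198.51.100.80"})
    return records


def slice_recent(records, days):
    """Keep only the last `days` days, imitating a short retention window."""
    latest = max(r["ts"] for r in records)
    cutoff = latest - timedelta(days=days)
    return [r for r in records if r["ts"] >= cutoff]


def find_beacons(records, min_events=40, max_cv=0.1, min_gap=timedelta(minutes=30)):
    """Flag (src, dst) pairs whose inter-connection gaps are unusually regular.
    cv = stdev(gaps) / mean(gaps): bursty human-driven traffic lands near 1.0,
    a timer-driven beacon near 0.  min_gap skips chatty keep-alives, and
    min_events is what makes the verdict depend on how much history was kept."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        if mean < min_gap.total_seconds():
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "events": len(stamps),
                             "mean_gap_hours": round(mean / 3600, 2), "cv": round(cv, 4),
                             "first_seen": stamps[0].isoformat()})
    return findings


if __name__ == "__main__":
    history = build_sample_connections()
    print("60 days retained:", find_beacons(history))
    print("30 days retained:", find_beacons(slice_recent(history, 30)))
```

With the full 60 days the beacon to 192.0.2.44 is reported with a coefficient of variation near zero and the first-seen timestamp an investigator needs; the legitimate destination, with around 1,200 randomly timed connections, stays well above the cv threshold. Truncated to 30 days, the beacon has only about 30 connections, under the minimum, and the rule is silent: the data was there, but not for long enough.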


Compliance Management

Organizations that operate in highly regulated industries may be required to comply with data security and privacy regulations. These regulations create specific requirements for retaining and securely storing certain types of records and sensitive data.

  • SIEM tools can be customized to generate compliance reports that demonstrate adherence to regulatory requirements. Some also provide remediation guidance for checks that fail.
  • Log analytics solutions provide forensic data that demonstrates a historical view of actual events related to compliance.


Threat Hunting

Threat hunting is the process of proactively searching for cyber threats within the network that may have avoided detection by traditional security tools.


Forensic Analysis

Forensic analysis refers to the investigative process conducted by SecOps teams. It uncovers and documents the course, culprits, causes, and consequences of a cyber security incident.

  • Most SIEM tools are cost-optimized for less than 30 days of data retention. SecOps teams that want to keep data longer to support forensic analysis are likely to face prohibitive costs.
  • Log analytics solutions like ChaosSearch allow SecOps teams to fully index and search log data in long-term storage, which makes them well suited to forensic analysis. ChaosSearch uses proprietary indexing technology to compress log files heavily, then turns Amazon S3 and Google Cloud Storage into a fully activated data lake with full query capabilities and cost-effective unlimited data retention.


Using SIEM and Log Analytics for SecOps

Enterprise SecOps teams can benefit from deploying both a SIEM tool and log analytics for security operations and threat hunting. These technologies play complementary roles when it comes to securing enterprise networks against cyber threats.

SIEM tools like Splunk are optimized for monitoring the here and now. They deliver real-time observability and alerting on network events, giving SecOps teams the ability to rapidly detect and respond to indicators of compromise (IoCs) and active threats.

Log analytics solutions are optimized for monitoring data from the past. They deliver a more cost-effective choice for exploring historical trends, hunting down persistent threat attacks, or conducting a forensic analysis.

Organizations that use SIEM tools to detect and respond to threats in the present, and log analytics to uncover trends from the past, are well positioned to safeguard their IT infrastructure into the future.