As part of our SIEM Best Practices Series, today we look at how to bridge gaps in your log coverage and add missing log sources. For a more holistic view of managing your SIEM system, check out this free resource by Advoqt, a White Paper on SIEM Best Practices.
Seeking the right bridge
There will be times when you need to integrate log sources for which no ready-made integration exists. It is important that you remain flexible in such instances and don’t limit yourself to off-the-shelf plug-ins. Sometimes a small Python script that collects local information from a server and forwards it to your SIEM has a significant impact on your monitoring program.
Let’s look at an example of how some of the biggest companies in the US detect malware.
Have you ever been compromised by an APT (Advanced Persistent Threat)? APT is what we call malware that was specifically designed to attack your organization. Such an attack is hard to detect because your standard antivirus software is not equipped to pick up on it. In such a case, what do you do? Let’s start by understanding the goal of the attacker. Attackers will always try to retain their privileges somehow, so they typically look for a way to make their malicious software persist on your systems by executing once the computer boots up. How can we detect every piece of software that auto-starts on our computers? Sysinternals Autoruns is one of the most useful tools for this purpose. It is free, and you can run it on all your Windows-based endpoints with just a GPO (Group Policy Object). This is a highly effective mechanism for detecting every program that is trying to become persistent in your infrastructure. The cost of storing this volume of logs is relatively insignificant, while the data proves extremely useful for threat detection.
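As an added example (not code from the original post or from Advoqt), here is the kind of small Python bridge the text describes: it takes the CSV that the Sysinternals command-line tool autorunsc writes, compares it with the entries reported on a previous run, and emits one JSON event per new auto-start entry for the SIEM to ingest. The CSV rows, hashes and hostname are constructed; the column header is assumed to be the one autorunsc -c writes; the baseline format, event field names, risk heuristics (unverified signer, user-writable image path) and severity labels are this example's own choices.

```python
"""Turn autorunsc CSV output into SIEM events for new persistence entries.

Added example, not the original post's code. Assumes the CSV came from
``autorunsc.exe -a * -c -h -s -nobanner`` and has already been decoded to a
Python str (autorunsc writes UTF-16 when its output is redirected).
"""
import csv
import io
import json
from datetime import datetime, timezone

# Column header assumed to match what autorunsc -c -h writes.
AUTORUNS_HEADER = ("Time,Entry Location,Entry,Enabled,Category,Profile,Description,"
                   "Signer,Company,Image Path,Version,Launch String,MD5,SHA-1,"
                   "PESHA-1,PESHA-256,SHA-256,IMP")

# Constructed sample rows (fake host, user and hashes): one known-good Microsoft
# entry, one unverified binary under a user profile, one signed vendor task.
SAMPLE_CSV = AUTORUNS_HEADER + "\n" + r"""20240101-080000,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,10.0.19041.1,%windir%\system32\SecurityHealthSystray.exe,,,,,sha256_placeholder_1,
20240101-080000,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,JDOE,,(Not verified),,c:\users\jdoe\appdata\roaming\updater\upd.exe,,C:\Users\jdoe\AppData\Roaming\updater\upd.exe /silent,,,,,sha256_placeholder_2,
20240101-080000,Task Scheduler,\Contoso\NightlyBackup,enabled,Tasks,System-wide,Nightly backup agent,(Verified) Contoso Ltd,Contoso Ltd,c:\program files\contoso\backup.exe,2.4.1,C:\Program Files\Contoso\backup.exe --nightly,,,,,sha256_placeholder_3,
"""

# Directories a standard user can write to; an auto-start binary living there
# deserves a closer look (heuristic chosen for this example).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_autoruns_csv(text):
    """Return one dict per autorun entry, keyed by the autorunsc column names."""
    reader = csv.DictReader(io.StringIO(text))
    rows = []
    for row in reader:
        if not row.get("Entry Location"):
            continue  # skip blank or truncated lines
        rows.append({k: (v or "").strip() for k, v in row.items() if k})
    return rows


def entry_key(e):
    """Identity of an entry for baseline comparison: where it is, what it is, and its hash."""
    return "|".join(e[c].lower() for c in ("Entry Location", "Entry", "Image Path", "SHA-256"))


# Constructed baseline: the single entry a previous collection run already reported.
BASELINE = {entry_key({
    "Entry Location": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "Entry": "SecurityHealth",
    "Image Path": r"c:\windows\system32\securityhealthsystray.exe",
    "SHA-256": "sha256_placeholder_1",
})}


def new_entries(entries, baseline):
    """Entries not seen on the previous run (a changed hash counts as new)."""
    return [e for e in entries if entry_key(e) not in baseline]


def risk_reasons(e):
    """Cheap triage hints attached to the event; empty list means nothing obvious."""
    reasons = []
    if not e["Signer"].startswith("(Verified)"):
        reasons.append("unsigned-or-unverified")
    if any(marker in e["Image Path"].lower() for marker in USER_WRITABLE):
        reasons.append("user-writable-path")
    return reasons


def build_siem_events(entries, host, collected_at=None):
    """One flat, SIEM-friendly dict per new auto-start entry."""
    ts = (collected_at or datetime.now(timezone.utc)).isoformat()
    events = []
    for e in entries:
        reasons = risk_reasons(e)
        events.append({
            "@timestamp": ts,
            "host": host,
            "source": "autorunsc",
            "event": "new_autostart_entry",
            "severity": "high" if reasons else "medium",
            "reasons": reasons,
            "location": e["Entry Location"],
            "entry": e["Entry"],
            "category": e["Category"],
            "image_path": e["Image Path"],
            "launch_string": e["Launch String"],
            "signer": e["Signer"],
            "sha256": e["SHA-256"],
        })
    return events


def to_json_lines(events):
    """Newline-delimited JSON, the shape most SIEM HTTP/syslog collectors accept."""
    return "\n".join(json.dumps(ev, sort_keys=True) for ev in events)


if __name__ == "__main__":
    fresh = new_entries(parse_autoruns_csv(SAMPLE_CSV), BASELINE)
    print(to_json_lines(build_siem_events(fresh, host="WS-0042")))
```

In a real deployment the GPO-scheduled task runs autorunsc with hashing enabled, the script persists each host's baseline between runs so only changes are shipped, and the JSON lines go out over whatever transport your SIEM already accepts; the two heuristics here are only triage hints, since the point of the feed is that an analyst sees every new persistence entry, signed or not.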
Another reason you may need to add more log sources is compliance. In those cases, it’s very important to create dashboards that let you identify where the gaps are and which logs you are missing. When possible, we also suggest you hire security experts with malware research expertise who can deploy advanced mechanisms to detect malware.
There are EIGHT more aspects to consider as you work towards implementing a foolproof SIEM system. Our SIEM Best Practices White Paper gives you a clear roadmap. We invite you to get in touch with us to learn how we can help maximize the return on investment of your security program.