As a part of our SIEM Best Practices Series, today we look at how you can work towards bridging the gap between or adding to missing sources. For a more holistic outlook on managing your SIEM System, check out this free resource by Advoqt, a White Paper on SIEM Best Practices.
Seeking the right bridge
There will be times when you need to integrate log sources that are not readily available. In such cases it is important to stay flexible: don't limit yourself to off-the-shelf plug-ins. Sometimes a small Python script that collects local information from a server and forwards it to your SIEM has a significant impact on your monitoring program.
Let’s look at an example of how some of the biggest companies in the US detect malware.
Have you ever been compromised by an APT (Advanced Persistent Threat)? APT is what we call malware that was specifically designed to attack your organization. Such an attack is hard to detect because standard antivirus software is not equipped to pick it up. In such a case, what do you do? Let's start by understanding the attacker's goal. Attackers will always try to maintain their foothold somehow, so they typically look for a way to make their malicious software persist on your systems by executing when the computer boots. How can we detect every piece of software that auto-starts on our computers? Sysinternals Autoruns is one of the most useful tools for this purpose. It is free, and you can run it on all your Windows endpoints with just a GPO (Group Policy Object). This is a highly effective mechanism for detecting every program that is trying to become persistent in your infrastructure. The cost of storing this volume of logs is insignificant compared with more complicated log sources, while the data is extremely valuable for threat detection (yet most SIEM tools don't have an off-the-shelf plug-in for it).
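The kind of collector script described above, as an added example (not code from the original post or from Advoqt): it parses CSV output in the shape produced by the Autoruns command-line tool (`autorunsc -c -h`), flags entries that are unsigned or new since a per-host baseline, and turns them into one JSON event per line for forwarding to the SIEM. The column names, the baseline set and the sample rows are constructed assumptions, not data from the page.

```python
import csv
import io
import json

# Constructed sample resembling `autorunsc -c -h` CSV output; column names and
# hashes are assumptions for this example, not values taken from a real host.
SAMPLE_CSV = r"""Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,SHA-256
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,aaaa1111
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,CORP\jdoe,,(Not verified),,c:\users\jdoe\appdata\roaming\updater.exe,bbbb2222
HKLM\SYSTEM\CurrentControlSet\Services,VendorAgent,enabled,Services,System-wide,Vendor agent,(Verified) Example Vendor Inc,Example Vendor,c:\program files\vendor\agent.exe,cccc3333
"""

# Baseline of previously reviewed autostart entries for this host (constructed).
BASELINE = {
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth", "aaaa1111"),
}

def parse_autoruns_csv(text):
    """Parse autorunsc CSV text into a list of dict rows keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def entry_key(row):
    # Location + entry name + file hash: a changed binary under the same name is "new".
    return (row["Entry Location"], row["Entry"], row["SHA-256"])

def build_events(rows, baseline, host):
    """Return SIEM events for entries that are unsigned or not in the baseline."""
    events = []
    for row in rows:
        new = entry_key(row) not in baseline
        unsigned = not row["Signer"].startswith("(Verified)")
        if not (new or unsigned):
            continue  # known, signed entry: nothing to report
        events.append({
            "host": host, "source": "autorunsc",
            "entry_location": row["Entry Location"], "entry": row["Entry"],
            "image_path": row["Image Path"], "signer": row["Signer"],
            "sha256": row["SHA-256"], "new_since_baseline": new, "unsigned": unsigned,
            # Unsigned *and* never seen before is the combination worth paging on.
            "severity": "high" if (new and unsigned) else "medium",
        })
    return events

def to_json_lines(events):
    """One JSON object per line, ready for a syslog or HTTP forwarder."""
    return [json.dumps(e, sort_keys=True) for e in events]

if __name__ == "__main__":
    for line in to_json_lines(build_events(parse_autoruns_csv(SAMPLE_CSV), BASELINE, "ws01")):
        print(line)
```

Running it under a scheduled task on each endpoint and updating the baseline after review turns the Autoruns data into a steady stream of only the entries that changed, which keeps both storage and analyst time low.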
Another reason you may need to add more log sources is compliance. In those cases, it is very important to build dashboards that show where the gap is and which logs you are missing. When possible, we also suggest hiring security experts with malware research expertise who can deploy advanced mechanisms to detect malware.
Such an alignment is an ongoing process that will pay off in the medium and long term. But we're just scratching the surface: there are EIGHT more aspects to consider as you work towards implementing a fool-proof SIEM system. That is why we recently released our SIEM Best Practices White Paper to help you set up or revise your SIEM system. Click here to access your free copy.
Solutions for a fast-paced, large enterprise may need tailored consultation and adaptation beyond what a white paper can convey. We invite you to get in touch with us to learn how we can help maximize the benefits of your security efforts.