The SIEM-ple way to spot a data breach as it’s happening


Last July, the Office of Personnel Management announced it had discovered a huge data breach: The background check records of current, former, and prospective federal employees and contractors were stolen, including 21.5 million Social Security numbers. Like many security breaches, this one could have been averted with the right tools in place.

In its 2012 Data Breach Investigations Report, Verizon found that 84 percent of organizations that suffered a security breach the previous year had evidence of that breach in their logs. Every action your employees — or nefarious outsiders — take generates a kernel of information, which can become evidence of unusual behavior, or a trail of crumbs to follow after an attack to see how it was carried out.

But with so many logs and so much information to sift through, most organizations don’t tap the information these logs contain.


If, however, you string together multiple logs and automate log monitoring, you can paint a full picture of what happened in an IT environment. Access to logs isn’t enough – organizations must connect the dots to prevent breaches or stop them in their tracks. Here’s how organizations can do just that with log correlation.

How to connect the dots

Everything (firewalls, endpoint devices, Internet of Things widgets, applications, etc.) in an IT environment generates logs, but usually articulates that information differently. If you’ve ever tried to analyze those logs, you know it’s time-consuming and costly. Not to mention that logs from a single technology fail to paint the entire picture of what’s happening in an IT environment.

But another strategy is log correlation, pulling data from each source to spot connections and anomalies, a process made simpler and more efficient with Security Information and Event Management (SIEM) tools.

SIEM solutions automatically gather logs so IT can monitor activity through a single pane of glass, where they’re grouped to offer more context. Some organizations use log data to analyze performance; the auto racing team Schmidt Peterson Motorsports used Splunk’s SIEM to gather, crunch, and analyze real-time data from three cars competing in this year’s Indianapolis 500. But the security applications are just as intriguing.

Instead of just showing the most basic information (“User1 logged onto workstation”), a SIEM system provides more detail (“User1 from marketing logged on successfully at a workstation in human resources.”) With that additional information, IT can investigate why a user from marketing is using a human resources workstation and what the user did while signed in.

Raising red flags

These tools are also designed to spot patterns or inconsistencies. SIEM programs warn IT if unusual activity (as defined by rules and policies) is recognized in the logs. For example, a simple sign-in notification – User A has logged into a workstation at your London office – might seem normal. But 10 minutes prior to that, the same user profile also logged into a workstation in New York City. Seeing these two conflicting logs, the system would raise a red flag and notify an IT manager.

If you have proper policies and rules in place, a SIEM will learn the baseline activities for your organization, allowing it to quickly spot anomalies. These tools help prevent data breaches and other attacks by alerting IT once an inconsistency is identified. IT can use log correlation tools to pinpoint how and where a security breach started, too, and fix the weakness in the future.

Another part of a log correlation strategy is initiating at least one method of alerting IT to a situation. Different events require different notifications, so organizations may opt for alerts via email, RSS feed, or even a custom script, depending on the event.

Here’s an example of what the entire process looks like: Every time User B logs onto a workstation in accounting, large amounts of information are copied onto a thumb drive. Because the SIEM recognizes that copying those types of files to a removable device isn’t normal, it warns IT about this suspicious behavior and the organization can take corrective action, if necessary.
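To make the three situations above concrete (the enriched logon message, the two logons from different cities minutes apart, and User B's large copy to a thumb drive), here is a small log-correlation pass written as an added illustration for this post. It is not code from SHI, Splunk or any SIEM product, and it is not how any particular product implements correlation. The log lines, the workstation inventory, the user directory, the log formats and the `usbmon` agent are all constructed for the example, and the 60-minute travel window and the 1 GB copy threshold are assumed values that a real deployment would tune to its own policies.

```python
"""Toy log-correlation pass: normalize logs from two sources, enrich them with
context, then apply three rules. All data below is constructed for the example."""
import re
from datetime import datetime, timedelta

# Constructed sample logs in two deliberately different formats.
RAW_LOGS = [
    # Format A: key=value records, as a directory service might emit logons
    "ts=2016-06-01T09:00:00 event=logon user=userA host=nyc-ws-12 result=success",
    "ts=2016-06-01T09:10:00 event=logon user=userA host=lon-ws-03 result=success",
    "ts=2016-06-01T09:20:00 event=logon user=userB host=acct-ws-07 result=success",
    "ts=2016-06-01T09:25:00 event=logon user=userC host=hr-ws-01 result=success",
    # Format B: syslog-style lines from a hypothetical endpoint agent called "usbmon"
    "2016-06-01T09:22:30 acct-ws-07 usbmon: user=userB copied 2150000000 bytes to removable drive E:",
    "2016-06-01T09:26:00 hr-ws-01 usbmon: user=userC copied 12000 bytes to removable drive E:",
]

# Constructed enrichment data: where each workstation sits and which team owns it / each user.
HOST_INVENTORY = {
    "nyc-ws-12": {"site": "New York City", "department": "Sales"},
    "lon-ws-03": {"site": "London", "department": "Sales"},
    "acct-ws-07": {"site": "New York City", "department": "Accounting"},
    "hr-ws-01": {"site": "New York City", "department": "Human Resources"},
}
USER_DIRECTORY = {"userA": "Sales", "userB": "Accounting", "userC": "Marketing"}

KV_RE = re.compile(r"^ts=(\S+) event=(\w+) user=(\w+) host=(\S+) result=(\w+)$")
USB_RE = re.compile(r"^(\S+) (\S+) usbmon: user=(\w+) copied (\d+) bytes to removable drive")


def normalize(line):
    """Map one raw line onto a common schema; return None for lines we cannot parse."""
    m = KV_RE.match(line)
    if m:
        ts, event, user, host, result = m.groups()
        return {"ts": datetime.fromisoformat(ts), "event": event, "user": user,
                "host": host, "result": result, "bytes": 0}
    m = USB_RE.match(line)
    if m:
        ts, host, user, nbytes = m.groups()
        return {"ts": datetime.fromisoformat(ts), "event": "usb_copy", "user": user,
                "host": host, "result": "success", "bytes": int(nbytes)}
    return None


def enrich(rec):
    """Attach site and department so an alert says more than 'User1 logged onto workstation'."""
    inv = HOST_INVENTORY.get(rec["host"], {})
    rec["site"] = inv.get("site", "unknown")
    rec["host_department"] = inv.get("department", "unknown")
    rec["user_department"] = USER_DIRECTORY.get(rec["user"], "unknown")
    return rec


def correlate(records, travel_window=timedelta(minutes=60), usb_limit=1_000_000_000):
    """Apply three rules across all sources and return the alerts they raise."""
    alerts = []
    records = sorted(records, key=lambda r: r["ts"])
    logons = [r for r in records if r["event"] == "logon" and r["result"] == "success"]
    # Rule 1: a user signing on to a workstation owned by a department other than their own.
    for rec in logons:
        if rec["user_department"] != rec["host_department"]:
            alerts.append({"rule": "cross_department_logon", "user": rec["user"],
                           "host": rec["host"], "user_department": rec["user_department"],
                           "host_department": rec["host_department"]})
    # Rule 2: the same account logging on at two different sites within the travel window.
    for i, a in enumerate(logons):
        for b in logons[i + 1:]:
            if b["user"] == a["user"] and b["site"] != a["site"] and b["ts"] - a["ts"] <= travel_window:
                gap = int((b["ts"] - a["ts"]).total_seconds() // 60)
                alerts.append({"rule": "impossible_travel", "user": a["user"],
                               "sites": (a["site"], b["site"]), "minutes": gap})
    # Rule 3: a large copy to removable media, joined to the logon that preceded it on that host.
    for rec in records:
        if rec["event"] == "usb_copy" and rec["bytes"] >= usb_limit:
            prior = [lg for lg in logons if lg["user"] == rec["user"]
                     and lg["host"] == rec["host"] and lg["ts"] <= rec["ts"]]
            alerts.append({"rule": "large_removable_copy", "user": rec["user"], "host": rec["host"],
                           "department": rec["host_department"], "bytes": rec["bytes"],
                           "logon_seen": bool(prior)})
    return alerts


def run(lines=RAW_LOGS):
    """Normalize, enrich and correlate a batch of raw lines; unparsable lines are dropped."""
    records = [enrich(r) for r in map(normalize, lines) if r is not None]
    return correlate(records)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Run as-is, the pass raises exactly three alerts: userC from Marketing signing on to a Human Resources workstation, userA appearing in New York City and London ten minutes apart, and userB's 2.15 GB copy to a removable drive on an Accounting workstation, tagged with the fact that a matching logon preceded it. Neither source on its own would have produced the second or third alert; the join across sources is the point of correlation. Each rule is a separate loop so that thresholds and windows can be tuned independently of parsing.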

Everything produces logs – but what are you doing with them?

Many organizations use SIEM tools to get deeper insights into their security, but there’s also value in understanding the effectiveness of marketing and customer interactions.

Log correlation tools and SIEMs sort through the noise and provide a realistic understanding of what’s happening in an IT environment through a single interface. These programs give you time back to tackle other pressing IT issues. If a problem is found, no worries – the system will tell you.

To learn more about log correlation and SIEM solutions, contact your SHI account executive.
