Cloud scale correlation and investigation with Cloud SIEM

Virtually every organization is a victim of cybercrime today. As the threat landscape evolves and proliferates, it’s necessary to prioritize the protection of data, customers’ privacy and brand reputation. Security directors must be prepared and equipped with the necessary tools to detect security events and address them accordingly at all times. This cannot be achieved without security investigation and correlation, and with the latest technologies, these can be performed at cloud-scale with ease.

In this article, we will learn:

• What is SIEM investigation?
• What is SIEM correlation?
• What are the limitations of both tasks?
• How does Sumo Logic's Cloud SIEM rectify all the challenges stemming from investigation and correlation?

What is security investigation in SIEM all about?

Security investigation is a core function of security defense and it aims to identify threats and determine the nature and scope of security issues. It covers events - suspected intrusion events, in particular - to indicate what happened and how to act upon it quickly.

For security analysts, security investigation means analyzing massive amounts of data and patterns of behavior and making informed decisions based on the evidence they find. Typical methods of discovering a threat include rule-based algorithms, dashboard activity, obvious damage and threat intelligence.

There are two main points of focus in the investigation:

1. Grouping common events for analysis.
2. Understanding the attack by gathering information about the full context of the potential attack.

The process is oriented at answering the following five Who-What-Where-When-Why questions:

• Who is the attacker?
• What did they try to accomplish?
• Where did they attack?
• When did they make the attempt?
• Why did they attempt the attack?

Answering these questions should lead analysts to an informed decision on actions required to remediate the attack and eliminate further threats.

What is the correlation in SIEM all about?

Correlation is one of the key components of any SIEM tool. It helps to decide what to pay attention to in an avalanche of highlighted threats. SIEM absorbs vast amounts of data from your entire digital environment and compares sequences of activities against predefined rules to identify possible issues; that’s correlation. The rules may be predefined by your SIEM vendor or be custom modified as needed.

If your SIEM tool has appropriate rules in place, it will able to identify a potential threat from a series of failed log-in attempts. Most SIEM products available on the market come with pre-defined correlation rules. It is recommended to sift through them and decide which ones will be useful for your business and create new rules as needed.

You should also be aware that if you implement too many rules, you may end up with a significant amount of false positives, so it’s important to strike the right balance.

What are the challenges of SIEM investigation?

In many cases, less than 10% of high priority threats are fully investigated because threat investigation in SIEM is extremely challenging. Here are the limitations security directors will have to address, and what security directors will need to tackle:

1. Siloed investigation workflows
   The data needed to pursue an investigation is often split between two groups: security analysts, who understand the process of investigation and the broad context; and IT ops, who understand the essential specific context needed to interpret and hypothesize at different steps in a security investigation. This gap in understanding makes real-time collaboration difficult to achieve, though it is essential. In any case, it’s necessary to prevent exploding backlogs, partial investigations, and bias toward more solvable on-prem alerts, as these are likely to occur.
2. Infrastructure vs. Application Insight security bias
   To maximize security, cloud providers have taken on some of the infrastructure defense previously done by individual companies and created targets that were harder to reach for the attackers, which led them to look for softer targets. At the same time, much of the traditional infrastructure defense from the on-prem world has not yet been replicated in the cloud, so often, application layer assessment is the only investigation method available. That’s why it’s necessary and good for cloud deployments to add insight from the application layer, but integrating this insight quickly with infrastructure insight is better. In the cloud world the application layer “nice to have” becomes a “must have.”
3. Investigation Times Measured in 10s of Minutes and Hours
   Many SOCs operating in traditional environments face a breaking point with growing backlogs of investigations and reactive prioritization. Achieving investigation times in minutes to keep pace in the cloud requires breakthrough innovation in getting rapid insight from vast data sets. In addition, dynamic and transient data, entities, and nomenclature make the traditionally straightforward workflows extremely challenging in the cloud. Finally, the collaboration will require new models of distributed knowledge transfer since investigation workflows will be shared across both security and IT ops.

What are the limitations of SIEM correlation?

If you implement too many correlation rules, you will likely end up with a significant number of false positives, just like with any other monitoring algorithm. You don’t want to waste the efforts of your security administrators on nonexistent threats, so it’s important to strike the right balance. Bear in mind, however, that even if your SIEM is working properly, you will have some false positives generated anyway.

Achieving this balance is a challenge in itself because you will have to decide which pre-configured correlation rules are not applicable to your environment and which rules you will have to configure by yourself. If these are not applied properly, you will end up with an overall slow and inefficient SIEM system.

How to remedy the investigation challenges with cloud SIEM?

We’ve established that to investigate threats effectively, data must be analyzed in real-time and in unified workflows. Unlike other analytics solutions, Sumo Logic makes it quick and easy to get started with advanced analytics that unify logs and metrics data. Our solution helps make sense of petabytes of data (unstructured, semi-structured or structured) by using statistical, index, filtering and machine learning techniques. The cloud-native platform analyzes logs and metrics on a large scale to drive actionable insights in real-time, which allows you to isolate problems quickly with outlier detection and machine learning algorithms.

How cloud SIEM removes the correlation challenges?

The Sumo Logic SIEM solution offers cloud scale correlation based on rules for known threats and subquery-based correlation for new threats that emerge. This means the solution allows you to identify users with compromised credentials, understand the extent of a compromise, identify an attacker and automate the response going forward; all of these are easy to track via the app dashboard.

In the example below we look at the Alert Center Investigations dashboard in our integration with the G Suite App:

By filtering out all activities performed by the compromised user, the dashboard will display (among others):

• Various G Suite applications used by the compromised user (look at the G Suite Apps Accessed by Compromised Users panel)
• The activities they performed in the G Suite Activity (see Users with Compromised Credentials panel)

There are more functionalities of this integration; to find out more about them, please refer to this post.

Another useful functionality of our platform is the sub-query. These can be instrumental in preventing future attack scenarios. Sumo Logic sub-queries can be used to develop a search to automatically correlate alerts with user activity on other data sources such as Salesforce.com; see the example below.

You are now ready to convert this search to a scheduled search to automate the creation of an incident in your incident response tool.

Once you’ve identified the user and the extent of their activity after the compromise, you can then investigate how this user could have been compromised in the first place.

Key takeaways:

• Implement security investigation to identify threats and determine the nature and scope of security issues
• Implement appropriate correlation rules to decide which highlighted threats need to be taken care of immediately
• Analytics and workflow need to be unified to enable the seamless collaboration required for effective investigation
• Add insights from your application layer
• Achieve the shortest possible investigation time to keep pace in the cloud
• With Sumo Logic, you can quickly correlate and contextualize logs and time-series metrics on a cloud scale for better visualization and faster root cause analysis