SIEM Plus correlation = security?


Whether working from a SANS 20 Security Best Practices approach or working with a SOX Compliance Auditor or QSA for PCI Compliance, you are implementing a logging solution.

Keeping an audit trail on key security events is the only way to understand what ‘regular’ surgery looks like. Why is this important? Because it is only when you are clear that you can begin to identify irregular and unusual activity that may be indicative of a security breach. Better yet, once you get the picture of what things should be like when everything is normal and safe, an intelligent log analysis system, aka SIM or SIEM, can automatically assess events, event volumes and patterns to intelligently judge on your behalf if potentially something fishy is going on.

Security threat or potential security event? Only with event correlation!

The promise of SIEM systems is that once you install one of these systems, you can continue with your day job, and if a security incident occurs, it will tell you about it and what to do to take care of it .

The latest ‘must have’ feature set is coherent, but this has to be one of the most widely used and abused technology concepts ever!

The concept is straightforward: isolated events that are potential security events (for example, ‘IPS Intrusion Detected event’) are noteworthy but not as critical as seeing a number of events all correlated with the same session, e.g. An IPS Alert, followed by unsuccessful login, followed by a successful admin login.

In reality, these advanced, true correlation rules are rarely as effective. Unless you are in a very active security situation bridge, with a company made up of thousands of devices, standard single event / single alarm operation should work well enough for you.

For example. In the scenario above, it should be the case that you do NOT have many burglar alarms from your IPS (if you do, you should really look at your firewall and IPS defenses as they do not provide adequate protection). Likewise, if you get unsuccessful login from external users to critical devices, spend your time and effort on better network design and firewall configuration instead of experimenting with ‘smart, smart’ correlation rules. It is the KISS * principle used to manage security events.

As such, when you get one of the critical alerts from IPS, this should be enough to initiate an emergency investigation, rather than wait until you see if the intruder is successful in forcing a logon to one of the Your hosts (making it too late to leave!)

Correlation rules are perfect – but the system has already been hacked …

In fact, you need to consider this last point further, as this is where certainty for best practices differs sharply from the pitch of SIEM product managers. Everyone knows that prevention is better than cure, so why is there so much hype around the need for correlated SIEM events? Of course, should the focus be on protecting our information assets rather than implementing an expensive and complicated device that may or may not sound an alarm when systems are under attack?

Security Best practices tell you that you need to implement – thoroughly – the basics. The easiest and most accessible security best practice is to harden systems and then operate a robust change management process.

By eliminating known vulnerabilities from your systems (primarily configuration-based vulnerabilities, but of course software-related security vulnerabilities also via patch), you provide a basic, well-protected system. Also add other defense measures, such as antivirus (deficient as a comprehensive defense system, but still useful against mainstream malware threat), firewall with IPS, and of course everything supported by real-time monitoring and file integrity logging, so if infiltration takes place, you will immediately become aware to it.


Modern SIEM solutions provide much promise as the intelligent security defense system. However, the experience and evidence of an ever-increasing number of successful security breaches tells us that there will never be a ‘silver bullet’ in defense of our IT infrastructure. Of course, tools and automation can help, but true security of systems only comes from operating best practices with security with the necessary attention and discipline to expect the unexpected.

* KISS – Keep It Super Simple