SIEM packages collect system log messages and also generate their own live traffic metrics to look for signs of malicious activity.
A next-gen SIEM looks beyond the protected network for additional information. These extra information sources pool attack information from many networks.
The idea of pulling in threat information from external sources is a typical technique used in next-gen antivirus systems. It uses the experiences of other computer systems to identify common attack vectors.
A hacker team discovers a new trick to get into a network, to move around a system undetected, to break authentication systems, or to damage or steal data. Once that new technique has been proven, that team will implement the new strategy over and over again against many targets. They might also share this method with other hackers, or other hacker teams might hear that such a technique exists and work it out for themselves.
Because of the many new methods of attack that keep being invented, antivirus systems needed to be updated on a daily basis. As AVs became more advanced, hackers found ways to use existing, legitimate software and services to break into systems and move around undetected. Thus, Intrusion Detection Systems (IDSs) and SIEM services were invented to block malicious activity rather than specific pieces of malware.
One problem with AVs, IDSs, and SIEMs is that they need to know what to look for. The technicians of a cybersecurity service work quickly to identify a new attack and propagate its identifiers to installations of their service. However, their work is never fast enough. Brand new attacks, called “zero-day” attacks, can cause damage or gain access to a lot of systems while that process of discovery and remediation is going on.
Next-Gen threat intelligence
The “next-gen” concept, whether applied to AVs or SIEM services, is an attempt to cut out the middle man. Users of security systems can alert each other to the presence of a new attack. However, the mechanism for sharing attack information needs to be automated.
A big problem with AV database updates in the past was that users didn’t stay constantly connected to the internet and preferred to trigger updates manually. This opened up the possibility of some installations becoming out-of-date very quickly and left systems vulnerable to attack. Next-Gen SIEM systems stay connected to the internet all of the time so that they can receive attack signature updates without the need for manual intervention.
The Next-Gen system is a peer-to-peer operation. Just like with file-sharing systems, the SIEM package acts as an information network client. It is like there is a built-in uTorrent client in there. The information-sharing system is often called a “threat intelligence feed.” The client for this information-sharing network is able to both read in new updates and post information for others to access.
Not only does this threat intelligence system remove the need for a central lab to formulate threat signatures, but it also takes the system administrator out of the process.
The threat intelligence manager within the SIEM follows a common reporting format. Once a new attack strategy is detected within the SIEM, the threat intelligence client formats this information and uploads it to the information exchange. All other SIEM systems in the world that subscribe to the same threat intelligence feed regularly poll the data source for new posts and then download them.
Through the peer-to-peer threat intelligence model, SIEM systems can get warnings of new attacks almost as soon as a hacker team tries out its method for the first time. This has a double benefit. First of all, the number of systems that a zero-day attack can actually damage is drastically reduced. A secondary benefit of this system is that it cuts down the opportunities for hacker teams to recover the cost of developing a new attack vector. Thus, as next-gen systems become more common, hacking becomes less profitable.
Although there are a number of bored teenagers in the world that try to break into IT systems just for fun, the most damage that is caused to IT security is from professional teams of hackers who make a good living out of the business. Removing their profitability reduces the incentives for hacking and cuts the amount of time and money that can be spent developing new hacking strategies.
Anomaly detection
The common pool of threat intelligence is the mediating system that makes next-gen SIEM systems so effective. However, that rapid distribution of information wouldn’t be much use if the subscribing cybersecurity packages weren’t able to spot unexpected attack strategies.
Anomaly detection is a key source of new information for threat intelligence feeds. Although the information on what behavior to look out for helps SIEM systems react rapidly to new attacks, it isn’t the only method these systems use to block malicious activity.
Next-gen SIEM services use a system of activity tracking that is based on machine learning – a strategy that was developed for Artificial Intelligence. This tracks all activity on a network and on endpoints over time. It looks for regular patterns in behavior and creates a baseline from that pattern.
When a user account suddenly performs actions that differ from the normal activity expected from that user group, the SIEM system pays closer attention. This is a method called “triage.” It cuts down the amount of processing that a SIEM system needs to do. Special routines only kick in once a candidate for surveillance is identified by the anomaly detection systems that look for deviations from the baseline of normal activity.
As the investigation deepens, suspicious patterns of behavior can then be checked against the intelligence feed. Further anomalies cause that pattern of activity to be uploaded to the threat intelligence system. Thus, many implementations of the same SIEM system will start to research that activity even before it is proven to be caused by an intruder or new malware.
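As an added illustration (not code from the original article or from any SIEM vendor), the following builds a per-user activity baseline from a few constructed log events, scores later events against it, and hands only the accounts whose deviation crosses a threshold to deeper tracking, which is the triage step described above. The event tuples, score weights and threshold are assumptions for the example.

```python
from collections import Counter, defaultdict

# Constructed baseline period: (user, hour_of_day, action) tuples standing in for parsed log events.
BASELINE_EVENTS = [
    ("alice", 9, "login"), ("alice", 9, "read_file"), ("alice", 10, "read_file"),
    ("alice", 11, "read_file"), ("alice", 14, "send_mail"), ("alice", 17, "logout"),
    ("bob", 8, "login"), ("bob", 9, "run_report"), ("bob", 12, "read_file"),
    ("bob", 16, "logout"),
]

def build_baseline(events):
    """Per-user profile of what is normal: the actions seen and the hours of activity."""
    profile = defaultdict(lambda: {"actions": Counter(), "hours": set()})
    for user, hour, action in events:
        profile[user]["actions"][action] += 1
        profile[user]["hours"].add(hour)
    return profile

def anomaly_score(profile, user, hour, action):
    """Score one new event against the user's baseline: 0 means already normal,
    higher means more unusual. The weights are assumptions for this example."""
    p = profile.get(user)
    if p is None:
        return 3            # an account with no baseline at all is the most unusual case
    score = 0
    if action not in p["actions"]:
        score += 2          # an action this user has never performed before
    if hour not in p["hours"]:
        score += 1          # activity outside this user's normal hours
    return score

def triage(profile, new_events, threshold=2):
    """Return {user: total score} for accounts whose deviation crosses the threshold.
    Only those accounts are handed to the deeper, more expensive tracking routines."""
    totals = Counter()
    for user, hour, action in new_events:
        totals[user] += anomaly_score(profile, user, hour, action)
    return {u: s for u, s in totals.items() if s >= threshold}

# Constructed events from a later window: alice exports a database at 03:00, bob behaves as usual.
NEW_EVENTS = [("alice", 10, "read_file"), ("alice", 3, "export_db"), ("bob", 9, "run_report")]
```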
Threat intelligence data sources
Cybersecurity systems producers run their own threat intelligence networks, which are simply common data stores for all threat information gathered by each implementation. Many vendors make their threat intelligence pools available to non-customers as well. There are vendor-neutral threat intelligence systems as well. Some cyber threat intelligence (CTI) systems are open-source and free to access, while others are only available to those who pay a subscription.
In all probability, when you buy or subscribe to a next-gen SIEM, the decision of which CTI feeds the service will take has already been made for you. The supplier of your SIEM will probably already run an in-house CTI for information sharing among customers. These services might also include access to some open-source CTIs.
There are two widely used data exchange formats for CTI systems:
- Collective Intelligence Framework
- Structured Threat Information Expression
If a cybersecurity firm creates its intelligence feed along with one of these standards, many other systems will be able to receive data from the information pool.
Collective Intelligence Framework
The Collective Intelligence Framework (CIF) is an open-source formatting and management system for threat intelligence feeds. It assigns a type to each notification, such as Botnet, Phishing, or Malware, and it also has a Confidence factor field, which is a number up to 100, with 75 to 84 indicating “reliable” and 85 to 94 indicating “very reliable.”
You can learn more about this system at its home on the CSIRT Gadgets website.
Structured Threat Information Expression
Structured Threat Information Expression (STIX CTI) is another free, open-source system for managing threat intelligence pools. This system has its own message communication and storage protocol. This system is a little more complicated than CIF because it is structured as objects that gain meaning through connections. Rather than a single record format, the STIX database contains a number of TTP objects. TTP stands for “tactics, techniques, and procedures.”
In order to process a threat intelligence notification, you would need to load in a TTP object, such as Malware, and that brings through all of the linked objects, such as “Indicator” or “Course of Action.” Each object contains further information.
You can learn more about the STIX project on its GitHub page.
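A small illustration of that linked-object lookup, added here as an example (it is not part of the original article or of the STIX project's own tooling): it assumes a simplified bundle in the STIX 2 JSON shape, with constructed ids, names and pattern and with the required timestamp fields omitted, and starts from a Malware object to bring through the Indicator and Course of Action connected to it.

```python
import json

# Constructed sample bundle in the STIX 2 JSON shape; every id, name and pattern is a placeholder.
SAMPLE_BUNDLE = json.loads("""
{"type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111",
 "objects": [
  {"type": "malware", "id": "malware--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
   "name": "ExampleLoader", "is_family": false},
  {"type": "indicator", "id": "indicator--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb",
   "name": "ExampleLoader dropper hash", "pattern_type": "stix",
   "pattern": "[file:hashes.'SHA-256' = 'PLACEHOLDER_HASH']"},
  {"type": "course-of-action", "id": "course-of-action--cccccccc-cccc-4ccc-8ccc-cccccccccccc",
   "name": "Block the dropper hash on endpoints"},
  {"type": "relationship", "id": "relationship--dddddddd-dddd-4ddd-8ddd-dddddddddddd",
   "relationship_type": "indicates",
   "source_ref": "indicator--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb",
   "target_ref": "malware--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"},
  {"type": "relationship", "id": "relationship--eeeeeeee-eeee-4eee-8eee-eeeeeeeeeeee",
   "relationship_type": "mitigates",
   "source_ref": "course-of-action--cccccccc-cccc-4ccc-8ccc-cccccccccccc",
   "target_ref": "malware--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"}
 ]}
""")

MALWARE_ID = "malware--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"

def index_bundle(bundle):
    """Map each object id to its object and pull out the relationship objects that link them."""
    objects = {o["id"]: o for o in bundle["objects"]}
    rels = [o for o in bundle["objects"] if o["type"] == "relationship"]
    return objects, rels

def linked_objects(bundle, start_id):
    """From one object (e.g. a Malware TTP) bring through every directly linked object,
    following relationships in both directions. Returns {relationship_type: [names]}."""
    objects, rels = index_bundle(bundle)
    found = {}
    for r in rels:
        if r["source_ref"] == start_id:
            other = r["target_ref"]
        elif r["target_ref"] == start_id:
            other = r["source_ref"]
        else:
            continue
        if other in objects:  # a dangling reference is skipped rather than crashing the loader
            found.setdefault(r["relationship_type"], []).append(objects[other]["name"])
    return found
```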
Next-gen SIEM use cases
In SIEM, a use case is a specification of technical rules. It is a set of events that, if detected in combination, will trigger an alert or some other action. The list of actions to implement also forms part of the use case. In other words, it is a number of things to look out for.
The triggering events in a use case don’t necessarily need to occur in a specific order. The next-gen SIEM will be shipped with a number of use cases to get it started. However, the point of the “next-gen” part of these systems is that they adapt to evolving events. Thus, they are able to build new use cases from information that is pulled in from the threat intelligence feed.
Use cases can be slanted according to specific security goals. For example, if the business needs to comply with specific security standards, such as HIPAA or PCI DSS, the emphasis of the threat detection system will need to have event detection rules around a particular type of data, which is held in specific locations.
The concept of “triage” is expressed in the use cases of the next-gen SIEM. For example, if the SIEM detection system is working with a specific use case that contains four different events, the detection of one of those four will cause the SIEM tool to gather deeper intel on the actions of the user account that performed that action, looking for signs of the other three linked events.
In the above example, deeper tracking of an account is an action in the use case. The use case might specify a lower-level alert to notify operators if just one or two linked actions are detected. The combination of all events in the use case occurring can be set to trip an automated action, such as locking an account or instructing the network firewall to block all access from a specific IP address. In all cases, the staged encounter of elements in a use case will be logged.
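The staged escalation described above, as an added example (not code from the original article or from any SIEM product): a constructed four-event use case in which one matched event triggers deeper tracking of the account, two trigger a low-level alert, and all four trigger an automated action, with every step logged. Event names, stage thresholds and action names are assumptions.

```python
from collections import defaultdict

# Constructed use case: four linked events whose combination suggests an account takeover.
# Events may arrive in any order; the stages model the reaction levels described in the text.
USE_CASE = {
    "name": "suspected account takeover",
    "events": {"login_new_geo", "mfa_reset", "mass_file_download", "new_forwarding_rule"},
    # (number of distinct linked events matched, action to take), checked from highest to lowest
    "stages": [(4, "lock_account"), (2, "low_level_alert"), (1, "deep_track_account")],
}

class UseCaseTracker:
    """Tracks, per account, which of a use case's linked events have been observed so far."""

    def __init__(self, use_case):
        self.uc = use_case
        self.matched = defaultdict(set)   # account -> set of linked events seen so far
        self.log = []                     # every staged encounter is recorded here

    def stage_for(self, account):
        """Highest stage whose event count this account has reached, or None."""
        n = len(self.matched[account])
        for needed, action in self.uc["stages"]:
            if n >= needed:
                return action
        return None

    def ingest(self, account, event):
        """Feed one event; return the action the use case triggers for that account, or None."""
        if event not in self.uc["events"]:
            return None                   # unrelated event, nothing for this use case to do
        if event in self.matched[account]:
            return None                   # repeat of an already-matched event adds no new evidence
        self.matched[account].add(event)
        action = self.stage_for(account)
        self.log.append((account, event, len(self.matched[account]), action))
        return action

def run_use_case(events, use_case=USE_CASE):
    """Replay a constructed (account, event) stream; return the final action per account and the log."""
    tracker = UseCaseTracker(use_case)
    for account, event in events:
        tracker.ingest(account, event)
    return {a: tracker.stage_for(a) for a in tracker.matched}, tracker.log

# Constructed event stream: carol matches all four linked events, dave matches only one.
SAMPLE_STREAM = [("carol", "login_new_geo"), ("carol", "mfa_reset"), ("dave", "mass_file_download"),
                 ("carol", "mfa_reset"), ("carol", "new_forwarding_rule"),
                 ("carol", "mass_file_download"), ("dave", "password_change")]
```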
Pros & cons of next-gen SIEM
Apart from the pros and cons of using a SIEM system, there are specific advantages and disadvantages to next-gen SIEMs.
Next-Gen SIEM Pros
- Fewer false-positive alarms due to machine-learning adjusting normal activity baselines
- Faster communication between threat intelligence feed subscribers of new attack vectors
- The integration and collaboration with existing protection systems, such as firewalls and access rights management systems for threat mitigation
- Faster detection of potential threats through the use of heuristics that identify partial matches to known threats
- Less data processing, thanks to staged reaction levels that move from normal activity tracking, through suspicion, to focused tracking
Next-Gen SIEM Cons
- The loss of the internet connection reduces the effectiveness of the SIEM system, which creates a point of weakness
- The system is autonomous and is, therefore, difficult to understand or manage
- The next-gen SIEM service is difficult to benchmark – is your SIEM working well or have you just not been subjected to many attack attempts?
- The dependency on a remote threat intelligence feed creates a vulnerability – if hackers can manipulate the feed source, many dependent systems could be attacked
Implementing next-gen SIEM
More than any other cybersecurity system, next-gen SIEMs are interdependent packages of many specialist modules. These services are highly automated and very autonomous. This means that the quality of the service is very important, particularly the quality of the associated threat intelligence feed. You can read our recommendations on excellent next-gen SIEMs to consider in the Best Next-Gen SIEMs.