Tuesday 4 December 2018

SIEM 3.0

Technology is evolving, and evolving fast: processor and computation speeds keep increasing, and cloud and mobile devices have made data available anywhere. IaaS, PaaS and SaaS have brought integration of data across different applications and platforms, along with new security challenges. IIoT, OT and IoT further bring high velocity, variety and volume of data which, when converted into information through analysis, brings high value to companies and moves them toward digitalization and Industrial Revolution 4.0. Cyber security has to evolve too, and so has the Security Operations Center.

We can no longer rely on descriptive analytics alone; we need predictive and prescriptive analytics of the security landscape.
As per Gartner, 30% of global enterprises will have been directly compromised by cybercrime by 2020.
There have been serious information security breaches in recent years, and hacking-as-a-service has further left organizations in need of more effective tools. The platform providers serving hackers already have sophisticated tools, leaving aside state-sponsored attacks. So even if your aim is merely to put up a sign that hackers are not welcome, rather than to build a sophisticated infrastructure to protect your business, the door and the lock should visibly tell the hacker that you are prepared and that they are not welcome. The hacker keeps coming with a taller ladder, and you need higher walls.
A typical organisation would have logs coming from the firewall, IPS/IDS, antivirus, email gateway, web gateway, DLP, IDAM, PAM, etc. These are real-time logs, in different formats, about internal and external threats. The incident source needs to be identified, along with its type, the consequences to be weighed, the target system, the priority of handling, and the countermeasures and mitigation with their impact. In the 13 years since Gartner began rating SIEM, there have been two evolutions of SIEM: SIEM 1.0 and SIEM 2.0.
A SIEM system is rule-based or policy-based. Rule-based systems are time-consuming, as hundreds of rules need to be kept updated, and they produce too many false positives and false negatives because of the innovative techniques hackers use. In policy-based systems, on the other hand, everything depends on timelines and on the correctness of the written policy; alternatively, they have a statistical correlation engine to establish relationships between event log entries. A typical architecture is shown below:

Credit: Designing blockchain - Natalia Miloslavskaya

There are two opposing approaches to SIEM log collection: agentless, where logs are transmitted directly to the SIEM, and agent-based, with a software agent installed on each host that generates logs.
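As an added example (not code from the post), the normalization and rule-based correlation step described above, in Python: constructed log lines from an email gateway, an IDS and a firewall, each in its own assumed format, are mapped to one common schema and chained per host, so that a quarantined phishing mail followed by a high-severity IDS alert from the same workstation is raised as a P1 incident, while a lone firewall deny is not. The log formats, the user-to-workstation inventory, the one-hour window and the priority rules are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, one format per source (assumed formats, not from the post).
RAW_LOGS = [
    "2018-12-04T09:00:05 emailgw rcpt=jdoe verdict=phish",
    "2018-12-04T09:03:10 ids src=10.1.5.17 sig='C2 beacon' severity=high",
    "2018-12-04T09:03:12 fw DENY src=10.1.5.17 dst=198.51.100.9 dport=443",
    "2018-12-04T10:40:00 fw DENY src=10.1.7.3 dst=203.0.113.5 dport=22",
]
USER_HOST = {"jdoe": "10.1.5.17"}  # assumed asset inventory: mailbox owner -> workstation
PATTERNS = {  # per-source parsers; each yields the common (ts, type, host) schema
    "emailgw": re.compile(r"^(?P<ts>\S+) emailgw rcpt=(?P<user>\S+) verdict=(?P<kind>\w+)"),
    "ids": re.compile(r"^(?P<ts>\S+) ids src=(?P<host>\S+) sig='[^']*' severity=(?P<kind>\w+)"),
    "fw": re.compile(r"^(?P<ts>\S+) fw (?P<kind>\w+) src=(?P<host>\S+) dst=\S+ dport=\d+"),
}

def normalize(line):
    """Map one raw line to {ts, source, type, host}; None for an unrecognised format."""
    for source, pat in PATTERNS.items():
        m = pat.match(line)
        if m:
            d = m.groupdict()
            host = USER_HOST.get(d.get("user"), "unknown") if source == "emailgw" else d["host"]
            return {"ts": datetime.fromisoformat(d["ts"]), "source": source,
                    "type": f"{source}_{d['kind'].lower()}", "host": host}
    return None

def correlate(lines, window=timedelta(hours=1)):
    """Chain events per host inside one window and rank the chain by what the sources agree on."""
    events = [e for e in map(normalize, lines) if e]
    incidents = []
    for host in sorted({e["host"] for e in events}):
        chain = sorted((e for e in events if e["host"] == host), key=lambda e: e["ts"])
        first = chain[0]["ts"]
        chain = [e for e in chain if e["ts"] - first <= window]  # window anchored on first event (simplification)
        types, sources = {e["type"] for e in chain}, {e["source"] for e in chain}
        if "emailgw_phish" in types and "ids_high" in types:
            priority = "P1"  # phishing delivered, then C2-like traffic from the same workstation
        elif "ids_high" in types or len(sources) >= 2:
            priority = "P2"
        else:
            continue         # a lone firewall deny is noise, not an incident
        incidents.append({"host": host, "priority": priority, "sources": sorted(sources)})
    return incidents

if __name__ == "__main__":
    for inc in correlate(RAW_LOGS):
        print(inc)
```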

SIEM 1.0 was log-centric and detected IS events through preset rules and correlation implemented on IP addresses and, less often, on ports, protocols and users. Log files lacked the detail needed to understand what was truly happening. Another drawback of SIEM 1.0 was its use of a relational database, with limitations such as a very simple structure, little semantic richness, no support for recursion or inheritance, and a lack of processing/triggers. These led to the need for a second-generation SIEM system: SIEM 2.0.

SIEM 2.0 integrates a Security Intelligence Center (SIC) with the Security Operations Center (SOC), allowing an organization to get tailored, predictive network security management. This helps companies align IS risk management with business needs and continuously monitor users and applications. It brings real-time detection and collection of event data from all sources, tracking of the complete lifecycle of IS incidents, automated generation of reports and recommendations, and the use of big data and analytics. SIC and SOC now work together, where the SIC is the brain and the SOC is the management's eyes. We now further integrate OT and IIoT data into the SIEM for security monitoring.
SIEM 3.0
Digitization, cloud, platforms and Industry 4.0 mean that data is distributed and the events taking place are distributed and scattered. This leads to four data silos: data locked in disparate security devices, applications and databases; data from endpoint products and applications (email, phone records, web-based content, digitized audio and video, GPS location, etc.); data in streams such as network traffic and website clickstreams; and data segregated by business unit and working group. On top of this come the configurations of network devices, confirmations, etc. The correlation between the various silos needs to be established, and there has to be an extraction that leads to discovering knowledge. We already know that most OT or plant attacks originated with spear phishing to enter the plant; hackers then took control of the plant HMI and SCADA systems, and remediation was further blocked by DDoS attacks. There are similar case studies concerning confidentiality of data for banks or availability for telecom companies when considering the CIA triangle of cyber security: Confidentiality, Integrity and Availability. Hence the company's historic data, along with the deep and dark web and social engineering, has to be monitored for insider threats, combined with threat intel for external attacks and threat hunting with the use of machine learning and artificial intelligence. The most important component would be blockchain, the distributed ledger that can record the various events and correlate them to formulate an incident; these would include logs from IoT, OT and IIoT devices such as CCTV cameras, access control cards, PLCs, sensors, Wi-Fi, IDAM, DLP, IPS/IDS, etc.

SIEM 3.0 is the need of the hour, and companies need to plan their roadmaps from SIEM 1.0 or SIEM 2.0 toward SIEM 3.0 to ride the benefits of digitalization and Industry 4.0 while securing their organization.
