Many of those who work with SIEM are familiar with developing correlation rules. SIEM vendors, commercial SOCs, integrators – all offer their own rules and claim that theirs are better than everyone else’s. Is that really so? How do you choose a rule provider? What is SIEM expertise? Let’s consider these questions below.
Whose correlation rules are better
As always, the conclusion contains all the key points of the article.
Any information security specialist sooner or later starts using SIEM systems or individual elements of this class of systems.
An important part of SIEM is correlation rules – the knowledge that makes it possible to identify information security incidents. They can be developed in-house, delegated to an integrator or, if you are connected to a commercial SOC, obtained from its specialists. As you can see, there are many sources of correlation rules for SIEM, so the question of choice naturally arises. This task is especially relevant if your company does not have dedicated specialists for SIEM tasks: in that case you or your colleagues have to administer several security tools at once, and SIEM on top of them.
About a month after implementing SIEM, it becomes clear that this class of solutions requires significant ongoing effort. The art of attacking information systems is constantly evolving. It takes time to track current trends, analyze them, assess their applicability to your infrastructure, and write correlation rules to detect the attacks. Specialists normally do not have enough time for this.
Faced with such problems, companies decide either to build their own SOC and hire dedicated specialists, or to find external suppliers of correlation rules. Below we discuss how to choose a supplier and whether correlation rules alone are enough for the end customer.
Expertise and its properties
By expertise we mean the set of correlation rules, expert knowledge and data that is minimally necessary for identifying and responding to incidents. Expertise is provided by a supplier (the SIEM vendor or a SOC), and the customer is its consumer.
Correlation rules can be provided by SIEM developers, MSSP providers / SOCs, integrators and the community. Everyone claims that their correlation rules are high quality. But very often the notion of quality is simply replaced by the number of available rules. Is quantity an indicator of quality? In general, this is a controversial claim. Quality expertise has the following properties:
- Accurately identifies violations in a specific customer infrastructure.
- Identifies current world-class threats, as well as threats specific to the customer’s country and industry.
- Has both a reactive and a proactive component.
- Explains to the customer how it reached its conclusion.
- Provides guidance on the next steps in responding to an identified incident.
Some of these properties impose requirements on the developer of the expertise, and some on the result of their work – the correlation rules and related materials.
Developer of expertise and their competencies
Which criteria should you use to choose a supplier? We have formulated six basic properties that characterize quality expertise. To ensure them, the rule provider must:
- Identify current world-class threats. This requires suppliers that have their own analytical centers specializing in detecting and analyzing attacks, which regularly monitor the latest attack types and approaches to violating the information security of systems.
- Identify threats specific to the customer’s country and industry. In each country, the threat landscape and the list of attack types have their own specifics. Therefore, when choosing a supplier it is important that its analytical center has a clear focus on tracking the threats inherent in the country where your company’s infrastructure is located. The center’s specialists must not only understand the specifics of threats in a particular country, but also be able to respond to them quickly. It must not happen that the supplier responds to a new regional threat a week after it appears, simply because your region is not a business priority for it.
- Have both a reactive and a proactive component. It is not enough to recruit pentesters as analysts. It is important that these experts not only understand how to break into systems, but also know how to detect hacking attempts and prevent them or stop them at an early stage. Practice shows that very little attention is paid to this: analytical centers are often staffed by experts either only in attack or only in defense, which inevitably affects the level of their expertise.
- Accurately identify violations in a specific customer infrastructure. The supplier must have a methodology for developing correlation rules that can be adapted to a specific customer’s infrastructure. This is necessary to minimize the number of false positives. A large series of articles entitled “Correlation rules that work out of the box” was devoted to this issue. It is important to remember that the supplier must build a genuinely “industrial” development process for correlation rules. This means that:
  - rules should be tested on live systems, not synthetic ones;
  - during testing, the real attack types that the tested correlation rule is meant to detect should be reproduced;
  - stress and regression tests should be performed to confirm the compatibility of the rules with the SIEM;
  - the supplier must issue updates for previously released rules if they turn out to produce a large number of false positives;
  - the SIEM and the supplier must have channels for promptly delivering updates and new correlation rules to end customers.
The set of requirements is quite broad. Unfortunately, assigning one specialist to spend 2 hours a day on developing correlation rules will not achieve the same level of quality expertise.