How SIEM correlation rules work

SIEM is a powerful security tool when implemented correctly. Network security devices such as IDS devices, IPS devices and firewalls generate a large number of logs. A well-configured SIEM will alert security administrators to what events and trends they should pay attention to. Otherwise, they will be too lost in the noise of event logging to effectively manage potential security threats to the network.

One of the key components that a well-functioning SIEM requires is practical and sensible SIEM correlation rules. Let’s learn how SIEM correlation rules work!

What is a correlation rule?

The various devices on the network constantly generate event logs that are fed into the SIEM system. A SIEM correlation rule tells the SIEM system which sequences of events could be indicative of anomalies that may suggest security weaknesses or cyber attacks. When “x” and “y” or “x” and “y” plus “z” happen, administrators should be notified.

Here are two examples of SIEM correlation rules that reflect this concept.

  • Detect new DHCP servers on the network: internal or external connections use UDP packets (“x”), have port 67 as the destination (“y”), and the destination IP address is not in the list of registered IPs (“z”).

The first example could indicate that a cyber attacker has set up a DHCP server to gain malicious access to your network. Any authorized DHCP server would use one of your registered IP addresses!

  • Warn administrators if there are five failed login attempts with different usernames from the same IP to the same machine within fifteen minutes (“x”), and that event is followed by a successful login from that same IP address to any machine within the network (“y”).

The second example could indicate that a cyber attacker brute-forces an authentication vector and then successfully authenticates on your network. This could be a possible privilege escalation attack.

Both SIEM correlation rules could be triggered by reasonable mistakes and simple user errors or technical failures. But they are also key indicators of cyberattacks and security administrators should check for them immediately.
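
The second rule, written out as a sliding-window correlation over normalized authentication events. This is an added example, not code from redborder or any SIEM product; the event field names, the sample events and the 15-minute limit on how long “followed by” stays valid are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)         # "within fifteen minutes"
THRESHOLD = 5                          # five failures, each with a different username
FOLLOW_WINDOW = timedelta(minutes=15)  # assumption: how long "followed by" stays valid

def correlate(events):
    """Alert when condition x (THRESHOLD distinct usernames failing from one IP
    against one machine inside WINDOW) is followed by y (a successful login
    from that IP to any machine)."""
    failures = defaultdict(deque)  # (src_ip, dst_host) -> recent (time, user)
    armed = {}                     # src_ip -> (time x was met, targeted host)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t, src = ev["time"], ev["src_ip"]
        if ev["outcome"] == "failure":
            recent = failures[(src, ev["dst_host"])]
            recent.append((t, ev["user"]))
            while t - recent[0][0] > WINDOW:   # slide the window forward
                recent.popleft()
            if len({user for _, user in recent}) >= THRESHOLD:
                armed[src] = (t, ev["dst_host"])
        elif ev["outcome"] == "success" and src in armed:
            met_at, target = armed.pop(src)
            if t - met_at <= FOLLOW_WINDOW:
                alerts.append({"src_ip": src, "targeted_host": target,
                               "login_host": ev["dst_host"], "user": ev["user"]})
    return alerts

def make_event(minute, src, host, user, outcome):
    """Build one constructed, already-normalized authentication event."""
    return {"time": datetime(2024, 1, 1, 9, 0) + timedelta(minutes=minute),
            "src_ip": src, "dst_host": host, "user": user, "outcome": outcome}

# Constructed sample: 203.0.113.7 fails with five usernames, then logs in elsewhere;
# 198.51.100.4 is one user mistyping a password five times before succeeding.
SAMPLE_EVENTS = (
    [make_event(i, "203.0.113.7", "srv-01", f"user{i}", "failure") for i in range(5)]
    + [make_event(6, "203.0.113.7", "srv-02", "admin", "success")]
    + [make_event(i, "198.51.100.4", "srv-01", "alice", "failure") for i in range(5)]
    + [make_event(7, "198.51.100.4", "srv-01", "alice", "success")]
)

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Requiring distinct usernames is what keeps the single user with a forgotten password from raising the alert, which is the kind of simple user error the paragraph above mentions.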

SIEM correlation in a nutshell

Properly designed SIEM correlation rules filter the irrelevant and empty content out of your network event logs to detect which event sequences are likely indications of a cyberattack. Therefore, care should be taken when developing SIEM correlation rules. A SIEM is device driven, and devices simply execute whatever instructions you give them. Users should devise practical SIEM correlation rules so that the SIEM system can alert them when there is a possible cyber attack that should be heeded.

What is standardization in SIEM?

Several different vendors of software, hardware and network components use their own event log formats. An event log will have different fields of information. A SIEM system will do its best to read the various event log formats to understand them. If you create Excel spreadsheets, imagine all the different ways someone could decide what the fields should be to organize the same data. Should IP addresses be logged in column A or column D? Should the IP address column be labeled “IP,” “IP address,” “IP addresses,” “gateway IP,” or “public IP”? Should UDP ports have one column and TCP ports have a different column, or should all UDP and TCP ports be in the same column?

Event log standardization (normalization) is an effort to convert the event log formats of different vendors and network components into a form that is as universal as possible within your network. Obviously, an antivirus event log will look very different from a firewall event log. But if the network has firewalls from more than one vendor, it is possible for their event logs to share the same format.

Event log normalization can make SIEM and its SIEM correlation rules run much more efficiently. If you can improve event log normalization, SIEM will be less likely to make mistakes or miss events that should be of concern to a security administrator.
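
To show why normalization matters for correlation, the added example below maps firewall logs from two vendors onto one schema and then applies the DHCP rule from earlier once, to both. It is not redborder's code: both vendor formats, their field names, the registered-IP list and the sample lines are constructed, and the broadcast exclusion is an added tuning step because DHCP clients send discovery packets to 255.255.255.255 on port 67.

```python
import json

REGISTERED_DHCP_SERVERS = {"10.0.0.2"}  # constructed list of registered IPs
DHCP_BROADCAST = "255.255.255.255"       # added tuning: normal client discovery target

def normalize_vendor_a(line):
    """Hypothetical vendor A: space-separated key=value pairs."""
    kv = dict(pair.split("=", 1) for pair in line.split())
    return {"protocol": kv["proto"].lower(), "src_ip": kv["src"],
            "dst_ip": kv["dst"], "dst_port": int(kv["dport"])}

def normalize_vendor_b(line):
    """Hypothetical vendor B: JSON with other field names and string ports."""
    rec = json.loads(line)
    return {"protocol": rec["Protocol"].lower(), "src_ip": rec["SourceAddress"],
            "dst_ip": rec["DestinationAddress"],
            "dst_port": int(rec["DestinationPort"])}

def unregistered_dhcp_target(event):
    """x: UDP packet, y: destination port 67, z: destination IP not registered."""
    return (event["protocol"] == "udp"
            and event["dst_port"] == 67
            and event["dst_ip"] not in REGISTERED_DHCP_SERVERS
            and event["dst_ip"] != DHCP_BROADCAST)

# Constructed sample lines from the two hypothetical firewalls.
VENDOR_A_LINES = [
    "proto=UDP src=10.0.0.50 dst=10.0.0.2 dport=67",
    "proto=UDP src=10.0.0.51 dst=10.0.0.99 dport=67",
    "proto=TCP src=10.0.0.52 dst=10.0.0.99 dport=443",
]
VENDOR_B_LINES = [
    '{"Protocol": "udp", "SourceAddress": "10.0.1.7", '
    '"DestinationAddress": "10.0.1.200", "DestinationPort": "67"}',
    '{"Protocol": "udp", "SourceAddress": "10.0.1.8", '
    '"DestinationAddress": "255.255.255.255", "DestinationPort": "67"}',
]

def detect():
    """Normalize both feeds, then run the single rule over the merged events."""
    events = [normalize_vendor_a(line) for line in VENDOR_A_LINES]
    events += [normalize_vendor_b(line) for line in VENDOR_B_LINES]
    return [e["dst_ip"] for e in events if unregistered_dhcp_target(e)]

if __name__ == "__main__":
    print(detect())
```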

SIEM Correlation Rule Challenges

SIEM correlation rules can generate false positives like any type of event monitoring algorithm. Too many false positives can cause security administrators to waste their efforts, which could be applied to responding to real threats and attacks. It is impossible to have zero false positives in a properly functioning SIEM. When configuring SIEM correlation rules, a balance must be struck between reducing false positive alerts and not missing any possible anomalies that could indicate a cyber attack.

Some out-of-the-box SIEM correlation rules may not be applicable to a specific network. Deciding which preconfigured rules to disable and knowing which rules to write from scratch is another challenge.

Incorrectly filtered SIEM rules can make execution slow and time-consuming for a SIEM system. Administrators must filter the application of rules to determine what data is relevant and what data is irrelevant in their event pipeline.

Another factor is that not all SIEMs are the same. Some have built-in threat prevention analysis out-of-the-box, which makes them much more valuable, as is the case with redborder.

redborder SIEM provides all the information, alerts and automation needed to stay two steps ahead of online threats. It collects, normalizes, enriches, correlates and stores logs in a highly scalable, secure and intelligent way, so that the data is valuable both on its own and in cooperation with other modules or applications.
