WHAT ARE SIEM SOLUTIONS?
Security Information and Event Management (SIEM) solutions make investigating large amounts of security data easier and faster for analysts and administrators.
SIEM solutions collect logs and network traffic from across the enterprise and normalize the data into a common format so that it can be searched and correlated efficiently. Additionally, SIEMs can provide alerting, basic incident response (IR) workflows, dashboards and reporting, and integrations for data enrichment.
Without a SIEM solution, analysts would have to log in to multiple devices to manually search and correlate hundreds of logs and events.
But SIEM solutions oversee an organization’s most critical network and host data, and a compromised SIEM lets a threat actor watch the defenders’ own investigation in order to maintain access.
As a critical nerve-center of the network, a SIEM must be properly secured.
RISK
Although SIEMs are great for log aggregation and correlation, threat detection, and incident response, they can also pose a security risk if not properly hardened.
A 2018 Carbon Black report found that 72% of IR professionals saw log destruction, such as deletion of antivirus and security logs, during attacks [1].
A SIEM helps mitigate log destruction because it holds copies of logs forwarded off their originating hosts, so a log cleared on an endpoint usually survives in the SIEM. That same property makes a poorly secured SIEM an attractive target for an attacker who wants to delete the remaining copies of critical logs to cover their tracks.
If an attacker gains access to an organization’s SIEM solution, or captures unencrypted traffic flowing to or from it, the organization’s critical network information is exposed.
This information can include the IP addresses and domain names of critical assets, usernames, operating systems (OS), running services, and more.
Many SIEMs also integrate with vulnerability scanners to import device vulnerability data and correlate it with event data. An attacker who reads this data knows which attacks are most likely to work, because the SIEM has told them what assets the organization has, where each asset sits, and which vulnerabilities it may have.
Additionally, they may cover their tracks by deleting certain logs or events.
They will also be privy to activity in the SIEM that indicates incident response is under way, such as planned evictions, allowing them to take evasive action before defenders act.
Advanced attackers are very difficult to prevent, detect, and evict. Any single security measure can be circumvented in one way or another; therefore, no single measure is enough to protect against such an attacker, and layered controls are required.
Securing an organization’s SIEM solution is important to protect the organization and its assets.