Depths of SIEM: Correlations "out of the box". Part 1: Pure marketing or an unsolvable problem?
How often do you hear the statement that the correlation rules supplied by the manufacturer are GOST ???-90, with all its processes, people and technologies. This is an important point; we will return to it in the following articles.
The word "mutation" here is not chosen by chance. Recall that in biology a mutation is a persistent change in the genome. What is the genome of an AS (automated system)? Within this series of articles, by the genome of an AS I will mean its architecture and structure. And the "persistent changes" are nothing other than the daily work of system administrators, network engineers and information security engineers. Under the effect of these changes the AS moves from one state to another every minute. Some states are characterized by a higher level of security, some by a lower one. But for now that does not matter to us.
It is important to understand that the AS model is not a static object whose parameters are all described in the technical and working documentation, but a living, constantly mutating one. A SIEM that builds a model of the protected object inside itself must take this into account and be able to update that model promptly, keeping pace with the rate of mutation. And if we want to make correlation rules "work out of the box", they must take these mutations into account and always operate on the most up-to-date picture of the "world".
Methodology for the development of correlation rules
From the "pyramid" above it is clear that, when developing correlation rules, we are forced to fight all the problems that lie at the lower levels. In that fight, rules accumulate extra logic: additional filtering of events, checks for empty values, data type conversion and data transformation (for example, extracting the domain name from the full name of a domain user), and extraction of who interacts with whom within the event.
After all this, rules accumulate so many special-case checks, substring searches and regular expressions that the logic of their operation is clear only to their authors, and then only until their next vacation. Moreover, the constant changes in the automated system (mutations) require the rules to be updated regularly to fight false positives. A familiar picture?
As a result,
In this series of articles we will try to understand how to make correlation rules work out of the box.
To solve this task we face the following problems:
Loss of data when the "world" model is transformed at the normalization stage.
Absence of a clear, defined normalization methodology.
Permanent mutation of the protected object under the influence of people and processes.
Absence of a methodology for writing correlation rules.
Many of these problems lie in the area of constructing a correct event schema (the set of fields) and the process of normalizing events, which together are the foundation of correlation rules. The other part of the problems is solved by organizational and methodological means. If we manage to solve these problems, the concept of rules that work out of the box will have a broad positive effect and will raise the expertise that vendors embed in SIEM to a new level.
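To make the "extra logic" from the methodology section and the schema argument above concrete, here is an added Python example (mine, not the author's and not any vendor's SIEM code): a rule that carries its own field aliases, empty-value checks and subject parsing, beside the same detection written only against a small normalized event schema. The field names, the two subject formats (DOMAIN\name and name@domain) and the sample events are assumptions constructed for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed raw events from two hypothetical sources with different field names (not from the article).
RAW_EVENTS = [
    {"user": "CORP\\Alice", "src": "10.0.0.5", "result": "Failure"},
    {"account": "bob@corp.local", "client_ip": "10.0.0.5", "status": "failed"},
    {"user": "", "src": "10.0.0.5", "result": "Failure"},  # empty subject
    {"user": "CORP\\carol", "src": "10.0.0.9", "result": "Success"},
]
# Subject is either DOMAIN\name or name@domain (assumed formats).
SUBJECT_RE = re.compile(r"^(?:(?P<d1>[^\\]+)\\(?P<n1>.+)|(?P<n2>[^@]+)@(?P<d2>.+))$")

def rule_without_schema(event: dict) -> Optional[tuple]:
    """Detection logic carrying its own field aliases, empty checks and parsing:
    every new source or format change means editing the rule itself."""
    user = event.get("user") or event.get("account") or ""
    result = (event.get("result") or event.get("status") or "").lower()
    m = SUBJECT_RE.match(user)
    if not m or not result.startswith("fail"):
        return None
    return ((m.group("d1") or m.group("d2")).lower(), (m.group("n1") or m.group("n2")).lower(),
            event.get("src") or event.get("client_ip"))

@dataclass(frozen=True)
class NormalizedEvent:
    """Minimal event schema: who, from where, with what outcome."""
    subject_domain: str
    subject_name: str
    src_ip: str
    outcome: str  # "success" or "failure"

def normalize(event: dict) -> Optional[NormalizedEvent]:
    """Source-specific mapping lives here once, instead of inside every rule."""
    m = SUBJECT_RE.match(event.get("user") or event.get("account") or "")
    if not m:  # empty or unparseable subject is dropped at normalization time
        return None
    raw = (event.get("result") or event.get("status") or "").lower()
    return NormalizedEvent(
        subject_domain=(m.group("d1") or m.group("d2")).lower(),
        subject_name=(m.group("n1") or m.group("n2")).lower(),
        src_ip=event.get("src") or event.get("client_ip") or "",
        outcome="failure" if raw.startswith("fail") else "success",
    )

def rule_with_schema(ev: NormalizedEvent) -> Optional[tuple]:
    """The same detection written only against the schema: no parsing, no source knowledge."""
    return (ev.subject_domain, ev.subject_name, ev.src_ip) if ev.outcome == "failure" else None
```

Both paths produce the same matches on these events, but only the second survives a new log source or a changed subject format without the rule itself being edited.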
What's next? In the next article we will try to understand the loss of data during the transformation of the "world" model and think about what the set of fields required for our task, the event schema, should look like.
The article is almost ready, so I will publish it in the near future.