Set up and operate security monitoring throughout the enterprise

Seeing Eye

Creating Meaningful Rulesets

In addition to precisely defining your own infrastructure and asset management, you will either need to modify the typically large number of correlation rules supplied by the SIEM vendor to suit your environment and specific scenarios, or create your own enterprise-specific rulesets (Figure 4). Put simply, a correlation rule describes the conditions that reported events must meet, together with the response the SIEM triggers automatically once all conditions of the rule are met.

Figure 4: Rule wizard.

A very simple condition could be a count: a specific event type, such as communication with the command-and-control server of a known botnet, detected by an IDS and forwarded to the SIEM, occurring a given number of times from the same source IP address within a specific period.

If the event count exceeds the threshold defined in the correlation rule, the response described in the same rule is triggered – for example, notifying the responsible administrator by email, calling a script, or generating a new event that is, in turn, fed back into the SIEM for further correlation. Beyond simple counters, complex and nested conditions can be grouped to create a rule (Figure 5).

Figure 5: Complex and nested conditions can be grouped to create rules.
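The counter rule described above, written out as an added example (not code from the article or from any SIEM product): the event tuples, the signature strings, the rule parameters and the function names are all constructed for illustration. The rule fires once a source has produced three matching IDS events inside a five-minute window; it always emits a derived event for further correlation, and it sends an email that is throttled per target IP, which is the anti-flood measure discussed further below.

```python
"""Threshold correlation rule over IDS events, evaluated the way a SIEM would.

Added example, not code from the article or any SIEM product. Event tuples,
signature names and rule parameters are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed IDS events as forwarded to the SIEM: (timestamp, src, dst, signature).
# The signature strings imitate IDS naming but are made up for this example.
EVENTS = [
    ("2024-03-01T10:00:05", "10.0.0.7", "203.0.113.9", "CNC known botnet server"),
    ("2024-03-01T10:00:40", "10.0.0.7", "203.0.113.9", "CNC known botnet server"),
    ("2024-03-01T10:01:10", "10.0.0.7", "203.0.113.9", "CNC known botnet server"),
    ("2024-03-01T10:01:50", "10.0.0.7", "203.0.113.9", "CNC known botnet server"),
    ("2024-03-01T10:01:55", "10.0.0.9", "203.0.113.9", "CNC known botnet server"),
    ("2024-03-01T10:02:00", "10.0.0.9", "203.0.113.9", "CNC known botnet server"),
    ("2024-03-01T10:02:05", "10.0.0.9", "203.0.113.9", "CNC known botnet server"),
    ("2024-03-01T10:02:30", "10.0.0.9", "198.51.100.5", "POLICY external DNS query"),
    ("2024-03-01T10:30:00", "10.0.0.7", "203.0.113.9", "CNC known botnet server"),
]

# Rule parameters (hypothetical values).
WINDOW_SECONDS = 300       # look-back period for the counter
THRESHOLD = 3              # matching events from one source within the window
NOTIFY_INTERVAL_SECONDS = 60  # at most one email per target IP per minute


def matches(signature):
    """Condition 1: the event is of the type the rule is interested in."""
    return signature.startswith("CNC ")


def correlate(events, window_s=WINDOW_SECONDS, threshold=THRESHOLD,
              notify_interval_s=NOTIFY_INTERVAL_SECONDS):
    """Evaluate the rule over a time-ordered event stream.

    Returns the responses fired, in order: ("event", name, src, dst) for a
    derived event handed back to the correlation engine, ("email", name,
    src, dst) for a notification to the administrator.
    """
    window = timedelta(seconds=window_s)
    notify_interval = timedelta(seconds=notify_interval_s)
    recent = defaultdict(deque)   # src -> timestamps of matching events in window
    last_email = {}               # dst -> time of the last email about that target
    responses = []
    for ts_str, src, dst, sig in events:
        if not matches(sig):
            continue
        ts = datetime.fromisoformat(ts_str)
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:       # slide the window forward
            q.popleft()
        if len(q) < threshold:          # condition 2: count within window
            continue
        # Response 1: a derived event, always emitted so other rules can build on it.
        responses.append(("event", "c2_burst", src, dst))
        # Response 2: email, throttled per target IP so one botnet server
        # talking to many internal hosts does not flood the mailbox.
        last = last_email.get(dst)
        if last is None or ts - last >= notify_interval:
            last_email[dst] = ts
            responses.append(("email", "c2_burst", src, dst))
    return responses


if __name__ == "__main__":
    for response in correlate(EVENTS):
        print(response)
```

With the sample data, 10.0.0.7 crosses the threshold at 10:01:10 and again at 10:01:50, and 10.0.0.9 crosses it at 10:02:05 against the same target; three derived events are produced but only the first email goes out, because the other two fall inside the one-minute throttle for 203.0.113.9. The 10:30 event from 10.0.0.7 does not fire: its earlier events have slid out of the window.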

To avoid the risk of an email flood, the threshold parameter can be used to reduce the number of notification emails sent per minute, keyed on the target IP address.

In practice, signature-based detection methods that evaluate the content transferred between two systems on the fly have several weaknesses. The communication between a malware-infected IT system and its control server will typically be encrypted. The payload is thus not visible as clear text, and the security-relevant event is not easy to identify from content alone. What encryption does not hide is the metadata of the connection: source, destination, timing, and volume. NetFlow-based correlation, as offered by at least one SIEM solution, works on exactly that data and alerts the operator when a SIEM-defined threshold is exceeded or when a host deviates from the typical communication behavior the SIEM has learned as a baseline. Bear in mind that a learned baseline is only as good as the learning period: if a host was already compromised while the SIEM was learning, its beaconing becomes part of "normal."
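The flow-based rule described above, as an added example that is not part of the article or of any product: per host, a baseline of hourly outbound bytes and the set of external destinations is learned from a constructed training period, and the current hour is then checked against a fixed operator threshold, against the host's own history, and for destinations never seen before. All numbers, host addresses, thresholds and function names are assumptions made for this illustration.

```python
"""Flow-based detection against a learned baseline.

Added example, not code from the article or any SIEM product. Training data
and the observed hour are constructed numbers, not real NetFlow exports;
the thresholds are hypothetical.
"""
import statistics

# Constructed training data per internal host: hourly outbound byte counts
# over a clean learning period, and the external destinations seen in it.
TRAINING = {
    "10.0.0.7": ([1_200_000, 1_350_000, 1_100_000, 1_280_000, 1_330_000, 1_220_000],
                 {"198.51.100.20", "198.51.100.21"}),
    "10.0.0.9": ([300_000, 320_000, 290_000, 310_000, 305_000, 315_000],
                 {"198.51.100.21"}),
}

# Constructed flow summary for the hour under evaluation.
OBSERVED = {
    "10.0.0.7":  {"bytes": 2_000_000, "dsts": {"198.51.100.20"}},
    "10.0.0.9":  {"bytes": 310_000,   "dsts": {"198.51.100.21", "203.0.113.9"}},
    "10.0.0.12": {"bytes": 6_000_000, "dsts": {"198.51.100.20"}},
    "10.0.0.13": {"bytes": 50_000,    "dsts": {"198.51.100.21"}},
}

ABS_THRESHOLD = 5_000_000   # operator-defined ceiling on outbound bytes per hour
SIGMA = 3.0                 # how far from its own mean a host may drift


def learn_baseline(training):
    """Per host: mean and population standard deviation of hourly bytes,
    plus the set of destinations considered normal for that host."""
    return {host: (statistics.mean(counts), statistics.pstdev(counts), set(dsts))
            for host, (counts, dsts) in training.items()}


def evaluate(baseline, observed, abs_threshold=ABS_THRESHOLD, sigma=SIGMA):
    """Return (host, reason) for every host that violates the rule.

    Reasons: "threshold" (fixed SIEM-defined limit exceeded), "deviation"
    (outside mean +/- sigma * sd of the host's own history),
    "new_destination" (talks to an external host never seen while learning),
    "no_baseline" (host unknown, cannot be judged; surfaced for a human).
    """
    alerts = []
    for host, obs in observed.items():
        if obs["bytes"] > abs_threshold:
            alerts.append((host, "threshold"))
            continue
        if host not in baseline:
            alerts.append((host, "no_baseline"))
            continue
        mean, sd, known_dsts = baseline[host]
        # A constant training series (sd == 0) makes any change a deviation.
        if abs(obs["bytes"] - mean) > sigma * sd:
            alerts.append((host, "deviation"))
        if obs["dsts"] - known_dsts:
            alerts.append((host, "new_destination"))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(learn_baseline(TRAINING), OBSERVED):
        print(alert)
```

Note what each check catches: 10.0.0.7 sends far more than its history allows, 10.0.0.9 stays within its volume but talks to a never-seen destination (the pattern of a low-volume beacon that a pure byte-count rule would miss), 10.0.0.12 trips the absolute ceiling, and 10.0.0.13 has no baseline at all. A host with no baseline is deliberately reported rather than silently ignored.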

Alerting can also occur in multiple stages. For example, the first occurrence of a specific anomaly only generates a new event, which can itself be correlated further. If the same anomaly occurs several times within a given period, or in combination with other correlated events, it triggers an email or text message to the system owner. Different responses can be defined depending on the time of day by evaluating the time at which the incident occurred: during office hours the system administrator is notified by email, whereas at night the communication can be stopped automatically by a script that reconfigures the switch port or creates specific firewall rules. Reserve such automated blocking for rules you have tested thoroughly, because a false positive at night isolates a production system with nobody watching.
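The two-stage scheme with a time-dependent response, as an added example that is not part of the article or of any product. The input is a constructed stream of events that earlier rules have already produced ("anomaly" and "c2_burst" are made-up names for such derived events); stage one records the first sighting as another event, stage two escalates on repetition or on combination with the second event kind, and the stage-two response depends on whether the event falls inside hypothetical office hours. Window length, threshold, office hours and function names are assumptions.

```python
"""Multi-stage alerting with a time-of-day dependent response.

Added example, not code from the article or any SIEM product. Input events
are constructed; "c2_burst" stands for a derived event from another
correlation rule. Office hours, window and threshold are hypothetical.
"""
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

OFFICE_START, OFFICE_END = time(8, 0), time(18, 0)
WINDOW_SECONDS = 600        # how long events for one source stay relevant
REPEAT_THRESHOLD = 3        # same anomaly this often within the window escalates

# Constructed stream of already-correlated events: (timestamp, src, kind).
# 2024-03-01 is a Friday, 2024-03-02 a Saturday.
EVENTS = [
    ("2024-03-01T09:00:00", "10.0.0.7", "anomaly"),
    ("2024-03-01T09:02:00", "10.0.0.7", "anomaly"),
    ("2024-03-01T09:04:00", "10.0.0.7", "anomaly"),
    ("2024-03-01T09:05:00", "10.0.0.7", "anomaly"),
    ("2024-03-01T23:10:00", "10.0.0.9", "anomaly"),
    ("2024-03-01T23:12:00", "10.0.0.9", "c2_burst"),
    ("2024-03-02T10:00:00", "10.0.0.11", "anomaly"),
    ("2024-03-02T10:01:00", "10.0.0.11", "c2_burst"),
]


def is_office_hours(ts):
    """Weekday between OFFICE_START and OFFICE_END; weekends count as night."""
    return ts.weekday() < 5 and OFFICE_START <= ts.time() < OFFICE_END


def choose_response(ts, src):
    """Stage-2 response: a human during office hours, a script otherwise."""
    if is_office_hours(ts):
        return ("email", src)   # an administrator is around to investigate
    return ("block", src)       # nobody on duty: script isolates the host


def escalate(events, window_s=WINDOW_SECONDS, repeat_threshold=REPEAT_THRESHOLD):
    """Run the two stages over a time-ordered event stream; return the actions."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # src -> (ts, kind) pairs still inside the window
    escalated = {}               # src -> time of the last stage-2 response
    actions = []
    for ts_str, src, kind in events:
        ts = datetime.fromisoformat(ts_str)
        q = recent[src]
        q.append((ts, kind))
        while ts - q[0][0] > window:
            q.popleft()
        n_anomalies = sum(1 for _, k in q if k == "anomaly")
        with_burst = any(k == "c2_burst" for _, k in q)
        # Stage 1: the first sighting only produces a derived event.
        if kind == "anomaly" and n_anomalies == 1:
            actions.append(("event", "anomaly_seen", src))
        # Stage 2: repetition, or combination with another correlated event,
        # escalates at most once per source and window.
        if n_anomalies and (n_anomalies >= repeat_threshold or with_burst):
            last = escalated.get(src)
            if last is None or ts - last > window:
                escalated[src] = ts
                actions.append(choose_response(ts, src))
    return actions


if __name__ == "__main__":
    for action in escalate(EVENTS):
        print(action)
```

Tracing the sample: 10.0.0.7 repeats its anomaly three times on a Friday morning and gets an email; the fourth repetition inside the same window adds nothing. 10.0.0.9 shows a single anomaly that is followed by a c2_burst late at night, and 10.0.0.11 the same combination on a Saturday; both are blocked by script because nobody is in the office.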

Precisely Planning Updates

In addition to updating all connected data sources, it is important to update the SIEM solution itself regularly – particularly for security updates or new software versions. Besides providing bug fixes and resolving known vulnerabilities, the changes will typically focus on processing new or modified log formats or on more efficient options for integrating data sources. Before you upgrade your SIEM solution, you will want to think through your approach. Backing up all events and the current SIEM configuration before the update is simply best practice. Because the upgrade can take some time, you will also want to ensure that data sources can briefly cache events that occur while the SIEM is temporarily unavailable and deliver them afterwards. After the upgrade, check that the parsers for your data sources still extract the fields your correlation rules depend on, for instance by replaying a sample of archived events through the rules.

You will need a robust response to interruptions caused by updates, but also to outages caused by defects in the SIEM software itself, such as memory leaks or crashes from programming errors. With this in mind, you should establish integrated system monitoring and, above all, monitor the SIEM from an independent system, so that you keep track of its current status and can take appropriate action in good time. A SIEM that only monitors itself will not report its own failure.


The importance of SIEM systems for the secure operation of large, heterogeneous, and distributed infrastructures is growing. With their ability to correlate, enrich, and automatically process security messages from a variety of services, systems, and components, SIEM systems are a powerful tool. However, introducing a SIEM and going live is not something to be taken lightly, given the complexity involved: you will need to invest time and care in choosing a product, planning the basic configuration, integrating data sources, and configuring analysis rules and automated responses to leverage the full potential of your SIEM.

Although many products are maturing, the downside is that the ability to control downstream systems still needs to be scripted in-house to a great extent. It is hoped that the products will continue to develop in this respect in the future.
