Where Does a SIEM Fit In?

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 41 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire. Thanks for joining us. In today’s episode, we’re talking SIEMs. That’s short for security information and event management, and it typically describes software or services that provide real-time logging and analysis of security alerts. A SIEM can gather information from a variety of network software and devices and correlates, aggregates, and alerts users of issues requiring attention.

Monzy Merza is head of security research at Splunk, a well-known SIEM provider, and he joins us to share his thoughts on SIEMs, how they fit into the security lifecycle, and how successful organizations are best utilizing them. Stay with us.

Monzy Merza:

I used to work in government. I did that for about 15 years, doing a bunch of different things around security research, both developing tools and using tools with hardware and software technology development for security. Somewhere along the path, I built something as part of a team that was very close to what Splunk was, and then someone said, “Hey, that looks like Splunk,” and that stuck with me. Ultimately, I ended up downloading Splunk, and then buying Splunk, and then, eventually, coming to Splunk, because I felt that there was a lot of opportunity to share that style and that kind of analytics capability with a broader community, a broader sense of audiences. I’ve been at Splunk now for almost seven years.

Dave Bittner:

Now, when you were growing up, when you were coming up through school, what were your interests? Were you always technically minded?

Monzy Merza:

Yeah, very much so. I started programming in BASIC when I was probably in fifth grade. I was always a tinkerer, I think. My mom used to call me a reverse engineer, even before reverse engineering was a formal security discipline. She would say that I would always take my toys apart and then I would try to put them back together, even as a child. I guess I always had that, and just generally speaking, I don’t like mysteries. So, anytime somebody says, “Oh, just take it for granted,” I don’t like that answer. I like to learn and get in there.

Dave Bittner:

For our listeners who are not familiar with what Splunk does and where Splunk fits in to the ecosystem, tell us what we need to know.

Monzy Merza:

So, I think when most people think of Splunk, they think of it as the log aggregation engine, and that is correct, but incomplete. I would like for people to think of Splunk as — and this is the way I used it as a customer, and many of our customers use it like this — is they treat Splunk for security, as their nerve center. So, where data not only comes into Splunk from a variety of different sources, but then, information goes out of Splunk in the form of data, or in the form of telemetry, or in the form of action. So, you signal something … For example, if data is collected and you want to tell the firewall to take some action, whether it’s for evidence preservation, or whether you would talk to a forensics system for evidence preservation, or whether you want to enrich context to the existing system, for example, maybe with an HR system. If you want to do some configuration management, you want to reduce somebody’s privileges as a consequence of some analytic.

So, Splunk is that nerve center that allows you to collect everything from a lot of different places, process that information, and then be able to make faster decisions through the analyst.

Dave Bittner:

In terms of the practical uses for an analyst — in terms of saving time, improving their ability to make the decisions they need to make — can you give us some examples of how that would work?

Monzy Merza:

Yeah, sure. I think it’s in the broader context of the overall security operations lifecycle. So, essentially, from detection, investigation, and response, and even if you want to take a broader definition of the missed guidance and go all the way to identify, and go to the edge to mitigate. Splunk is used across all of that. So, let’s take a specific example. Let’s say that you’re in a business and you want to protect your web application services. As a defender, then, you want to ensure that your web application services are not under attack. You want to detect certain types of attacks. Now, of course, you have an ecosystem of products, whether there are firewalls, or whether there are authentication services that send in information from Splunk.

What Splunk does is, you can have analytics that are prebuilt using our enterprise security platform, or our user behavior analytics platform, to detect those things. Once you detect that, you create an alert. Now that you have an alert, you want to investigate something. Then, you may go back in to fetch more data, or maybe scope the problem. Is it really a threat? Is this a high priority, is this a low priority? What are the assets involved? Then, once you understand that you want to respond to it, maybe you want to do some sort of cleanup activity, or raise a ticket and be able to communicate with somebody and really start an official incident, if you will. That is how an analyst would use Splunk. And even to collaborate with other analysts or create some sort of a timeline to describe to somebody how this threat manifested itself.

Then, the other persona for usage is someone like a security operations manager, or a SOC manager, who might want to see the different things the teams are working on. Or even at a higher level, if you’re the director or you’re the chief information security officer, you might want to know what the threats are. How are you responding, how well are you working, what parts of your technology instrumentation and your ecosystem is benefiting your operation, both from the perspective of performance and from the perspective of effectiveness.

Dave Bittner:

Over time, as the need has grown and changed, what sorts of changes have you seen in the functionality of these SIEMs?

Monzy Merza:

I think if we look back, back in the day, the whole idea of when SIEMs were first introduced … when I first heard the term, it was probably about 12 years ago, maybe longer. The idea was this whole notion of correlation from multiple types of devices, or multiple types of sensors to create alerts. I think what practitioners realized over time was that there were way too many alerts. It was not sufficient just to have an alert, I think. Also, what practitioners realized was, they needed more. It wasn’t just an alert — they needed the ability to investigate, they needed the ability to automate, and the ability to respond to threats. Also, what they realized was, all data is security-relevant. So, DNS data is security-relevant, something from an application server is security-relevant.

Authentication logs … It’s obvious they are security-relevant, but database events are also security-relevant. I think the maturity of the SIEM has come across from just being this point solution for “traditional” enterprise security, or correlating things from security-specific devices, to taking this broader view of security operations as an enterprise environment. I think a lot of the movement toward cloud, a lot of the acceleration toward mobility, and all those kinds of things, have added to the expectation that a SIEM has to encompass a lot of different things. I think now, when we look at it in 2018, security operations look at themselves and say, “We need to be able to enable the business and not just be the people who say ‘no.'”

In order to enable the business, there are requirements for developing understanding, regardless of the footprint, or regardless of the types of problems they are trying to solve. They need broader analytical capabilities, they need broader actioning and automation capability. I think, as a consequence, SIEM is really evolving to the point where those are the requirements. It’s not just enough to collect something from an endpoint solution or a firewall. SIEM has evolved to — or at least the Splunk system has evolved to — this much bigger view of serving the entire security operations lifecycle with an eye toward risk and business enablement.

Dave Bittner:

It’s something we talk about quite a bit here, how the transition from data, to knowledge, to intelligence, is sort of that combination of the machine and the human, that the human still has that ability to say, “Something doesn’t seem quite right here. I need to dig in here.”

Monzy Merza:

At least how I view the world, personally — and this is not my own sort of rocket science assumption — in talking to hundreds and hundreds of customers, whether they are chief information security officers, whether they are malware reverse engineers, or whether they are frontline tier-one analysts, to me, one thing is absolutely clear: the human being is central to security operations.

It doesn’t matter how much machine learning and how much automation goes on, I think that the stance that is useful is for us to understand, as product builders and members of the security community, is that all of these machines serve the human analyst, or the human being, whether it is an analyst, a CSO, or a manager, to make decisions faster. That human is going to be able to synthesize and develop context across all of these different things to serve the business better, more than the machine is going to be able to do so. I think it’s important to design products and it’s useful to orchestrate your own security ecosystem within a security operations center, or within a security environment, for the business to enable the human analyst to make faster decisions.

Dave Bittner:

As you look toward the future, are there any functions you wish SIEMs could have that they don’t have now?

Monzy Merza:

Oh, man, I think the biggest one is around … We really ought to switch the conversation of the programmatic nature of security operations, and I think SIEMs should enable that. Most security operation centers have these checklists that an analyst is supposed to follow. For me, as a person who studied psychology in undergraduate school, that is a job of a machine. A person should not be doing checklist activities. If there is anything that is check-listed, that belongs to the machine. So, what the conversation has to flip to say is, let’s stop focusing so much on making people do these rudimentary tasks that are check-listed, and trying to make people behave more like machines, and flip that and say, let’s try to make it so people can behave more like people and exert their intuition. Make the products and make the solution more intuitive for the human being, to exert their intuition, to exert their own context, rather than try to follow these artificial contexts.

I think the other element of that, and maybe a contributing factor, is that security products, and products in general that are within the infrastructure of a business, from an IT point of view, is these products have to be open. This is so they can be connected to each other, because if there is open connectivity between these different products, then the integrations can be done, and that is the pathway — whether you are a security leader or whether you are an analyst — to take better advantage and exert your intuition and your context on top of that system. That is how systems have to be built and rendered out.

Dave Bittner:

Yeah, that leads me to this notion of community. How important is it to you that we have this strong community with the ability to share information? How do you think we are doing on that front?

Monzy Merza:

I think the community aspect is integral to the growth of security in general, and now, security operations is starting … Cyber is becoming part of the general vernacular to where people are starting to learn more and more, and are sharing more. I think there are a number of different organizations — Splunk included — and many of the partners that Splunk worked with in the technology sector, enabling the community aspects, either through opening PIs or through having their own, almost, app stores, if you will. Whether they are firewall vendors, or whether they are application platforms, or intelligence analytics platforms like Splunk, they all have these different community aspects to them. I think that is critical to moving things faster and cultivating, and for this ability for people to share with each other.

Dave Bittner:

You know, we focus on threat intelligence here on this show. What’s your take on that, and what do you think its part is to play in building a good security posture?

Monzy Merza:

A good security posture has a variety of different facets. There has to be this input of being able to collect information, being able to process information, and the ability to share or link information from different types of data sources. Threat intelligence is a key component of those different types of data sources, those different levels of insight. As any organization thinks, “What do I need?” I need data from endpoint systems, and I want to analyze that. I need data from network systems, application services, authentication services, and identity services. Threat intelligence is a key pillar in that stack, so you can learn from what’s happening from the outside world, and bring that. You leverage the power of the community to bring that information in.

I would say to a lot of organizations, too, that it’s not just the ability to collect threat intelligence, it’s the ability to act on the threat intelligence collected. It’s also the ability of an organization to create threat intelligence though their own analysis, and enrich the available threat intelligence with their own analysis, so that they can move the security operations forward faster.

Dave Bittner:

Now, when you say the ability to act on threat intelligence, what do you mean by that? Is it empowering employees, is that having systems in place?

Monzy Merza:

Yeah, I think it is a combination of both. I think it’s taking threat intelligence and making it so that when you receive something, whether it’s in the form of an IOC, whether it’s in the form of a TTP of some kind — which is tactics, techniques, and procedures — or tools, techniques, and procedures from a particular actor, to be able to take that information and make it actionable. I’ll give you a specific example. Let’s say I have a particular IOC from Recorded Future that’s associated, and I receive that in Splunk as part of an alert. Now, what I want to do is, I want to then see how many systems within my enterprise have interacted with this particular IP, for example. Or, what is the criticality of this system that has interacted with this IP? When they did interact with this IP, what is it that they did?

So, it’s this ability to receive good information, and be able to action that and contextualize it within your own organization, and then take the next-level action, whether it’s to block something, whether it’s to reduce something’s privilege, or whether it’s to notify somebody. That’s what I mean when I say intelligence should be actionable. As a consequence of that, acting on that then creates this additional loop to where I want to go back in and say, “Perhaps I can discover additional IOCs, or perhaps I can work this through and acquire additional TTPs as a consequence of my own investigation.” Then, I can loop that back into my own organization to make things better.

So, threat intelligence is about actioning, and I feel threat intelligence is really about accelerating your time to defense so that you are not the only organization who is looking at a threat. You can leverage the community, who’s learned, and then action that information.

Dave Bittner:

You know, it strikes me that you have a unique view of the ecosystem. You are traveling around, working with the customers that you do … Do you find some interesting patterns emerging? Do you find yourself thinking, “Gosh, if only people did this, they would be able to make their life a lot easier?”

Monzy Merza:

It kind of goes without saying, but there is really no silver bullet, so to speak. But I feel that in talking to most … So, I’ll share the observation. Organizations who are well-settled in their ways and have confidence are rooted in a good definition for themselves on what they think the risk is to them, and have taken action to minimize that risk. So, for the very strong sense of some kind of a root. As an example, some of the retail customers that I talk to, they’re very much anchored in the vulnerability management as their core security root. As a consequence, everything that they do is anchored in that. That doesn’t mean that they don’t have very sophisticated reverse engineers on their teams, that doesn’t mean that they don’t use threat intelligence. They do all those things as well, but everything contributes to that key anchor.

So, I feel that organizations that take some sort of an anchoring approach to reducing risk, they seem to do better. They seem to be at least more comfortable and be able to sleep at night a little bit better. The other observation is that there are some organizations who take this approach of, “There is all this data out there, and I’m going to somehow do some security operation thing, and I am going to collect a bunch of data from a bunch of different places, and whatever data that I have, and I’m going to try to detect things based on that data.” I think that approach is less optimal than the other one, to start with an anchor and work your way backwards. So, I would say that is the key differentiator.

Dave Bittner:

That’s Monzy Merza from Splunk. Our thanks to him for joining us.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.