Threat Intelligence Best Practices for Your SIEM Integration
July 16, 2019 • Zane Pokorny
Security information and event management (SIEM) solutions emerged in response to the need to collect, store, and analyze security data from across multiple systems in one place. Fundamentally, they perform two functions:
- Detecting security incidents in real time
- Organizing and managing security logs in one place
These two functions were sometimes called security event management (SEM) and security information management (SIM), respectively, and now they’re joined together in SIEM solutions.
For monitoring your internal network, SIEMs are far more efficient than any manual processes could hope to be. But detecting security incidents by only looking at your own network is like a doctor examining a patient using only internal tests. The patient’s external environment — what they’re eating, the spaces they’re living in, and so on — is just as important for diagnosing their health as what’s going on inside.
We’ll take a closer look here at some characteristics of SIEMs and explore how the external context provided by threat intelligence is essential for getting the most out of them.
SIEMs in Short
SIEMs gather log and event data from sources across a network, including network devices like routers and switches, security devices like firewalls, webmail servers, applications, and more. That data is normalized into a common schema before being correlated and analyzed.
This approach helps organizations discover threats by identifying outliers (such as unusual activity), perform incident response more effectively, and monitor for potential security issues, such as which users have access to which systems. But there are limitations to SIEM solutions.
The Problems With SIEMs
For one, they’re complex — they can be expensive to integrate with the rest of a security ecosystem, and even then they require a good degree of expertise to use effectively. Knowing what to do with all the event data that a SIEM can churn out can be difficult, and it’s only getting more so.
A few statistics from a recent Cisco study illustrate the problem:
- The average security team ignores 44% of the daily alerts they receive.
- Of the alerts they do look at, 28% are deemed legitimate threats — but only 46% of those are remediated.
Why are more than half of legitimate alerts going unresolved? Alert fatigue, information overload, a lack of time or expertise — whatever you want to call it, the problem is a big one. The solution requires moving beyond the reactive approach that SIEMs facilitate to a more proactive one.
Moving to a Proactive Approach With Threat Intelligence
Returning to the analogy of the doctor diagnosing a patient, threat intelligence provides the environmental context needed to see what might make you sick, so that you can take the proper precautions, like getting vaccinations.
Threat intelligence is knowledge that allows you to prevent or mitigate cyberattacks, helping you make informed decisions about your security by answering questions like:
- Who is attacking me?
- Why are they doing it? What are their motivations?
- What are they after?
- What are their tactics, techniques, and procedures?
- What indicators of compromise in my systems should I look for?
- What can I do about it?
All of this is external context that enhances the internal information you get from your SIEM, once the two are properly correlated.
Integrating Threat Intelligence Into Your SIEM
The important thing is to get threat intelligence that’s actionable. Threat feeds, for example, which have their uses but don’t give a lot of context, are not threat intelligence — don’t treat them as such. For threat intelligence to be actionable, it needs to have the following qualities:
- Relevance: The threat intelligence you get needs to matter to your organization and the systems and processes you use. Intelligence about exploits targeting vulnerabilities in systems that you don't run, for example, is a waste of time.
- Timeliness: Related to relevance, threat intelligence needs to arrive at the right time to be useful. It has a limited shelf life, and a stale indicator produces noise rather than detections.
- Completeness: The point of threat intelligence is to help you make better informed decisions. If it's incomplete, it often just slows down or otherwise complicates the decision-making process, even if it's trustworthy knowledge.
- Accuracy: The sources for threat intelligence should be high fidelity, with as little noise and as few false positives as possible.
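The following Python script is an added example, not code from this article or from any SIEM or threat-intelligence vendor. It shows the integration pattern the four qualities above describe: SIEM alerts that have already been normalized to common fields (as in "SIEMs in Short") are matched against threat-intelligence records, but only after each record passes relevance, timeliness and accuracy checks, and each match carries the actor and TTP context an analyst needs, with matches lacking that context flagged as incomplete rather than silently dropped. Every alert, indicator, field name, threshold and score below is constructed sample data and an assumption of this example; the technique ids are ATT&CK-style sample values.

```python
"""Enrich normalized SIEM alerts with threat-intelligence context.

Added example, not code from the original article or from any vendor.
All alerts, indicators, field names and thresholds are constructed
sample data (assumptions) chosen to exercise the relevance, timeliness,
completeness and accuracy checks the article lists.
"""
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is reproducible offline (assumption).
NOW = datetime(2019, 7, 16, tzinfo=timezone.utc)
# Platforms the organization actually runs, used for the relevance check (assumption).
ORG_PLATFORMS = {"windows", "linux"}

# Constructed threat-intelligence records. Unlike a bare feed, each carries
# context (actor, TTP ids), a risk score, source confidence and a freshness stamp.
INTEL = [
    {"type": "ip", "value": "203.0.113.45", "risk": 90, "confidence": 85,
     "last_seen": NOW - timedelta(days=2), "actor": "Example Group",
     "ttps": ["T1071"], "targets": ["windows", "linux"]},
    {"type": "domain", "value": "update-check.example", "risk": 75, "confidence": 70,
     "last_seen": NOW - timedelta(days=1), "actor": "Example Group",
     "ttps": ["T1568"], "targets": ["windows"]},
    # Stale: last seen four months ago, fails the timeliness check.
    {"type": "ip", "value": "198.51.100.7", "risk": 80, "confidence": 90,
     "last_seen": NOW - timedelta(days=120), "actor": "unknown",
     "ttps": [], "targets": ["windows"]},
    # Irrelevant: the campaign targets a platform the organization does not run.
    {"type": "ip", "value": "203.0.113.200", "risk": 95, "confidence": 95,
     "last_seen": NOW - timedelta(days=3), "actor": "Other Group",
     "ttps": ["T1190"], "targets": ["mainframe"]},
    # Low fidelity: a noisy source, fails the accuracy check.
    {"type": "ip", "value": "192.0.2.77", "risk": 60, "confidence": 20,
     "last_seen": NOW - timedelta(days=1), "actor": "unknown",
     "ttps": [], "targets": ["windows"]},
]

# Constructed alerts as a SIEM would emit them after normalizing to common fields.
ALERTS = [
    {"id": "A1", "rule": "outbound-connection", "src_ip": "10.0.0.12",
     "dst_ip": "203.0.113.45", "host_os": "windows"},
    {"id": "A2", "rule": "dns-query", "src_ip": "10.0.0.20",
     "domain": "update-check.example", "host_os": "linux"},
    {"id": "A3", "rule": "outbound-connection", "src_ip": "10.0.0.9",
     "dst_ip": "198.51.100.7", "host_os": "windows"},
    {"id": "A4", "rule": "outbound-connection", "src_ip": "10.0.0.9",
     "dst_ip": "192.0.2.77", "host_os": "windows"},
    {"id": "A5", "rule": "outbound-connection", "src_ip": "10.0.0.3",
     "dst_ip": "203.0.113.200", "host_os": "linux"},
]


def is_actionable(ind, now=NOW, org_platforms=ORG_PLATFORMS,
                  max_age_days=30, min_confidence=50):
    """Gate an indicator on relevance, timeliness and accuracy before it may match."""
    relevant = bool(set(ind["targets"]) & org_platforms)       # we run a targeted platform
    fresh = now - ind["last_seen"] <= timedelta(days=max_age_days)  # not past its shelf life
    trusted = ind["confidence"] >= min_confidence               # source fidelity high enough
    return relevant and fresh and trusted


def build_index(intel, **kwargs):
    """Index only the actionable indicators by (type, value) for lookup per alert."""
    return {(i["type"], i["value"]): i for i in intel if is_actionable(i, **kwargs)}


def alert_observables(alert):
    """Map normalized alert fields to the indicator types they can match."""
    if "dst_ip" in alert:
        yield ("ip", alert["dst_ip"])
    if "domain" in alert:
        yield ("domain", alert["domain"])


def enrich(alert, index):
    """Return a copy of the alert with matching intel context and a triage score.

    The score is the indicator's risk, raised when the alert's own host is among
    the campaign's targets (the internal/external correlation the article
    describes). Matches lacking actor or TTP data are flagged incomplete.
    """
    out = dict(alert, score=0, intel=None, complete=None)
    for key in alert_observables(alert):
        ind = index.get(key)
        if ind is None:
            continue
        score = ind["risk"] + (10 if alert.get("host_os") in ind["targets"] else 0)
        if score > out["score"]:
            out["score"] = min(score, 100)
            out["intel"] = {"indicator": ind["value"], "actor": ind["actor"], "ttps": ind["ttps"]}
            out["complete"] = bool(ind["ttps"]) and ind["actor"] != "unknown"
    return out


def triage(alerts=ALERTS, intel=INTEL, **kwargs):
    """Enrich every alert and return them highest score first."""
    index = build_index(intel, **kwargs)
    return sorted((enrich(a, index) for a in alerts), key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for a in triage():
        print(a["id"], a["score"], a["intel"])
```

With the sample data, only two of the five indicators survive the gate, so alerts A1 and A2 rise to the top with actor and TTP context attached, while A3, A4 and A5 stay at score zero even though their destinations appear in the raw feed. Loosening `max_age_days` brings the stale indicator back, which is the knob a team would tune against its own alert volume.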
Learn More With Our Solution Brief
Threat intelligence enhances your SIEM by enriching its internal network alerts with more context and correlating them with external information. This provides a more holistic, proactive approach to security.
This was only a quick overview, though. Learn more about the best practices for integrating threat intelligence with your SIEM by reading our complimentary solution brief on the topic, “Supercharging SIEM Solutions With Threat Intelligence.”