There have always been some common themes when it comes to SIEM content creation and the management of it: it is complex, requires the right skills and is not being done by many organizations. I have been lucky enough to see different SIEM deployments in both the commercial and federal space. I worked for eight years as a professional services consultant at ArcSight before becoming the content lead at a commercial MSSP that provided SIEM services. Time and time again, I have seen organizations not developing content or managing the content they have. Let’s explore why SIEM content management is a struggle and what JASK is doing to solve the problem.
We already know that SIEM content management is laborious and can be complex at times. Why is it so tough? As a professional services consultant at ArcSight, we recommended turning off all default content. SIEM default content rarely works because vendors do not have the data sources themselves to create the content, and it is a challenge to create it without the data source that goes along with it. With hundreds of security vendors, it is very hard to have a SIEM vendor to develop meaningful content. There is no guarantee that the content deployed in one network will also work in another as every network is unique in its own way, so default content is never the answer.
What about the correlation between data sources? Let’s look at a chain of suspicious events. A user clicks on a phishing email, then visits a website and downloads a malicious file. The user then executes a file and installs malware, which leads to some lateral movement and CNC traffic.
In this scenario, there could be a mail gateway, proxy, endpoint protection, intrusion detection, operating system, and flow logs — potentially six log sources that need to be correlated together. Think about all the different vendors of the device types listed. It takes a good content developer to be able to piece together this type of correlation. A content developer has to understand what each log source does and how they relate to each other. These complexities make it hard for both SIEM vendors and organizations to develop content that actually represents what took place.
JASK takes the complexity out of advanced correlation with its big data streaming platform and Adaptive Signal Clustering engine to create Insights. Every single signal or rule firing gets tied to an entity (a user, hostname or IP). On the backend, JASK keeps track of the state of the entity and the relationships between them. This type of complex processing takes a streaming platform and would be almost impossible in a traditional relational database. Think of the Adaptive Signal Clustering engine as an analytical machine that sits on top of a standard rules engine and is constantly evaluating signals against the entity as they come through. There is no need to have to develop complex boolean logic statements to correlate between data sources. If there are rules for the data source, JASK automatically correlates between disparate data sources.
Management of content is tough because every environment or business is different and there is no one size fits all. Content must be tuned and measured for effectiveness. With traditional on-premise SIEMs, this is nearly impossible for the SIEM vendors. It rests solely on the organization or their co-managed MSSP and is still a struggle even as traditional SIEM vendors have moved to the cloud-adopted model.
How is a cloud-native solution like JASK solving the management problem? We have a highly skilled team of threat engineers who are responsible for developing content. As customers onboard a new data source, our threat engineers review it, create the content and prototype it before it is deployed. Once deployed, they can tune the content based on how it is performing.
In a final review by threat engineers and Spec Ops team, the content will be certified and pushed out to all of JASK’s customers, as we have the ability to crowdsource content that is developed by our customers with their permission. This means if a customer develops a new detection rule, we can push it out to all of our customers and allow the entire community to benefit from it. In addition, the threat engineers continuously measure how the content is performing across all customer environments to make improvements when appropriate.
For a visual of the JASK content lifecycle, please see the image below.
As a cloud-native solution, JASK can easily push out content to all customers if there is a new emerging threat. For example, think of the recent Wipro incident. At JASK, we pushed out an advisory notification to all customer portals letting them know about the breach, saving them time from having to research the threat themselves.
Below is an advisory notification that was pushed through all of our customer portals:
Below is a portion of the JASK notebook with indicators of compromise that was delivered to all customers. This saved customers time from having to try to develop the content themselves.
Next time you are in the market for a SIEM, make sure to ask what the vendor is doing to help solve the complexities of content management. You will be glad you did.
Steven Dietz is technical director of field operations at JASK. With over 18 years of information security experience ranging from being an analyst to building world-class security operations, he demonstrates to potential customers how and why to use JASK products.