It’s easy to think of SIEM as a security event logger. Yet there is much more to handling security logs than appears on the surface. Logging is just the tip of the iceberg; after it come data normalization and event correlation. If these are misconfigured, an organization might miss a dangerous cyber-attack or keep suffering performance lags.
To operate efficiently, a SIEM solution must ingest large volumes of log records, normalize them into an easily digestible, platform-independent format, and then correlate the resulting events.
Correlation may appear especially challenging, since its rules and algorithms have to be reviewed and updated regularly (often by hand) to stay accurate. Below we review a few methods for improving event correlation in your SIEM.
Use Vendor-Specific Solutions
Every SIEM solution differs in the event correlation techniques it offers. For example, Splunk describes quite a few of them, based on:
- Time: examines relationships between events in time (what happened before, after, during an event?)
- Rules: compares events to certain variables like transaction type, location, etc.
- Patterns: a combination of the two above techniques.
- History: compares current events with identical events seen in the past.
- Domain: looks for relations between events from various domains. For example, web apps and network performance.
- Topology: adds the context of the IT environment. Events are matched to the topology of endpoints and applications.
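To make the first four techniques concrete, here is an added Python example (not code from the original article or from Splunk) that applies time, rule, pattern and history correlation to a constructed sample of normalized authentication events. The event schema, the rule name and the historical baseline are assumptions made for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of normalized authentication events (not taken from the
# page); a real SIEM would supply these after parsing and normalization.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:01", "src": "10.0.0.5", "user": "alice", "action": "login_failed"},
    {"ts": "2024-01-10T09:00:05", "src": "10.0.0.5", "user": "alice", "action": "login_failed"},
    {"ts": "2024-01-10T09:00:09", "src": "10.0.0.5", "user": "alice", "action": "login_failed"},
    {"ts": "2024-01-10T09:00:12", "src": "10.0.0.5", "user": "alice", "action": "login_failed"},
    {"ts": "2024-01-10T09:00:20", "src": "10.0.0.5", "user": "alice", "action": "login_success"},
    {"ts": "2024-01-10T09:30:00", "src": "10.0.0.7", "user": "bob", "action": "login_failed"},
    {"ts": "2024-01-10T09:45:00", "src": "10.0.0.7", "user": "bob", "action": "login_success"},
]

# Constructed historical baseline: average daily login failures per source.
HISTORY = {"10.0.0.5": 1.0, "10.0.0.7": 0.5}


def correlate_bruteforce(events, window=timedelta(minutes=5), threshold=3):
    """Time + rule (pattern) correlation: at least `threshold` failed logins
    for one (source, user) pair inside `window`, followed by a successful
    login for the same pair, collapse into a single correlated alert."""
    failures = defaultdict(deque)   # (src, user) -> timestamps of recent failures
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["src"], e["user"])
        t = datetime.fromisoformat(e["ts"])
        recent = failures[key]
        while recent and t - recent[0] > window:   # slide the time window forward
            recent.popleft()
        if e["action"] == "login_failed":
            recent.append(t)
        elif e["action"] == "login_success" and len(recent) >= threshold:
            alerts.append({
                "rule": "bruteforce_then_success",
                "src": e["src"], "user": e["user"],
                "failures": len(recent),
                "first_failure": recent[0].isoformat(),
                "success_at": e["ts"],
            })
            recent.clear()   # do not re-alert on the same burst
    return alerts


def history_correlation(events, history, factor=3.0):
    """History correlation: flag sources whose failure count in `events`
    exceeds `factor` times their historical daily average."""
    today = defaultdict(int)
    for e in events:
        if e["action"] == "login_failed":
            today[e["src"]] += 1
    return {src: n for src, n in today.items() if n > factor * history.get(src, 0.0)}


if __name__ == "__main__":
    for a in correlate_bruteforce(SAMPLE_EVENTS):
        print("correlated alert:", a)
    print("above historical baseline:", history_correlation(SAMPLE_EVENTS, HISTORY))
```

Note that bob's single failure followed by a success fifteen minutes later produces nothing: the time window drops it before the success arrives, which is exactly the noise a plain rule without a time dimension would keep.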
Of course, it’s up to the SOC team to decide which techniques are appropriate in the context of the industry in which the organization operates. It’s important to remember that sometimes less is more: while many options are available, choosing only some of them may be what leads to the desired outcome.
It’s also advisable to mix vendor-specific solutions with vendor-agnostic ones. For example, by combining Splunk correlation techniques with the SOC Prime Detection as Code platform, security engineers benefit from using specifically correlated data for accurate threat detection. Furthermore, the SOC team can simplify deploying similar rules across various security solutions by translating generic formats like Sigma into vendor-specific ones with Uncoder.IO, an online translation engine that instantly converts Sigma-based rules into a variety of SIEM, EDR, and NTDR formats.
Use Probabilistic Approach
Improving event correlation in cybersecurity solutions has been widely discussed in the academic literature. One of the most influential works in this area is the probabilistic alert correlation approach of Valdes and Skinner. They proposed a hierarchy of correlation levels: assuming that attacks are detected by sensors spread across the network, the resulting alerts are grouped at three processing levels:
- Intra-sensor or synthetic threads;
- Security incidents;
- Correlated attack reports.
In outline, the correlation algorithm looks like this:
- Cluster alerts that belong to the same ongoing attack, using a similarity measure over their features (attack class, source and target addresses, time, and so on);
- Detect the same attack across sensors by relaxing the requirement that the sensor match, while still requiring the other alert fields to be similar;
- Require both alerts to share an attack class, and set similarity thresholds above which alerts are merged.
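The following added Python example (not code from the original article and not the authors' own implementation) shows this two-level scheme on constructed alerts from two sensors. It simplifies the paper: per-feature similarity is a weighted average, the meta-alert keeps the features of its first member instead of fusing them, and the sensor requirement is relaxed by giving that feature weight 0 at the incident level. Field names, weights and the threshold are assumptions for this example.

```python
from datetime import datetime

# Constructed alerts from two sensors on the same network segment (not from the
# page). Field names are assumptions for this example.
ALERTS = [
    {"id": 1, "sensor": "nids-1",   "class": "portscan", "src": "203.0.113.4",  "dst": "10.0.0.10", "ts": "2024-01-10T10:00:00"},
    {"id": 2, "sensor": "nids-1",   "class": "portscan", "src": "203.0.113.4",  "dst": "10.0.0.11", "ts": "2024-01-10T10:00:30"},
    {"id": 3, "sensor": "hids-web", "class": "portscan", "src": "203.0.113.4",  "dst": "10.0.0.10", "ts": "2024-01-10T10:01:00"},
    {"id": 4, "sensor": "nids-1",   "class": "sqli",     "src": "198.51.100.9", "dst": "10.0.0.10", "ts": "2024-01-10T12:00:00"},
]


def sim_exact(a, b):
    return 1.0 if a == b else 0.0


def sim_ip(a, b):
    """Same address -> 1, same /24 -> 0.5, otherwise 0."""
    if a == b:
        return 1.0
    return 0.5 if a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0] else 0.0


def sim_time(a, b, window=300):
    """Linear decay to 0 over `window` seconds."""
    delta = abs((datetime.fromisoformat(a) - datetime.fromisoformat(b)).total_seconds())
    return max(0.0, 1.0 - delta / window)


SIMILARITY = {"sensor": sim_exact, "class": sim_exact, "src": sim_ip, "dst": sim_ip, "ts": sim_time}


def similarity(alert, meta, weights):
    """Weighted average of per-feature similarities between a new alert and a
    meta-alert. A feature with weight 0 is dropped from the comparison."""
    total = sum(w * SIMILARITY[f](alert[f], meta[f]) for f, w in weights.items() if w)
    return total / sum(weights.values())


def correlate(alerts, weights, threshold):
    """Greedy clustering: an alert joins the first meta-alert whose similarity
    is >= threshold, otherwise it starts a new one. Returns member id lists."""
    clusters = []
    for a in alerts:
        for c in clusters:
            if similarity(a, c["meta"], weights) >= threshold:
                c["members"].append(a["id"])
                break
        else:
            clusters.append({"meta": dict(a), "members": [a["id"]]})
    return [c["members"] for c in clusters]


# Level 1, synthetic threads: the sensor must match (high weight).
THREAD_WEIGHTS = {"sensor": 3, "class": 3, "src": 2, "dst": 1, "ts": 1}
# Level 2, security incidents: the sensor feature is dropped (weight 0), so the
# same attack seen by different sensors merges; the attack class still matters.
INCIDENT_WEIGHTS = {"sensor": 0, "class": 3, "src": 2, "dst": 1, "ts": 1}

if __name__ == "__main__":
    print("threads:  ", correlate(ALERTS, THREAD_WEIGHTS, 0.8))    # [[1, 2], [3], [4]]
    print("incidents:", correlate(ALERTS, INCIDENT_WEIGHTS, 0.8))  # [[1, 2, 3], [4]]
```

At thread level the host sensor's view of the scan (alert 3) stays separate because the sensor differs; once the sensor feature is dropped, alerts 1, 2 and 3 merge into one incident while the unrelated SQL injection alert remains on its own. The weights are the tuning knob: the attack class carries enough weight that two alerts of different classes cannot merge even if every other feature matches.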
To correlate events in a way that helps detect multi-stage attacks, security engineers can also write rules that express the prerequisites and consequences of attack steps as predicates of first-order logic. Alerts that signal different stages of a single attack can then be chained together into what researchers call hyper alerts. By applying this concept, SOC teams reduce the number of separate alerts an analyst has to examine and respond to, since the related true positives arrive as one grouped alert instead of several.
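As an added example (not code from the original article or from the cited research), the Python below builds hyper alerts from a small constructed type table: each alert type lists prerequisite and consequence predicates, an alert "prepares for" a later one when a consequence of the first matches a prerequisite of the second, and connected alerts are grouped. The type names, predicate names and alerts are assumptions for this example.

```python
from datetime import datetime

# Constructed hyper-alert type table (not from the page). Each predicate is
# (name, alert_field): it is instantiated by substituting the alert's value for
# that field, so ("ExistsService", "dst") on an alert with dst=10.0.0.10 becomes
# ExistsService(10.0.0.10). Type and field names are assumptions for this example.
HYPER_ALERT_TYPES = {
    "recon_scan":      {"prereq": [],                         "conseq": [("ExistsService", "dst")]},
    "exploit_attempt": {"prereq": [("ExistsService", "dst")], "conseq": [("ShellAccess", "dst")]},
    "outbound_c2":     {"prereq": [("ShellAccess", "src")],   "conseq": [("C2Channel", "src")]},
}

# Constructed alerts. 1->2->3 is one intrusion; 4 has no matching earlier step;
# 5 is a scan that happens after the exploit it could otherwise have prepared.
ALERTS = [
    {"id": 1, "type": "recon_scan",      "src": "203.0.113.4",  "dst": "10.0.0.10",   "ts": "2024-01-10T10:00:00"},
    {"id": 2, "type": "exploit_attempt", "src": "203.0.113.4",  "dst": "10.0.0.10",   "ts": "2024-01-10T10:05:00"},
    {"id": 3, "type": "outbound_c2",     "src": "10.0.0.10",    "dst": "203.0.113.4", "ts": "2024-01-10T10:07:00"},
    {"id": 4, "type": "exploit_attempt", "src": "198.51.100.9", "dst": "10.0.0.50",   "ts": "2024-01-10T11:00:00"},
    {"id": 5, "type": "recon_scan",      "src": "203.0.113.4",  "dst": "10.0.0.10",   "ts": "2024-01-10T10:30:00"},
]


def instantiate(alert, predicates):
    """Ground the (name, field) predicate templates with this alert's values."""
    return {(name, alert[field]) for name, field in predicates}


def prepares_for(a, b):
    """a prepares for b if a happened first and some consequence of a is a
    prerequisite of b (the 'prepare-for' relation used to build hyper alerts)."""
    if datetime.fromisoformat(a["ts"]) >= datetime.fromisoformat(b["ts"]):
        return False
    conseq = instantiate(a, HYPER_ALERT_TYPES[a["type"]]["conseq"])
    prereq = instantiate(b, HYPER_ALERT_TYPES[b["type"]]["prereq"])
    return bool(conseq & prereq)


def build_hyper_alerts(alerts):
    """Return the prepare-for edges and the connected groups of alert ids; each
    group with more than one member is a candidate multi-stage attack."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    edges = []
    for a in alerts:
        for b in alerts:
            if a is not b and prepares_for(a, b):
                edges.append((a["id"], b["id"]))
                parent[find(a["id"])] = find(b["id"])
    groups = {}
    for a in alerts:
        groups.setdefault(find(a["id"]), []).append(a["id"])
    return edges, sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    edges, groups = build_hyper_alerts(ALERTS)
    print("prepare-for edges:", edges)   # [(1, 2), (2, 3)]
    print("hyper alerts:", groups)       # [[1, 2, 3], [4], [5]]
```

Two details matter in practice. The temporal check is what keeps alert 5 out of the chain: a scan after the exploit cannot have prepared it. And the field mapping in the predicate templates is where the analyst's knowledge goes: the compromised host appears as `dst` in the exploit alert but as `src` in the outbound connection, and the `ShellAccess` predicate ties those two views together.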
Choose Threat Intelligence Wisely
It’s important for any security operations center to track events inside the network and correlate them with external data, i.e. threat intelligence, so that the organization is aware of current threats. However, external threat intel feeds often lack context, which is why they can trigger many false positive alerts. Another concern is that SOC teams often lack the time to write new rules for new threat intel. As a result, new and relevant data is available, but the organization keeps relying on outdated rules that do not reflect the current situation.
So one way to improve event correlation is to feed your SIEM with just the right amount of threat intelligence, focused on the attacks most likely to occur in your particular context. That not only reduces the number of false positive alerts but also increases the chances of accurate correlation.
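The added Python example below (not code from the original article or from any threat intelligence vendor) shows what "the right amount" can mean in practice: a constructed feed is filtered by confidence, freshness, a shared-infrastructure tag and platform relevance before being correlated with events, and the hit lists with and without curation are compared. The feed schema, tags, thresholds and organization profile are assumptions for this example; all addresses are from documentation ranges.

```python
from datetime import datetime, timedelta

# Fixed "now" so the example is reproducible offline.
NOW = datetime.fromisoformat("2024-01-10T12:00:00")

# Constructed threat intel feed (not from the page; all addresses are
# documentation ranges). Field names and tags are assumptions for this example.
FEED = [
    {"ioc": "203.0.113.4",  "type": "ip",     "confidence": 90, "last_seen": "2024-01-09", "tags": ["c2", "windows"]},
    {"ioc": "198.51.100.1", "type": "ip",     "confidence": 20, "last_seen": "2022-03-01", "tags": ["scanner"]},
    {"ioc": "192.0.2.53",   "type": "ip",     "confidence": 70, "last_seen": "2024-01-08", "tags": ["shared-infra"]},
    {"ioc": "evil.example", "type": "domain", "confidence": 85, "last_seen": "2024-01-05", "tags": ["phishing", "macos"]},
]

# Constructed events already normalized by the SIEM.
EVENTS = [
    {"id": 1, "src": "10.0.0.5", "dst": "203.0.113.4"},
    {"id": 2, "src": "10.0.0.6", "dst": "192.0.2.53"},
    {"id": 3, "src": "10.0.0.7", "domain": "evil.example"},
    {"id": 4, "src": "10.0.0.8", "dst": "198.51.100.1"},
]

# What this (hypothetical, Windows-only) organization actually cares about.
ORG_PROFILE = {"platforms": {"windows"}, "min_confidence": 60, "max_age": timedelta(days=30)}
PLATFORM_TAGS = {"windows", "macos", "linux"}


def select_indicators(feed, profile, now=NOW):
    """Keep only indicators that are confident, fresh, not shared infrastructure,
    and relevant to the organization's platforms."""
    kept = []
    for ind in feed:
        if ind["confidence"] < profile["min_confidence"]:
            continue   # low-confidence entries mostly generate false positives
        if now - datetime.fromisoformat(ind["last_seen"]) > profile["max_age"]:
            continue   # stale indicators no longer reflect current activity
        if "shared-infra" in ind["tags"]:
            continue   # CDN/DNS/hosting addresses also match benign traffic
        platforms = set(ind["tags"]) & PLATFORM_TAGS
        if platforms and not platforms & profile["platforms"]:
            continue   # platform-specific threat that cannot affect this estate
        kept.append(ind)
    return kept


def match(events, indicators):
    """Correlate events against indicators on the fields that carry IOCs."""
    index = {ind["ioc"] for ind in indicators}
    hits = []
    for e in events:
        for field in ("src", "dst", "domain"):
            value = e.get(field)
            if value in index:
                hits.append((e["id"], value))
    return hits


if __name__ == "__main__":
    print("raw feed hits:    ", match(EVENTS, FEED))
    print("curated feed hits:", match(EVENTS, select_indicators(FEED, ORG_PROFILE)))
```

With the raw feed every event matches something; with the curated feed only the confirmed, current C2 address remains. The platform filter is the one to treat with care: it is correct for a single-platform estate, but an organization that cannot enumerate its platforms reliably should keep platform-tagged indicators and lower their priority instead of dropping them.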
A recent study by Cisco shows that almost half of the alerts triggered in security solutions are ignored by SOC teams. Clustering alerts can be an effective way to improve event correlation, especially when most alerts are generated by a few dozen persistent root causes. Clustering on generalized attributes (for example, a subnet instead of an individual IP address, or a server role instead of a hostname) helps reveal that many seemingly unrelated alarms share the same root cause, which in turn improves correlation.
A further technique for increasing situational awareness through better correlation is to apply Bayesian Multiple Hypothesis Tracking, or Bayesian network fragments, to group the outputs of sensor processes.
All in all, it is fair to say that event correlation should be handled differently in each individual situation. A lot of scientific research has been done in this area, but its findings can usually only be implemented by highly skilled specialists. Nevertheless, some viable solutions can be found on the market of cybersecurity products.
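The following added Python example (not code from the original article or from the Cisco study) demonstrates clustering on generalized attributes: each constructed alert is mapped to a coarser key (rule, source /24, host role, hour of day) and alerts are counted per key, so a handful of keys explain most of the volume. The alert schema, the generalization rules and the sample data are assumptions for this example.

```python
from collections import Counter

# Constructed raw alerts (not from the page). Most of them come from one
# recurring cause: an internal scanner in 10.0.5.0/24 probing the web tier.
RAW_ALERTS = [
    {"rule": "tls_weak_cipher",  "src": "10.0.5.20", "host": "web-01",  "ts": "2024-01-10T03:00:00"},
    {"rule": "tls_weak_cipher",  "src": "10.0.5.20", "host": "web-02",  "ts": "2024-01-10T03:00:05"},
    {"rule": "tls_weak_cipher",  "src": "10.0.5.21", "host": "web-03",  "ts": "2024-01-10T03:00:09"},
    {"rule": "tls_weak_cipher",  "src": "10.0.5.21", "host": "web-04",  "ts": "2024-01-10T03:00:14"},
    {"rule": "tls_weak_cipher",  "src": "10.0.5.22", "host": "web-05",  "ts": "2024-01-10T03:00:20"},
    {"rule": "failed_login",     "src": "10.0.9.3",  "host": "db-01",   "ts": "2024-01-10T14:10:00"},
    {"rule": "failed_login",     "src": "10.0.9.4",  "host": "db-02",   "ts": "2024-01-10T14:12:00"},
    {"rule": "malware_detected", "src": "10.0.7.9",  "host": "wks-117", "ts": "2024-01-10T15:00:00"},
]


def generalize(alert):
    """Replace specific attribute values with coarser ones: IP -> /24,
    hostname -> role prefix, timestamp -> hour of day."""
    subnet = alert["src"].rsplit(".", 1)[0] + ".0/24"
    role = alert["host"].split("-")[0]
    hour = alert["ts"][11:13]
    return (alert["rule"], subnet, role, hour)


def cluster_alerts(alerts):
    """Count alerts per generalized key; each key is a candidate root cause."""
    return Counter(generalize(a) for a in alerts)


def root_causes(alerts, min_size=2):
    """Generalized keys that explain at least `min_size` alerts, largest first."""
    return [(key, n) for key, n in cluster_alerts(alerts).most_common() if n >= min_size]


def coverage(alerts, top_k=1):
    """Fraction of all alerts explained by the `top_k` largest clusters."""
    top = cluster_alerts(alerts).most_common(top_k)
    return sum(n for _, n in top) / len(alerts)


if __name__ == "__main__":
    for key, n in root_causes(RAW_ALERTS):
        print(f"{n} alerts <- rule={key[0]} subnet={key[1]} role={key[2]} hour={key[3]}")
    print("share of alerts explained by the top cluster:", coverage(RAW_ALERTS, 1))
```

Eight raw alerts against five different hosts from three different scanner addresses collapse into one cluster once the address is generalized to its /24 and the hostname to its role; an analyst sees one root cause (a scheduled scan of the web tier) instead of five tickets. The generalization rules are the tuning point: too coarse and unrelated alerts merge, too fine and the persistent causes stay hidden.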