RESOURCES
Mastering Log Management: Enhancing SIEM and SOC Efficacy
We mentioned in our previous blog on SIEM efficacy that we would be exploring key areas and best practices for improving SIEM and SOC efficacy. In this blog, we will look into some of the challenges associated with log management and an innovative approach to tackle them.
Security Information and Event Management (SIEM) platforms depend on the quality, consistency, and timeliness of the logs they receive, to generate alerts on security events. Log management is no straightforward task. Log agents and collection software can malfunction due to configuration errors, software bugs, expired licenses, old APIs, and many other factors. In addition the complexity, size, and load on the network can delay the flow of data.
In broader terms and in the context of threat alerting, there are four distinct categories of log problems that can arise. Understanding these categories is crucial for maintaining the efficacy of SIEMSs and SOCs. Each category highlights a different aspect of log management challenges, shedding light on potential areas of improvement for Security Operations Centers (SOCs).
Category 1:All of the relevant security controls on the attack vector may fail to detect the TTPs of the attack, and therefore no log is generated.
One reason for missing the required event logs in SIEM platforms is that defence technologies may fail to detect some adversarial techniques. Sophisticated adversarial techniques often evade these technologies, and "True positive" situations can go undetected, posing significant cyber breach risks. Some threat categories might not be addressed due to systemic weaknesses, technological limitations, or skill shortages. Maintaining a bird's-eye view of the network environment in terms of threat readiness can help SOC teams proactively identify gaps and improve detection and response capabilities.
Another difficulty SOC teams face is tracking changes applied by operations teams. These changes may include configuration adjustments or newly deployed technologies without a proper change management process. Such uninformed changes can lead to ineffectiveness in both SOC environments as well as the network at large.
Category 2: Attack TTPs are detected by the defences but either logging options are not set properly or the delivery mechanism failed to work.
When attack TTPs are detected by the defence technologies but either logging options are not set properly or the delivery mechanism failed to work, it creates a significant gap in the security monitoring process. This can occur due to misconfigurations in the logging settings or issues in the log forwarding infrastructure. Such problems lead to critical events not being recorded or transmitted to the SIEM platform, causing potential security incidents to go unnoticed. Ensuring proper configuration and functionality of logging mechanisms is essential for accurate and timely threat detection.
Category 3: Logging and delivery mechanisms may be working but there may be a setting or a network-related problem delaying log delivery.
Even when logging and delivery mechanisms are operational, issues such as incorrect settings or network-related problems can delay log delivery to the SIEM platform. These delays can hinder the timely detection and response to security incidents. Network congestion, bandwidth limitations, or misconfigured log forwarding settings are common culprits. Ensuring that logs are delivered promptly and without interruption requires regular monitoring and optimisation of the network infrastructure and logging configurations. Addressing these issues proactively can significantly enhance the efficiency and reliability of security monitoring.
Category 4: Logs may be delivered to SIEMs but it does not contain the right level of detail to generate alert.
Logs that reach the SIEM platform but lack the necessary detail to generate alerts present a significant challenge for security monitoring. These incomplete logs may miss critical information required to identify and respond to security incidents effectively. This can happen due to insufficient logging configurations or inadequate log parsing and enrichment processes.
How to tackle these challenges?
Today, the widely adapted log validation mechanism is primarily based on identifying deviations from the set traffic statistics. This approach could neither map the traffic with malicious content nor identify the root cause of log problems in multifunctional security controls. Not being able to validate logs in terms of threat coverage lowers Security Operations Centers' (SOC) efficacy and could impede taking timely actions on alerts and incidents.
We at Cynode validate our log coverage, quality and timeliness of delivery using an integrated and a continuously operational threat simulation infrastructure to make sure we do not bump into any of the situations listed above. We also map our log coverage to the MITRE ATT&CK Enterprise framework to keep the TTP context in scope. We make sure that our customers are served with the optimal log coverage for the best possible detection and response experience.
Get in touch to learn more.
-
The Risks of Increasing SaaS Use
Organisations increasingly rely on cloud applications, with small enterprises using over 20 SaaS apps per user and large companies exceeding 250 per company. This growth introduces significant cyber security risks, including unauthorised access and Shadow IT, where unsanctioned apps are used without oversight. To mitigate these risks, companies need advanced monitoring solutions like Cynode’s MDR for Cloud Apps Shadow IT, which offers visibility, consent policy enforcement, and threat detection across SaaS platforms, ensuring security and compliance.
-
Interview with Senior Cyber Advisor Per-Olov Kask
Delve into the fascinating career journey of a seasoned cyber security professional who has dedicated over three decades to the ever-evolving IT and cyber security landscape. Starting as an IT technician in 1993, our expert quickly rose through the ranks to become a country IT manager, driven by a passion for combating emerging cyber threats. In 2022, this journey led to an impactful role at Cynode as a Senior Cyber Advisor. Join us as we explore his experiences, insights, and the innovative approaches that make Cynode a leader in the cyber security field.
-
Regular EDR Policy Tuning
The cyber security world has recently focused on EDR technology due to its significant impact across industries. This post explores the evolution from early antivirus software to EDR platforms. Key milestones include the introduction of commercial antivirus software in 1987, the emergence of heuristic and behavioural detection methods in the early 2000s, and the development of Next-Gen Antivirus (NGAV) in 2010. EDR solutions, emerging around 2013, are crucial for detecting, investigating, and mitigating security threats but require regular policy updates and meticulous tuning for optimal performance.
-
Understanding WebApp Exposure
WebApp Exposure Monitoring involves regular assessments and updates to perimeter defence platforms like WAF policies, ensuring alignment with the latest threat intelligence. Having a proactive stance to WebApp attacks is crucial as cyber threats incredibly fast, often outpacing traditional security defences. The process of continuously monitoring web applications allows organisations to more readily detect anomalies and respond to threats in real-time, minimising the risk of data breaches and other cyber incidents.
-
Introduction to Managed Security Service Providers (MSSPs)
Businesses increasingly struggle with cyber security management, especially with limited resources. Managed Security Service Providers (MSSPs) like Cynode offer comprehensive, efficient solutions, managing everything from security infrastructure to incident response, often using cloud services for cost efficiency. This article explores the benefits and services MSSPs provide, underscoring their importance in modern cyber security strategies.
-
Improving SIEM Efficacy as the Market Evolves
As the SIEM market evolves with new mergers and partnerships, Cynode supports practitioners to ensure no security event is missed, offering comprehensive services from threat-centric log and rule validation to complete SIEM management.
-
Welcome Konrad Falk as Our New Senior Cyber Advisor & Architect!
Konrad brings extensive experience in Cyber Security and IT, with a background in programming, networking, and security. Passionate about securing companies and educating others, he values the trust of our leadership and is eager to manage security incidents and tackle evolving threats hands-on.
-
“Trust me, I was an engineer” – Björn Nilsson
We are pleased to announce Björn Nilsson as the new Head of Security Operations Sweden at Cynode. His extensive experience in cyber security and IT infrastructure marks a significant milestone in enhancing our capabilities. Björn brings a wealth of expertise from various critical roles within the industry.
-
Cynode Boosts Team with Gustav Bivstedt's Technical Expertise
Cynode hires Gustav Bivstedt as a Cyber Advisor to enhance our Cyber Advisory and Assurance Services. His expertise strengthens our technical capacity and supports business growth, including new offerings in security testing, cyber maturity assessments, and proactive risk management with Cyber Threat Intelligence.
-
Meet our "VP of Product" Cumhur Hatipoglu
As Cynode’s CMO, I am constantly impressed by our team's innovation and engagement. Cumhur Hatipoglu, our new VP of Product, enhances our mission to innovate in cyber security and MDR services. His approach integrates NIST CSF and best security practices to ensure our solutions meet clients' evolving needs.
-
Hacking and Cyber Warfare Go Hand in Hand
Sweden, amidst its NATO application and tensions with Russia and Turkey, has experienced a rise in political cyber-attacks. Groups such as Anonymous have targeted governmental infrastructures, leading to data leaks. Escalation of cyber-crime and nation-state backed cyber warfare necessitates global enhancement of defense measures.
-
EU updates NIS Directive. Are you compliant?
The European Union introduced the NIS 2 Directive to improve the cyber security of critical infrastructure systems within its member states and to ensure that digital service providers and operators of essential services have adequate security measures in place to secure their networks and data.
-
Rise of Cyber Due Diligence in M&A Processes
Sweden's post-pandemic economic recovery has spurred M&As. Cynode emphasises integrating cyber due diligence to address vulnerabilities, protect essential information, and optimise security spending, enhancing the security posture before, during and after M&As.