
Security Information and Event Management

Intrusion Detection Systems (IDS) have long been the primary technical detective control wielded by organizations. Though the importance of IDS has not waned, organizations now appreciate that many more sources of data beyond the IDS can provide valuable information. Each of these disparate sources provides data of value on its own; organizations increasingly see additional value in being able to correlate data from multiple sources more efficiently.

Security Information and Event Management (SIEM) is the primary tool used to ease the correlation of data across disparate sources. Correlation of security-relevant data is the primary utility provided by a SIEM. The goal of correlation is context: activity noted across various security platforms, taken together, yields a greater understanding of risk within the organization than any single source does. While SIEMs typically come with some built-in alerts that look for particular correlated data, custom correlation rules can be created to augment the built-in capabilities.

Successfully gaining intelligence through the correlation of data necessarily implies access to multiple data sources. While the threat detection use case of a SIEM is viable, the volume of data that must be collected to support correlation can be vast. Because most SIEMs consolidate so much data, they are also frequently used for a second purpose: demonstrating regulatory compliance more easily and more convincingly.
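As an added illustration of a custom correlation rule (example code, not from this text or any particular SIEM product), the following Python joins two constructed feeds, an authentication log and an IDS alert feed, that have already been normalized to one hypothetical schema. Neither feed alone is alarming: a handful of failed logins is routine noise, and a single IDS signature fires constantly. The rule only alerts when a burst of failures is followed by a success for the same user and source address and an IDS alert from that address lands shortly after, which is the kind of context a single tool cannot supply.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (all users, addresses and timestamps are made up).
# Two disparate sources, normalized to a single hypothetical schema.
EVENTS = [
    {"src": "auth", "ts": "2024-05-01T08:00:05", "user": "alice", "ip": "203.0.113.7", "outcome": "fail"},
    {"src": "auth", "ts": "2024-05-01T08:00:20", "user": "alice", "ip": "203.0.113.7", "outcome": "fail"},
    {"src": "auth", "ts": "2024-05-01T08:00:41", "user": "alice", "ip": "203.0.113.7", "outcome": "fail"},
    {"src": "auth", "ts": "2024-05-01T08:01:02", "user": "alice", "ip": "203.0.113.7", "outcome": "success"},
    {"src": "ids",  "ts": "2024-05-01T08:03:30", "ip": "203.0.113.7", "sig": "internal port sweep"},
    # bob: one typo then success, same IDS signature -> should NOT correlate
    {"src": "auth", "ts": "2024-05-01T09:15:00", "user": "bob", "ip": "198.51.100.4", "outcome": "fail"},
    {"src": "auth", "ts": "2024-05-01T09:15:30", "user": "bob", "ip": "198.51.100.4", "outcome": "success"},
    {"src": "ids",  "ts": "2024-05-01T09:16:00", "ip": "198.51.100.4", "sig": "internal port sweep"},
]


def correlate(events, window=timedelta(minutes=10), fail_threshold=3):
    """Custom correlation rule: at least `fail_threshold` failed logins for one
    (user, ip), then a success for that pair, then an IDS alert from the same ip,
    all within `window`. Returns one alert dict per matching (user, ip)."""
    events = sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))
    ids_by_ip = defaultdict(list)          # ip -> timestamps of IDS alerts
    for e in events:
        if e["src"] == "ids":
            ids_by_ip[e["ip"]].append(datetime.fromisoformat(e["ts"]))

    fails = defaultdict(list)              # (user, ip) -> timestamps of failures
    alerts = []
    for e in events:
        if e["src"] != "auth":
            continue
        key, t = (e["user"], e["ip"]), datetime.fromisoformat(e["ts"])
        if e["outcome"] == "fail":
            fails[key].append(t)
            continue
        # A success ends the burst: evaluate the rule, then reset the counter.
        recent = [f for f in fails.pop(key, []) if t - f <= window]
        if len(recent) < fail_threshold:
            continue
        ids_hits = [i for i in ids_by_ip[e["ip"]] if t <= i <= t + window]
        if ids_hits:
            alerts.append({"user": e["user"], "ip": e["ip"],
                           "failed_logins": len(recent), "success_at": e["ts"],
                           "ids_alert_at": ids_hits[0].isoformat()})
    return alerts
```

Running `correlate(EVENTS)` yields exactly one alert, for alice; bob's single failure falls below the threshold even though the same IDS signature fired from his address.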

User and Entity Behavior Analytics (UEBA)

Compromising legitimate end user systems and accounts represents a common goal of adversaries. Even the most limited user account possesses substantially greater access to our information systems than the external adversary has. While adversaries will employ exploitation when necessary, a common theme of almost every intrusion is the abuse of legitimate users. Even though detecting exploitation might seem rather difficult, historically that challenge pales in comparison to detecting an adversary wielding legitimate user accounts against our own information systems. User and Entity Behavior Analytics (UEBA) specifically tries to solve the problem of identifying suspicious activity coming from our “trusted” users or systems.

UEBA attempts to discern normal behavior profiles for users and systems within our organization and then proactively alert us to suspicious deviations from the expected patterns of behavior. While conceptually simple, this approach to behavior analysis has proven a difficult challenge over the years. However, with advances both in the level of visibility into end-user-facing systems and in security-oriented applications of data science and machine learning, these systems have improved drastically.

Machine Learning and Artificial Intelligence (AI) Based Tools

Artificial Intelligence attempts to give software and systems the ability to function in a manner that has historically been thought to be available only to human intelligence. Learning is one of those characteristics previously thought reserved for human intelligence, and it has long been a focus of study within artificial intelligence. “Machine Learning is the study of computer algorithms that improve automatically through experience” [9]. Machine Learning algorithms require vast quantities of training data, which the algorithm processes with the goal of being able to discern information as a human intelligence would. AI and ML have many potential applications to information security. A fundamental goal has been to leverage these tools' capabilities to differentiate malicious activity from benign. Monitoring-oriented applications such as User and Entity Behavior Analytics (UEBA), Security Information and Event Management (SIEM), and general intrusion detection seem particularly well-suited to benefit from artificial intelligence and machine learning.