SIEM systems: Using analytics to reduce false positives

Security information and event management (SIEM) systems are notorious for issuing false alarms or warning security users of events that represent normal usage -- not threats.

A Ponemon Institute study, released in January, outlined the scope of the ‘false positives’ problem: Large organizations received about 17,000 malware alerts every week only 19% of which were reliable.

Paring down that problem is a key benefit of analytics, according to David Bianco, a security architect for security-intelligence firm Sqrrl Data, Inc., and former hunt-team leader at incident response firm Mandiant. 

You need analytics when humans cannot read the logs, which, nowadays, is just about always. 

David Bianco, security architect, Sqrrl Data, Inc. 

“You need analytics when humans cannot read the logs, which, nowadays, is just about always,” he said.

The addition of analytics to traditional SIEM systems generally focuses on prioritizing alerts and increasing the chances that they represent  potential threats. An EMA research study found that 90% of organizations were able to reduce their false positives using security analytics.

With analytics, security analysts and SIEM administrators can increase the quality of their alerts in several ways:

• Corroborate events and alerts
• Incorporate lessons from the hunt
• Gain context via global threat intelligence

Using analytics to match events and alerts based on a common user, machine, process or file can help the truly suspicious incidents bubble up to the top of the analyst’s priority list. An administrator logged into a variety of systems, an application contacting a server in China, or a process eating up CPU time may all be valid alerts, but an admin user logged into multiple machines all contacting a server in China and having high utilization should be at the top of a security analyst’s priority list.

Michael Ables, a senior network systems analyst at Tarleton State University, spent 80 hours a week collecting and analyzing logs, before his department moved to a LogRhythm SIEM system that included analytics. The new system helped him find the higher priority threats.  

“There were a couple of [misconfigured] servers on our networks that appeared normal, because they weren’t normally a security threat, and our system helped us find that,” Ables said.

Keeping up with the attackers means that analysts have to learn what is happening on their network and then use that information to determine which alerts represent actionable threats. Regularly hunting down these issues allows analysts to learn about new indicators of compromise and what is normal -- and abnormal -- activity in their environment.

While it is hard to ask questions of most SIEMs, which are historically architected for a high ingestion rate and efficient automatic correlation, using an analysis component or system to hunt down threats can increase the agility of corporate security teams. Rather than trusting an alert, hunting allows security analysts to ask a lot of questions and learn from the attackers.

“It’s an iterative analytic process that requires fast search and incorporating the lessons from the hunt back into the SIEM product,” said former hunt team leader Bianco.

Security analysts also need to incorporate the wisdom of the crowd by using threat intelligence to add detection capabilities and indicators of compromise to their SIEM system. Analyzing current threats and techniques can give hunt teams an idea of where to look and security professionals a way to prioritize certain threats.

About the author: 
Robert Lemos is an award-winning technology journalist, who has reported on computer security and cybercrime for 17 years. He currently writes for several publications focused on information security issues.