Corporate security strategies have evolved to take into account their growing needs in terms of automation of compliance reports, incident detection and especially incident response. They increasingly rely on teams of experts, SOCs (for Security Operations Center) and specific tools to support their processes.
In SOCs, the daily analytical tools are continually being upgraded to adapt to the changing nature of cyber threats, particularly with increasingly sophisticated methods of attack, as is the case with phishing. Among these tools, one stands out as central: the SIEM, or Security Information and Event Management.
Let’s first take the time to understand how a SIEM works before focusing on how it can be used to optimally block these new phishing attacks.
The value of a SIEM
A SIEM is a system for management of information and security events. To begin with, it is a tool that collects all traces (logs) of the activities of the different components of the infrastructure, then sorts and stores them. This centralization of data, and in particular data relating to security events, gives the SIEM a potential ability to detect attacks that would have gone unnoticed despite the presence of high-performance equipment such as EDR software (for Endpoint Detection and Response). An EDR can identify known security vulnerabilities (especially from CVEs) but unfortunately does not have a global view of an attack.
Some SIEMs can claim to block new attacks (if they are still in progress), since the correlation of information from all applications, all user behaviors and all access to internal or even external data, shows anomalies.
Although SIEMs have existed for many years, the first ones only targeted large enterprises with substantial resources and large teams of analysts (SOC). However, recent strengthening of SIEMs with supplementary tools such as SOAR (Security Orchestration Automation & Response) tools have enabled the emergence of SIEMs adapted to smaller sized businesses.
Today there are SIEMs in different forms: software to be deployed locally, physical or virtual dedicated appliances or cloud-based services. The SOC is therefore no longer necessarily located within the company, but can be rented as an external service, for better cost control. In addition, many SIEMs are enriched in a modular way, with dedicated Marketplaces, which aim to strengthen the analysis and treatment of data by expert tools, adapted to the specific needs of an organization. It should be remembered that a SIEM only makes sense if its design is entirely inspired by the specificities of an organization. In other words, the effectiveness of SIEMs is intimately linked to the specific hierarchy of collection agents, the choice of priorities for the inspection of events and the weighting of anomalies. The work of administrators is essential to develop a system profile and to identify abnormal operating conditions. Indeed, a statistical correlation engine, even the most powerful, will not yield any usable results if the tool is not correctly calibrated.
Supplementing SIEMs, to strengthen SOC performance
Once the SIEM has been set up, it is then able to correlate the log data of a whole list of hosts, reconstruct a chronology of events, then determine the nature of the attack and assess the consequences, all in near real-time. But given the enormous quantity of data to be processed, and the continuously growing amount of information related to activity traces, simple traditional statistical analysis of SIEMs is no longer sufficient.
Fortunately, the SIEM today can go further, provided that it is associated with:
– UEBA tools, which include analysis of the behavior of each user and each entity
– SOAR tools, which rely on all available analyses to conduct a form of security orchestration and propose an automated response to each type of incident.
In this way, and following centralization of all the signals by the SIEM, the UEBA and SOAR tools add to the traditional statistical analysis a considerable increase in terms of effectiveness of incident response.
SOAR tools in particular can save time and resources and can absorb incident overload, but there is more. SOAR tools will accelerate the containment of threats and reduce the magnitude of potential damage, without altering the architecture of the system in place. In two words, they strengthen system resilience, and this is a fundamental notion in the field of cybersecurity.
SOAR & SIEM: working together to combat phishing, in real time
To give a concrete example of orchestration of security and automation of the response, let’s take some known players in the SIEM world: ArcSight, Rapid7, Mandiant, Splunk, Demisto or even Siemplify. Each of these allow integration of applications to strengthen statistical analyses. Let’s focus on a classic and recurring problem: phishing attacks, with an imperative need to improve detection of new phishing URLs. The simplest way to integrate new functionalities would be to create a new “playbook”, or modify an existing scenario. Writing of a playbook is the concrete manifestation of the desired orchestration, and in this case a playbook intended for detecting phishing can be improved with the integration (in the form of an API, for example) with an external information source. One can even imagine querying several reliable sources of different information.
Recall that phishing is a complex threat, based on identity theft, with web links that can sometimes be very difficult to identify. The methods of creating phishing pages and the methods to attract the target are becoming increasingly advanced. It is therefore preferable to be equipped with all useful sources of information, in addition to local analyses.
Within the SIEM, web links can be extracted from email streams, internal browsing or instant messages. For the SIEM this represents a substantial number of links and pages to check, all in real time. But it is a critical subject which is of great interest to the SOC and which necessitates the most accurate and rapid response possible, without the risk of error.
And yet, in terms of quality of the data relating to phishing, we find ourselves confronting a major challenge, because the web pages are perfectly imitated, malicious code is being masked better and better, and the links often appear harmless, even to a watchful eye. It is preferable to have reliable and high-performance analytical tools that are dedicated to phishing.
Although with SOAR tools it is possible to incorporate several databases referencing phishing URLs, it is now recommended to add to these dedicated tools, which are not content to consult a list, but which will explore in real time the URLs submitted to analyze the content, using machine learning algorithms trained to recognize phishing pages. In this case, the fight against phishing is assisted by artificial intelligence, in the form of tools that can easily be called upon in a playbook.
AI, indispensable to detect phishing URLs
At the end of the day, the challenge for the SIEM is rather in the realization of a solution best adapted to cyberattacks, and that reduces the human workload of SOCs to a reasonable level, while offering a personalized formula closer to the specific needs of the company’s security strategy.
Moreover, artificial intelligence certainly has an important role to play in processing data for a SIEM, for example to combat phishing, because too few solutions today allow automation and orchestration of the response to phishing, incorporating algorithms for identifying these pages. Integrating machine learning algorithms that can explore every suspect page in real time would instantly make SOCs more effective.
The maturity of SIEMs undoubtedly includes integration of AI, and this is good news: the company will now be able to have a real method of risk anticipation, where security has long been struggling to find a solution.
As Guillaume Poupard announced at the Assises de la Sécurité this year, risk management methods have developed to adapt to the attack methods, and the collaboration between experts, decision-makers and professions offer many very promising possibilities. Combining different analyses within a SIEM is very concrete proof.