Every business requires a set of software tools to automate the mundane tasks of running it. The most important one among them is an enterprise-level Security Information and Event Management (SIEM) system. A SIEM solution helps organizations identify network security threats in real time. These systems are designed to capture and analyze logs and security information from multiple sources within a network, including routers, servers, data centers, mainframes and other devices connected to the network. SIEM systems give a big picture of what’s happening inside your organization.
In networking, no system can be called completely secure. Attackers constantly devise new ways to breach your network security. You need a detailed analysis of every breach so that the errors can be corrected before another attack. Moreover, when an incident occurs, you need to provide digital evidence in court, typically to prove compliance or to file a complaint against an attacker. A simple record of device logs is not enough. You need to think about forensic evidence.
By integrating forensic capabilities in your SIEM system, you can automate most of the work that goes into the forensic analysis of security logs. Integrating forensic features into your security solution also makes it more effective for your customers. In simpler terms, forensic analysis is the process of searching logs from different nodes and time periods in a network based on specific criteria. Your administrators don’t have to aggregate the log information manually, especially when they are searching through thousands and thousands of logs. Forensic analysis helps them identify any unusual activity or suspicious user behavior.
Key features of forensic analysis include:
- Analyzing the source of a security breach in a failed or compromised computer system
- Identifying policy violations, improper use of the network and who is behind all this activity
- Detecting advanced persistent threats (APTs) and determining how far they have spread, so that the affected systems can be isolated
- Providing legal proof of misuse of computer systems
Court admissibility is achieved by establishing the guidelines and procedures for log data protection recommended by your corporate legal advisor. We have compiled a list of requirements for having forensic features in your SIEM solution.
Data Security and Integrity:
Collection and real-time forensic analysis of data is not an easy task because the data has to be admissible in the courtroom. You need to protect your log data and ensure that it is not tampered with. You can secure your logs by:
- Storing a copy of every log entry unmodified
- Saving detailed information about security events in a backend database
- Having a procedure for periodic backup and restore
- Deploying an intrusion prevention mechanism on the system that stores log data, to block anyone from corrupting the logs
- Encrypting log data so that no one without the decryption key can read it
- Saving a digital signature from every system that modifies log data
- Limiting access to the centralized log collection systems to authorized persons only
- Having an access mechanism that uses employee IDs to record every person who accesses or modifies log data
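As an added example (not code from the original article), the following Python sketches a tamper-evident log store that combines several of the items above: it keeps each raw log line unmodified, records the ID of the writer, chains every record to the previous one by hash, and attaches an HMAC computed with a collector key as a stand-in for a per-system digital signature. The key, the record layout, the `append_entry`/`verify_chain` names and the sample log lines are all constructed for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed collector key for the HMAC "signature". A real deployment would
# keep the key in an HSM/KMS and use a per-system asymmetric signature instead.
COLLECTOR_KEY = b"constructed-demo-key-not-for-production"

GENESIS_HASH = "0" * 64  # previous-hash value used by the first record


def _canonical(body: dict) -> bytes:
    """Serialise a record body deterministically so its hash is reproducible."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def append_entry(chain: list[dict], raw_log: str, writer_id: str,
                 key: bytes = COLLECTOR_KEY) -> dict:
    """Append an unmodified raw log line as a new chained, signed record.

    The record stores the raw line, the writer's ID (the employee or system
    that wrote it), the previous record's hash, the hash of the record itself
    and an HMAC over that hash.
    """
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    body = {"seq": len(chain), "raw": raw_log, "writer": writer_id, "prev_hash": prev_hash}
    entry_hash = hashlib.sha256(_canonical(body)).hexdigest()
    signature = hmac.new(key, entry_hash.encode("utf-8"), hashlib.sha256).hexdigest()
    record = {**body, "hash": entry_hash, "sig": signature}
    chain.append(record)
    return record


def verify_chain(chain: list[dict], key: bytes = COLLECTOR_KEY) -> tuple[bool, int]:
    """Re-derive every hash and signature in order.

    Returns (True, -1) if the chain is intact, otherwise (False, i) where i is
    the index of the first record that fails: modified, reordered, inserted or
    removed-from-the-middle records all surface here.
    """
    prev_hash = GENESIS_HASH
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev_hash"] != prev_hash:
            return False, i
        body = {k: rec[k] for k in ("seq", "raw", "writer", "prev_hash")}
        expected_hash = hashlib.sha256(_canonical(body)).hexdigest()
        if not hmac.compare_digest(expected_hash, rec["hash"]):
            return False, i
        expected_sig = hmac.new(key, expected_hash.encode("utf-8"), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, rec["sig"]):
            return False, i
        prev_hash = rec["hash"]
    return True, -1


# Constructed sample log lines with the ID of the collector that wrote them.
SAMPLE_LOGS = [
    ("2024-03-09T20:45:07Z app-01 sshd: Accepted publickey for alice", "collector-01"),
    ("2024-03-09T20:45:12Z app-01 sudo: alice : COMMAND=/usr/bin/less /var/log/auth.log", "collector-01"),
    ("2024-03-09T20:46:30Z fw-01 DROP src=203.0.113.9 dst=10.0.0.5 dport=22", "collector-02"),
]


def build_sample_chain() -> list[dict]:
    """Build a chain from the constructed sample lines."""
    chain: list[dict] = []
    for line, writer in SAMPLE_LOGS:
        append_entry(chain, line, writer)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))
    chain[1]["raw"] = chain[1]["raw"].replace("alice", "bob")  # simulate tampering
    print("after edit:", verify_chain(chain))
```

A hash chain plus a signature detects modification, insertion and reordering of stored records, but not silent truncation of the tail: a copy with the last record dropped still verifies. Anchoring the latest hash (or the record count) somewhere the log host cannot rewrite, such as a separate store or a periodically signed checkpoint, closes that gap, and replacing the shared HMAC key with a per-system asymmetric signature lets the investigator identify the writing system from the signature itself.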
High Performance for Real-time Analysis:
With data being produced at an enormous rate, the SIEM solution in your company might produce hundreds of terabytes of log data each day. It should nevertheless be able to process all of that data in real time and separate or correlate events every second. This can be achieved by pairing your SIEM system with algorithms that can process data from multiple sources in real time. Algorithms such as dimension reduction, Isolation Forest and Random Forest help here.
For data to be admissible in court, it has to be accurate. The SIEM system should also report failures that occur while capturing and processing log data, because a failure in the SIEM system causes the log data to lose its accuracy, and it may then be rejected as evidence. Also, with so many events to correlate, the designers of the SIEM system may have built in assumptions, such as that a system is used only by its owner. Provide information about these assumptions so that no invalid assumption leads the forensic experts in the wrong direction.
Storage and Advanced Searching:
Long-term security data retention is critical in forensic investigations because the SIEM system needs to correlate events with past attempts to identify patterns. Therefore, ensure that you have enough storage to accommodate a large amount of log data. Along with storing it, the SIEM system should also have advanced algorithms for filtering data, because finding the needle (data relevant to a security breach) in a pile of log data is difficult.
Finally, your SIEM solution should document the logs and relevant data in a standardized format that is admissible in court. The time zone and timestamp of each log should be documented to help you and the forensic investigator align events on a timeline. The documentation must also describe what is being logged and how the log data is captured, stored, and analyzed.
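The following Python, added here as an example rather than taken from the article, shows the storage and searching side of the last two sections together: it parses constructed log lines from sources that report timestamps in different zones (including one device that logs without an offset), normalizes every event to UTC while keeping the original timestamp string for the record, orders the events on a single timeline, and filters them by host, keyword and time window. The line format, the per-source zone table, the function names and the sample events are assumptions made for this example.

```python
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Constructed sample events from four sources whose clocks report in
# different zones. Assumed line format: "<timestamp> <host> <message>".
SAMPLE_LOGS = [
    "2024-03-10T02:15:07+05:30 app-01 sshd: Failed password for root from 203.0.113.9",
    "2024-03-09T20:45:09Z fw-01 DROP src=203.0.113.9 dst=10.0.0.5 dport=22",
    "2024-03-09T15:45:12-05:00 db-01 auth: Accepted password for svc_backup",
    "2024-03-09T17:46:30 ad-01 4625 An account failed to log on: Account=root",
]

# Documented zone for sources that emit naive (offset-less) timestamps.
# Constructed for this example; it stands in for the SIEM's own source
# documentation described in the text.
SOURCE_OFFSETS = {"ad-01": timezone(timedelta(hours=-3))}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")


def to_utc(ts: str, host: str | None = None) -> datetime:
    """Convert an ISO-8601 timestamp to an aware UTC datetime.

    Offset-less stamps are accepted only when the source's zone is documented;
    guessing a zone would misplace the event on the timeline.
    """
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))  # 'Z' unsupported before 3.11
    if dt.tzinfo is None:
        if host not in SOURCE_OFFSETS:
            raise ValueError(f"no documented time zone for naive timestamp from {host!r}")
        dt = dt.replace(tzinfo=SOURCE_OFFSETS[host])
    return dt.astimezone(timezone.utc)


def build_timeline(lines: list[str]) -> list[dict]:
    """Parse lines into event records ordered by UTC time."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        host = m["host"]
        events.append({
            "raw_ts": m["ts"],              # original stamp, kept for the record
            "utc": to_utc(m["ts"], host),   # normalized for timeline alignment
            "host": host,
            "message": m["msg"],
            "raw": line,                    # unmodified line
        })
    events.sort(key=lambda e: e["utc"])
    return events


def search(events: list[dict], *, hosts=None, contains: str | None = None,
           start: str | None = None, end: str | None = None) -> list[dict]:
    """Filter events by host set, case-insensitive substring and UTC window.

    start/end are ISO-8601 strings carrying an offset (e.g. "...Z").
    """
    start_dt = to_utc(start) if start else None
    end_dt = to_utc(end) if end else None
    hits = []
    for e in events:
        if hosts and e["host"] not in hosts:
            continue
        if contains and contains.lower() not in e["message"].lower():
            continue
        if start_dt and e["utc"] < start_dt:
            continue
        if end_dt and e["utc"] > end_dt:
            continue
        hits.append(e)
    return hits


if __name__ == "__main__":
    for e in build_timeline(SAMPLE_LOGS):
        print(e["utc"].isoformat(), e["host"], e["raw_ts"], e["message"])
```

Refusing to parse an undocumented naive timestamp, rather than assuming the collector's local zone, is deliberate: a silently mis-placed event is exactly the kind of inaccuracy that gets log data rejected as evidence, and keeping `raw_ts` beside the normalized `utc` value lets an investigator show how each point on the timeline was derived.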