Bitlyft blog

Written by Jason Miller | Mar 17, 2021 6:30:54 AM

Internet-based attacks on data networks employ an overwhelming variety of methods. Advanced persistent threats (APTs) exploit every possible weakness in their attempts to steal private data and use targeted systems for their own ends. New threats constantly appear, and old ones change to evade detection.

Even small business networks consist of more than a handful of machines. They all have different operating systems, applications, configurations, Internet connections, and roles. The information from all of them needs to come together intelligently to provide an overall security picture. Integrating so much information is beyond unaided human capabilities.

System and application logs are valuable, but the occasional indicator of a dangerous event is buried in thousands of lines of routine messages. IT managers have long recognized the need for software to coordinate information, identify significant events, and call administrators’ attention to threats. At the same time, they have to avoid a barrage of alerts if administrators are going to pay attention. They need to have the information boiled down to a form they can use.

Let’s take an in-depth look at how MITRE ATT&CK, SIEM, and SOC work together to make organizations and businesses more secure.

Cyber defense with SIEM

SIEM (security information and event management) software aims at these goals. It combines and correlates information from diverse sources on a network. The software analyzes that information and generates two kinds of output:

  1. It provides periodic reports on potentially hostile activity. These reports serve as a guide for strengthening security.
  2. It issues alerts when it detects active security issues. The cybersecurity team needs to look at what has happened and decide whether to take action.

SIEM systems are one leg of a tripod for automated threat detection and remediation. To work well, they need two supporting factors.

The first is a knowledge base of tactics, techniques, and procedures (TTPs). This information lets the software connect anomalous behavior to specific threats and identify the appropriate remedies. The second is a knowledgeable and experienced security operations center or SOC. Machines can’t do it all. Human intelligence and intuition are necessary to tell real threats from false alarms and to choose the best approach. Most breaches involve human error, and they require responsible reporting. A SOC is necessary for communicating issues to management and promoting strong security practices.

Early SIEM software was generally deployed on-premises. The trend today is to deploy it as a cloud service. That way it’s easier to keep up to date, and it can scale to deal with high-intensity hostile activity. Its functions include the following:

  • Data aggregation from multiple sources
  • Correlation of these sources
  • Use of threat intelligence to match data to threats
  • Monitoring of traffic metrics for abnormal activity
  • Measuring the severity of threats
  • Determining whether issuing an alert is warranted
  • Initiating automatic responses to threats
SIEM and ATT&CK

A SIEM system needs a solid base of information to achieve these goals. It needs to categorize threats, correlate activities that are part of the same threat, and provide specific information in its alerts. For example, there’s some value in detecting an SQL injection attack. To be really useful, though, the software should identify an attack pattern, its objective, and any available remediation. That allows an automated response or gives administrators enough information to take action.

Providing this level of information requires a thorough, regularly updated knowledge base with enough information to pinpoint the tools, techniques, and tactics used. BitLyft integrates its SIEM as a service (SIEMaaS) with the MITRE ATT&CK framework to generate detailed information about the threats that it discovers.
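The two passages above (the list of SIEM functions, and the point that a detection is only useful once it is tied to an attack pattern, objective, and remediation) can be made concrete with a small pipeline. The code below is an added example, not BitLyft's product or any real SIEM: it aggregates constructed web-server and SSH log lines from two sources, correlates them by source address inside a time window, matches the observed behaviour against a tiny assumed knowledge base keyed to real MITRE ATT&CK technique IDs (T1190 and T1110), scores severity, and decides whether the result warrants an alert or only belongs in a periodic report. The log lines, IP addresses, weights, thresholds, and remediation text are all this example's own assumptions.

```python
"""Toy SIEM pipeline: aggregate -> correlate -> ATT&CK match -> severity -> alert decision."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample log lines from two sources (not real traffic; documentation IP ranges).
WEB_LOG = [
    "2021-03-17T06:30:01 203.0.113.7 GET /login?user=admin%27%20OR%201%3D1-- 200",
    "2021-03-17T06:30:03 203.0.113.7 GET /products?id=1%20UNION%20SELECT%20x%20FROM%20t 500",
    "2021-03-17T06:30:05 198.51.100.9 GET /index.html 200",
]
AUTH_LOG = [
    "2021-03-17T06:31:10 sshd: Failed password for root from 203.0.113.7",
    "2021-03-17T06:31:12 sshd: Failed password for root from 203.0.113.7",
    "2021-03-17T06:31:14 sshd: Failed password for root from 203.0.113.7",
    "2021-03-17T06:31:20 sshd: Accepted password for root from 203.0.113.7",
    "2021-03-17T06:35:00 sshd: Failed password for alice from 192.0.2.44",
    "2021-03-17T06:35:02 sshd: Failed password for alice from 192.0.2.44",
    "2021-03-17T06:35:04 sshd: Failed password for alice from 192.0.2.44",
    "2021-03-17T06:40:00 sshd: Failed password for bob from 198.51.100.9",
]

# Assumed knowledge base for this example. The technique IDs and tactic names are real
# ATT&CK entries; the weights and remediation wording are illustrative choices.
ATTACK_KB = {
    "sqli": {"technique": "T1190", "name": "Exploit Public-Facing Application",
             "tactic": "Initial Access", "weight": 4,
             "remediation": "parameterize queries; review app and WAF logs for the source"},
    "bruteforce": {"technique": "T1110", "name": "Brute Force",
                   "tactic": "Credential Access", "weight": 3,
                   "remediation": "rate-limit/lock out, enforce MFA, reset affected credentials"},
}

WEB_RE = re.compile(r"^(\S+) (\S+) (\w+) (\S+) (\d{3})$")
AUTH_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
# Crude SQL-injection signature applied to the URL-decoded request path.
SQLI_RE = re.compile(r"'\s*or\s|union\s+select", re.IGNORECASE)


def parse_web(line):
    """Normalize one web-server line into a common event shape (or None if it does not parse)."""
    m = WEB_RE.match(line)
    if not m:
        return None
    ts, ip, _method, path, _status = m.groups()
    kind = "sqli" if SQLI_RE.search(unquote(path)) else "web_request"
    return {"ts": datetime.fromisoformat(ts), "src": "web", "ip": ip, "kind": kind}


def parse_auth(line):
    """Normalize one sshd line; failures and successes become distinct event kinds."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts, result, _user, ip = m.groups()
    kind = "auth_fail" if result == "Failed" else "auth_ok"
    return {"ts": datetime.fromisoformat(ts), "src": "auth", "ip": ip, "kind": kind}


def aggregate(sources):
    """Data aggregation: parse every source and merge into one time-ordered event stream."""
    events = []
    for parser, lines in sources:
        events.extend(e for e in map(parser, lines) if e)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(minutes=15), fail_threshold=3, alert_at=7):
    """Correlate by source IP, match against ATT&CK_KB, score severity, decide alert vs report."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    incidents = []
    for ip, evs in by_ip.items():
        start = evs[0]["ts"]
        evs = [e for e in evs if e["ts"] - start <= window]  # simple time bucketing
        techniques = set()
        if any(e["kind"] == "sqli" for e in evs):
            techniques.add("sqli")
        if sum(e["kind"] == "auth_fail" for e in evs) >= fail_threshold:
            techniques.add("bruteforce")
        if not techniques:
            continue  # routine activity: nothing to report for this address
        matched = [ATTACK_KB[t] for t in techniques]
        severity = sum(m["weight"] for m in matched)
        # A brute-force run followed by a successful login is far more serious than failures alone.
        if "bruteforce" in techniques and any(e["kind"] == "auth_ok" for e in evs):
            severity += 4
        incidents.append({
            "ip": ip,
            "techniques": sorted(m["technique"] for m in matched),
            "tactics": sorted(m["tactic"] for m in matched),
            "severity": severity,
            "action": "alert" if severity >= alert_at else "report",
            "remediation": [m["remediation"] for m in matched],
        })
    return incidents


def run_pipeline():
    """Full run over the constructed sample logs; returns the incident list."""
    return correlate(aggregate([(parse_web, WEB_LOG), (parse_auth, AUTH_LOG)]))


if __name__ == "__main__":
    for inc in run_pipeline():
        print(inc["action"].upper(), inc["ip"], inc["techniques"], "severity", inc["severity"])
```

Running it yields two incidents: the first address is flagged for both T1190 and T1110 with a successful login after the failures, which crosses the alert threshold; the second shows only a short brute-force run that stays in the periodic report. The address that generated one routine request and one failed login produces no incident at all, which is the point of having thresholds and a knowledge base rather than alerting on every anomaly.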