SOAR

Do you collect error and event logs from your systems?  Why?

Some might say ‘because we are supposed to’ or ‘so that we can perform post-event analysis’.  A few might say that they actively review them.  I recall telling my internal auditors we simply do not have the manpower to review logs on a regular basis…but they are available in case we need to perform an investigation.  Yes, my team would occasionally look at server event logs as a health check, but it is simply unrealistic for a small team, who are already time-strapped, to proactively review logs.

Along came Security Information and Event Monitoring (SIEM) technology, which promised that the solution could actively parse logs and correlate potential security issues.  However, it is my opinion that the technology providers over-promised and under-delivered.  Many companies implemented a SIEM for compliance reasons but have come to realize that the number of alerts generated is overwhelming.  It has simply become noise that often gets ignored.  These systems require constant tuning to minimize the noise and surface the true alerts that require action.

Up next was User Behavior Analytics (UBA) and User and Entity Behavior Analytics (UEBA) technology, which uses machine learning to automatically build a baseline of normal user and device activity.  These systems attempt to automatically correlate unusual activity (based on logs) and alert IT when action is required.  They also provide the depth of forensic information needed to quickly determine what happened and who or what was compromised.  While this is a big step forward in reducing the noise of false positives, what happens if the alert is generated in the middle of the night and your on-call person is fast asleep?

Cyber security defenses continue to evolve and improve.  The next iteration in proactive log monitoring and event correlation is Security Orchestration, Automation and Response (SOAR), which builds on SIEM and UEBA.  SOAR systems take those logs, the automatic correlation rules and the understanding of ‘normal activity’ and, instead of alerting IT to spring into action, can automatically respond to and manage events.  This sounds a little ‘Big Brotherish’; however, if configured correctly, the technology can be set to automatically manage minor events.  This can drastically reduce the time lost on simple or monotonous tasks, freeing the team to focus on threat hunting and on managing the larger events that require human insight.
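To make the three layers described above concrete (a UEBA-style baseline of normal logins, SIEM-style correlation rules, and a SOAR-style playbook that handles minor findings on its own and pages a human for the rest), here is an added example that is not part of the original post and does not reflect any particular vendor's product. The log format, host and user names, thresholds and action names are all constructed for illustration; the response actions are returned as labels rather than executed.

```python
"""Toy SIEM/UEBA/SOAR pipeline over constructed authentication logs (example only)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed key=value log format; not captured from any real system.
LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)

@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    event: str
    result: str
    src: str

@dataclass
class Baseline:
    hosts: set = field(default_factory=set)   # hosts the user normally logs in to
    hours: set = field(default_factory=set)   # UTC hours the user normally logs in at

def parse(lines):
    """Parse the constructed log format; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            ts = datetime.fromisoformat(d.pop("ts").replace("Z", "+00:00"))
            events.append(Event(ts=ts, **d))
    return events

def build_baseline(events):
    """UEBA stage: learn each user's normal hosts and login hours from past successes."""
    base = defaultdict(Baseline)
    for e in events:
        if e.event == "login" and e.result == "success":
            base[e.user].hosts.add(e.host)
            base[e.user].hours.add(e.ts.hour)
    return base

FAIL_THRESHOLD = 5     # hypothetical: failures within the window that make a success suspicious
WINDOW_SECONDS = 300

def correlate(events, baseline):
    """SIEM stage: return (event, reasons) for successful logins that deviate from baseline."""
    findings = []
    recent_failures = defaultdict(list)
    for e in sorted(events, key=lambda x: x.ts):
        if e.event != "login":
            continue
        if e.result != "success":
            recent_failures[e.user].append(e.ts)
            continue
        window = [t for t in recent_failures[e.user]
                  if (e.ts - t).total_seconds() <= WINDOW_SECONDS]
        recent_failures[e.user] = []
        reasons = []
        b = baseline.get(e.user)
        if b is None:
            reasons.append("no-baseline")
        else:
            if e.host not in b.hosts:
                reasons.append("new-host")
            if e.ts.hour not in b.hours:
                reasons.append("off-hours")
        if len(window) >= FAIL_THRESHOLD:
            reasons.append("success-after-repeated-failures")
        if reasons:
            findings.append((e, reasons))
    return findings

def severity(reasons):
    """Hypothetical scoring: a success after a failure burst is always high."""
    if "success-after-repeated-failures" in reasons:
        return "high"
    if "no-baseline" in reasons or len(reasons) > 1:
        return "medium"
    return "low"

def playbook(finding):
    """SOAR stage: minor findings get a cheap, reversible automated action; high ones go to a human."""
    e, reasons = finding
    sev = severity(reasons)
    if sev == "high":
        action = "page_oncall"                      # human insight required
    elif sev == "medium":
        action = "revoke_sessions_and_open_ticket"  # contain, then let an analyst review
    else:
        action = "require_step_up_mfa"              # no analyst time spent
    return {"user": e.user, "host": e.host, "severity": sev, "reasons": reasons, "action": action}

def run(baseline_lines, live_lines):
    baseline = build_baseline(parse(baseline_lines))
    return [playbook(f) for f in correlate(parse(live_lines), baseline)]

# Constructed sample data: a quiet baseline week, then one day of live events.
BASELINE_LOGS = [
    "2024-03-01T08:02:11Z host=web01 user=alice event=login result=success src=10.0.1.20",
    "2024-03-01T13:40:09Z host=web01 user=alice event=login result=success src=10.0.1.20",
    "2024-03-02T08:11:54Z host=web01 user=alice event=login result=success src=10.0.1.20",
    "2024-03-01T09:00:30Z host=db01 user=bob event=login result=success src=10.0.1.31",
    "2024-03-02T17:22:03Z host=db01 user=bob event=login result=success src=10.0.1.31",
    "2024-03-01T10:15:00Z host=vpn01 user=carol event=login result=success src=198.51.100.8",
]
LIVE_LOGS = [
    "2024-03-06T08:05:17Z host=web01 user=alice event=login result=success src=10.0.1.20",
    "2024-03-06T03:00:01Z host=db01 user=bob event=login result=failure src=203.0.113.7",
    "2024-03-06T03:00:22Z host=db01 user=bob event=login result=failure src=203.0.113.7",
    "2024-03-06T03:00:48Z host=db01 user=bob event=login result=failure src=203.0.113.7",
    "2024-03-06T03:01:15Z host=db01 user=bob event=login result=failure src=203.0.113.7",
    "2024-03-06T03:01:40Z host=db01 user=bob event=login result=failure src=203.0.113.7",
    "2024-03-06T03:02:10Z host=db01 user=bob event=login result=success src=203.0.113.7",
    "2024-03-06T10:20:00Z host=fileshare01 user=carol event=login result=success src=198.51.100.8",
    "2024-03-06T11:00:00Z host=web01 user=dave event=login result=success src=10.0.1.44",
    "this line is deliberately malformed and will be skipped",
]

if __name__ == "__main__":
    for r in run(BASELINE_LOGS, LIVE_LOGS):
        print(r)
```

Alice's normal morning login produces nothing, Carol's login from a never-seen host gets a step-up MFA challenge with no analyst involved, Dave (no baseline yet) is contained and ticketed, and Bob's success right after a burst of failures at 03:02 is the one case that wakes the on-call person, which is the triage the paragraph above describes.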

The moral of this story…don’t stop logging.  Logs provide valuable insight into what is taking place within your IT environment.  Too many organizations are not taking advantage of this information.

Do more with those logs.