WHAT ARE SIEM SOLUTIONS?
Security Information and Event Management (SIEM) solutions make investigating large amounts of data easier and faster
for administrators. SIEM solutions collect logs and traffic from across the enterprise and format the data to allow for
efficient searching and correlation. Additionally, SIEMs can provide alerting, basic incident response (IR), dashboards,
and reporting, and integrations for data enrichment. Without a SIEM solution, analysts would have to log in to multiple
devices to manually search and correlate hundreds of logs and events. But SIEM solutions oversee an organization’s
most critical network and host data, and a compromised SIEM allows a threat actor to monitor defenders in order to stay
in. As a critical nerve-center of the network, a SIEM must be properly secured.
RISK
Although SIEMs are great for log aggregation and correlation, threat detection, and incident response, they can also pose
a security risk if not properly hardened. A 2018 report from Carbon Black reported that 72% of IR professionals saw log
destruction—such as deletion of antivirus and security logs—during attacks [1]. While a SIEM can help mitigate log
destruction by exporting logs from their original locations, if poorly secured it can be an attractive target for an attacker
looking to delete critical logs to cover their tracks.
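Log destruction of the kind described above leaves a visible trace in the SIEM itself: a source that was reporting steadily goes quiet. The following Python is an added example, not part of the original guidance. It scans forwarded log lines, records the last event seen from each source, and alerts on any source that has reported at least a minimum number of events but nothing within a chosen silence window, attaching the last message received so an analyst can see what happened just before the gap. The log lines, hostnames, and addresses are constructed, and the ten-minute window and two-event minimum are assumptions to tune per source.

```python
"""Flag SIEM log sources that have gone silent, a common sign of log
destruction or collector tampering. Added example; not from the guidance."""
from datetime import datetime, timedelta

# Constructed sample lines in "<ISO timestamp> <host> <message>" form.
# Hostnames, addresses, users and commands are invented for this example.
SAMPLE_LOGS = """\
2024-05-01T10:00:05Z srv-db01 sshd[1201]: Accepted publickey for svc_backup
2024-05-01T10:00:12Z srv-web01 nginx: 203.0.113.9 GET /login 200
2024-05-01T10:01:40Z srv-db01 sudo: svc_backup : TTY=pts/0 ; COMMAND=/bin/ls /var/log
2024-05-01T10:02:02Z srv-web01 nginx: 203.0.113.9 POST /login 302
2024-05-01T10:03:15Z srv-db01 sudo: svc_backup : TTY=pts/0 ; COMMAND=/usr/bin/rm /var/log/audit/audit.log
2024-05-01T10:10:09Z srv-web01 nginx: 198.51.100.4 GET / 200
2024-05-01T10:20:33Z srv-web01 nginx: 198.51.100.4 GET /health 200
"""


def parse_line(line):
    """Return (timestamp, host, message) for one line, or None if it does not parse."""
    parts = line.split(" ", 2)
    if len(parts) != 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts, parts[1], parts[2]


def last_event_per_source(lines):
    """Map host -> (event count, latest timestamp, message at that timestamp)."""
    seen = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the sweep
        ts, host, msg = parsed
        count, last_ts, last_msg = seen.get(host, (0, None, None))
        if last_ts is None or ts > last_ts:
            last_ts, last_msg = ts, msg
        seen[host] = (count + 1, last_ts, last_msg)
    return seen


def find_silent_sources(lines, now=None, max_gap=timedelta(minutes=10), min_events=2):
    """Return {host: {"last_seen", "gap", "last_message"}} for each source that
    sent at least min_events events but nothing within max_gap of `now`.
    `now` defaults to the newest timestamp in the batch (assumption for offline use)."""
    per_source = last_event_per_source(lines)
    if not per_source:
        return {}
    if now is None:
        now = max(last_ts for _, last_ts, _ in per_source.values())
    alerts = {}
    for host, (count, last_ts, last_msg) in per_source.items():
        gap = now - last_ts
        if count >= min_events and gap > max_gap:
            alerts[host] = {"last_seen": last_ts, "gap": gap, "last_message": last_msg}
    return alerts


if __name__ == "__main__":
    for host, info in find_silent_sources(SAMPLE_LOGS.splitlines()).items():
        print(f"ALERT {host}: silent for {info['gap']} since {info['last_seen']:%H:%M:%S}; "
              f"last event: {info['last_message']}")
```

On the constructed data the web server keeps reporting while the database host falls silent right after a command that removed an audit log, which is exactly the context the analyst needs. In production the silence window should be derived from each source's normal event rate, and the check must run on the SIEM's own retained copy of the logs, since the point of exporting logs off the host is that the originals may already be gone.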
If an attacker gains access to an organization’s SIEM solution or collects unencrypted traffic from it, then the
organization’s critical network information is exposed. This critical network information can be IP addresses and domain
names of critical assets, usernames, operating systems (OS), services running, etc. Many SIEMs integrate with
vulnerability scanners to import and correlate device vulnerability data with event data. The attacker will know what
attacks are most likely to work because the SIEM has told them what assets the organization has, the location of each
asset, and what vulnerabilities it may have. Additionally, they may cover their tracks by deleting certain logs or events.
They will also be privy to any actions in the SIEM indicative of incident response actions such as evictions, allowing them
to take evasive action. Advanced attackers are very difficult to prevent, detect, and evict. Each security measure taken
can be circumvented in one way or another; therefore, a single security measure is not enough to protect against an attacker.
Securing an organization’s SIEM solution is important to protect the organization and its assets.
SECURING THE SIEM
An attacker may try to gain physical or remote access to an organization’s SIEM solution. Possible goals include stealing
information about the organization to plan an attack and preventing administrators from detecting the attack. SIEM
administrators must take security measures to protect the SIEM hardware, software, and data from any angle of attack.
Secure the Physical Hardware
If an attacker gains access to an organization’s SIEM appliance, they may be able to connect removable media such as a
USB device to exfiltrate data or install malware such as a keystroke logger. While unlikely, they may even try to destroy
evidence by physically stealing or damaging the hardware, thus preventing security personnel from using the SIEM to
see the attacker’s actions. Ensure the hardware is in a locked server rack in a locked room. Limit room and rack access to
only authorized personnel.
Secure the Operating System
Vulnerabilities in the OS running a SIEM product could provide attackers a way into the SIEM. Ensure the host-based
firewall is on and blocking unnecessary ports. Limit Internet access into the SIEM appliance. If third-party integration (such
as cloud reputation lookup or other services) is required, then closely constrain connections from the SIEM to known
services. Remove unnecessary programs and turn off unnecessary services. Utilize patch management to ensure the OS
and software are getting regular security updates. Run anti-malware software on the OS. Enforce applicable OS security
policies. Furthermore, ensure accounts on the OS are secure (see the account and password suggestions in the Secure the
Instance section). Take a baseline of the OS to identify unauthorized changes and maintain a configuration backup.
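Two of the measures above, constraining the SIEM's outbound connections to known services and baselining the OS to catch unauthorized changes, can be checked mechanically. The following Python is an added example, not part of the original guidance or any SIEM product. It hashes every file under a configuration root into a baseline, stores the baseline as JSON, and reports files that were added, removed, or modified since; a second function compares observed outbound connections against an allow-list of known service endpoints. The `demo()` function builds a constructed configuration tree in a temporary directory, tampers with it, and returns the drift report; all file names, contents, and addresses in it are invented for this example.

```python
"""Baseline a SIEM host's configuration, report drift, and check outbound
connections against a known-service allow-list. Added example; not from the guidance."""
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root):
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline; store it off the SIEM host so it cannot be edited along with the files."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare_baseline(old, new):
    """Classify drift between a stored baseline and a fresh scan."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
    }


def unexpected_egress(connections, allowed):
    """Return outbound connections whose (dst_ip, dst_port) is not an allow-listed known service.
    connections: iterable of (dst_ip, dst_port, process) tuples; allowed: set of (ip, port)."""
    return [c for c in connections if (c[0], c[1]) not in allowed]


def demo():
    """Constructed walkthrough: baseline a config tree, tamper with it, report the drift."""
    files = {  # constructed file set; contents are illustrative only
        "etc/siem/collector.conf": "listen=0.0.0.0:6514\ntls=required\n",
        "etc/siem/users.conf": "analyst:role=read\nadmin:role=admin\n",
        "etc/siem/audit.conf": "audit=on\n",
        "etc/ssh/sshd_config": "PasswordAuthentication no\n",
    }
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        for rel, content in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(content)
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(take_baseline(root), baseline_path)

        # Simulated unauthorized changes: a new account, a dropped-in cron job, a deleted audit config.
        with open(os.path.join(root, "etc/siem/users.conf"), "a") as f:
            f.write("svc_tmp:role=admin\n")
        os.makedirs(os.path.join(root, "etc/cron.d"))
        with open(os.path.join(root, "etc/cron.d/nightly"), "w") as f:
            f.write("0 3 * * * root /opt/updater\n")
        os.remove(os.path.join(root, "etc/siem/audit.conf"))

        return compare_baseline(load_baseline(baseline_path), take_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    known = {("203.0.113.10", 443)}  # constructed: the one approved reputation-lookup endpoint
    observed = [("203.0.113.10", 443, "siem-enrich"), ("198.51.100.7", 443, "siem-enrich")]
    print("unexpected egress:", unexpected_egress(observed, known))
```

The baseline is only as trustworthy as its storage: keep the JSON (or a signed copy of it) on a separate system, since an attacker who can change the configuration can usually also rewrite a baseline stored beside it. The egress check is a review aid, not enforcement; the host firewall rules that actually constrain connections should be derived from the same allow-list so the two cannot drift apart.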