In network security, one of the questions we frequently ask our clients and colleagues is, “if you had been hacked, would you know it?” The answer, surprisingly, is often not the one it should be. Some of the largest enterprise companies still place too much faith in the security of legacy systems. They trust hardware on the strength of a vendor's name, and they assume that their data isn’t worth anything to anyone but them. However, the reality is that systems are, and always will be, insecure. No matter what we do, there will always be someone, somewhere, looking for a way to access information, data, and systems that they shouldn’t be accessing.
As network security engineers, we do our best to stop them with firewalls, intrusion prevention systems, intrusion deception systems, malware and botnet detection, traffic monitoring, application-layer firewalls, and end-user education. But the attacks keep coming and, in spite of our best efforts, some are still successful and go unnoticed, sometimes for days, weeks, or months. Even a security-conscious company that logs EVERYTHING may not notice the intruder right away unless someone reviews every log file every single day and knows what to look for.
That’s what makes Event Correlation so important. Event Correlation looks at the log files from every system in your network that forwards them to the SIEM (Security Incident & Event Management System) and determines exactly what happened and when. Event Correlation is generally a feature built into a good SIEM. A good SIEM can examine flows, event logs from application servers, and events from switches, firewalls, IPS devices, and web filters. With all of that information, the SIEM builds a complete profile of everything an attacker touches. This is all great for a response AFTER an attack, to remediate a security issue, but how can it help during an incident?
A good SIEM with an Event Correlation engine will also be capable of generating alerts based on certain behaviors that might indicate a security issue. For example, if User A logs into a database from the office at 11:30am EST and a few minutes later logs into the same database from a remote location 10,000 miles away, there’s a very good chance that one of those logins is a security breach. As soon as the remote session is initiated, the SIEM begins tracking it, and an alert can be sent to the responsible admin, who can disable the account or terminate the connection. Some SIEMs can even do this automatically when integrated with certain security devices.
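The "impossible travel" rule above is simple enough to write down in full. The following is an added example, not code from the original post or from any SIEM product: it correlates consecutive logins per user, converts the distance between them into an implied travel speed, and raises an alert when that speed is beyond anything a human could manage. The 900 km/h threshold, the field layout and the sample events (New York office, then Sydney four minutes later) are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumed threshold: roughly airliner cruise speed

@dataclass(frozen=True)
class LoginEvent:
    user: str
    timestamp: datetime  # timezone-aware, so logs from different zones compare correctly
    source: str          # analyst label, e.g. "office" or "remote"
    lat: float
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two coordinates."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def find_impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Correlate consecutive logins per user; return (prev, cur, km, km/h) for implausible pairs."""
    alerts, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e.timestamp):
        prev = last_seen.get(ev.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.timestamp - prev.timestamp).total_seconds() / 3600.0
            # Same-second logins from two distinct places are still impossible: infinite speed.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append((prev, ev, km, speed))
        last_seen[ev.user] = ev
    return alerts

# Constructed sample events (11:30 EST is 16:30 UTC). user_a is the article's scenario,
# New York office then Sydney; user_b is a benign New York -> Boston trip five hours apart.
SAMPLE_EVENTS = [
    LoginEvent("user_a", datetime(2024, 3, 4, 16, 30, tzinfo=timezone.utc), "office", 40.7128, -74.0060),
    LoginEvent("user_a", datetime(2024, 3, 4, 16, 34, tzinfo=timezone.utc), "remote", -33.8688, 151.2093),
    LoginEvent("user_b", datetime(2024, 3, 4, 16, 40, tzinfo=timezone.utc), "office", 40.7128, -74.0060),
    LoginEvent("user_b", datetime(2024, 3, 4, 21, 40, tzinfo=timezone.utc), "remote", 42.3601, -71.0589),
]

def demo_alerts():
    """Run the correlation over the constructed events; only user_a should trigger."""
    return find_impossible_travel(SAMPLE_EVENTS)
```

In a real deployment the coordinates come from a GeoIP lookup on the source address, and the threshold should be tuned against known VPN egress points, which are the usual source of false positives for this rule.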
Make sure that when your network is breached, you’re able to act quickly, and that you have the proper Security Incident & Event Management System in place to help you both stop the attacker in their tracks and prevent them from accessing your systems again.