SIEM – Proactively Combating Cyber Threats and Monitoring Infrastructure Security

Published: 2025/05/22

End-user spending on information security worldwide is expected to reach $212 billion USD by 2025, reflecting a 15.1% increase from 2024, according to a new forecast by Gartner. For organizations seeking a comprehensive system that can cater to their diverse security and business needs – security information and event management (SIEM) can address the most crucial issues related to these challenges.

Read on to explore what SIEM (especially platforms like Wazuh and Splunk) can offer and learn how vital monitoring is in addressing security issues.

What is security information and event management (SIEM)?

SIEM is a crucial component of security monitoring that helps identify and manage security incidents. It correlates events and detects anomalies, such as an increased number of failed login attempts, using source data that consists primarily of logs collected by the SIEM system. Many SIEM solutions, such as Wazuh, also detect known vulnerabilities (tracked as Common Vulnerabilities and Exposures, CVE). Complex systems often employ artificial intelligence (AI) and machine learning (ML) to automate threat detection and response; Splunk, for instance, offers such a solution.

Figure: SIEM diagram – how SIEM can secure your business. Source: Software Mind

Thanks to its ability to correlate events, SIEM facilitates early responses to emerging threats. In today’s solutions, it is one of the most critical components of a SOC (Security Operations Center). SIEM also fits the requirements of the NIS2 directive and is one of the key ways to raise the level of security in an organization.

Furthermore, SIEM systems allow compliance verification against specific regulations, security standards and frameworks. These include PCI DSS (payment processing), GDPR (personal data protection), HIPAA (standards for the medical sector), NIST and MITRE ATT&CK (frameworks that support risk management and threat response), among others.

SIEM architecture – modules worth exploring

A typical SIEM architecture consists of several modules:

Data collection – gathering and aggregating information from various sources, including application logs, logs from devices such as firewalls, and logs from servers and workstations. A company can also feed data from cloud systems (e.g., Web Application Firewalls) into its SIEM. This step is typically implemented with agent software such as the Wazuh agent for the open-source Wazuh platform or the Splunk forwarder for the commercial Splunk platform.

Data normalization – converting data arriving in different formats into a single model and schema while preserving the original content. This makes it possible to prepare, and then compare, data from various sources.

Data correlation – detecting threats and anomalies based on normalized data. Comparing events with each other, either through user-defined rules or through automatic mechanisms (AI, ML), makes it possible to spot a security incident in the monitored infrastructure.

Alerts and reports – delivering information about a detected anomaly or security incident to the monitoring team and beyond, which is crucial for minimizing risk. For example, a SIEM system generates a report about a large number of brute-force attempts and, a moment later, registers higher than usual traffic to port 22 (SSH) together with further brute-force attempts. Taken together, these indicate that a threat actor (a person or organization trying to cause damage to the environment) has gotten into the infrastructure and is trying to attack more machines.
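The four modules above, and the brute-force-then-lateral-movement scenario in the last one, can be shown end to end in a few dozen lines. The following is an added example written for this article; it is not Software Mind's code and not code from Wazuh or Splunk. The sshd and firewall log lines, the host name web01, the IP addresses, the asset inventory and the thresholds are all constructed for illustration. It collects two log formats, normalizes them onto one schema (enriching the host name with its IP so the two sources can be joined), runs three correlation rules over the stream, and finally orders the resulting alerts by severity:

```python
"""Minimal SIEM pipeline: collect -> normalize -> correlate -> alert.
Added example, not Software Mind's, Wazuh's or Splunk's code. Hosts, IPs,
log lines, the asset inventory and the thresholds are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# 1. Collection: raw lines as an agent/forwarder would ship them (constructed).
SSHD_LOG = """\
2025-05-20T10:00:01Z web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51514 ssh2
2025-05-20T10:00:04Z web01 sshd[2102]: Failed password for admin from 203.0.113.7 port 51515 ssh2
2025-05-20T10:00:09Z web01 sshd[2103]: Failed password for root from 203.0.113.7 port 51516 ssh2
2025-05-20T10:00:12Z web01 sshd[2104]: Failed password for oracle from 203.0.113.7 port 51517 ssh2
2025-05-20T10:00:15Z web01 sshd[2105]: Failed password for root from 203.0.113.7 port 51518 ssh2
2025-05-20T10:00:20Z web01 sshd[2106]: Accepted password for root from 203.0.113.7 port 51519 ssh2
2025-05-20T10:30:00Z web01 sshd[2201]: Failed password for bob from 198.51.100.2 port 40000 ssh2
"""
FW_LOG = """\
2025-05-20T10:01:00Z fw01 kernel: ACCEPT SRC=10.0.0.11 DST=10.0.0.12 PROTO=TCP DPT=22
2025-05-20T10:01:01Z fw01 kernel: ACCEPT SRC=10.0.0.11 DST=10.0.0.13 PROTO=TCP DPT=22
2025-05-20T10:01:02Z fw01 kernel: ACCEPT SRC=10.0.0.11 DST=10.0.0.14 PROTO=TCP DPT=22
"""
# Enrichment: sshd names the host, the firewall logs IPs; a (constructed) asset
# inventory joins the two so events from both sources can be correlated.
ASSET_IPS: Dict[str, str] = {"web01": "10.0.0.11"}

SSHD_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
                     r"password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) kernel: (?P<action>ACCEPT|DROP) "
                   r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=\S+ DPT=(?P<dpt>\d+)")

@dataclass
class Event:
    """2. Normalized schema shared by every source; `raw` keeps the original line."""
    ts: datetime
    host: str
    category: str                  # auth_fail | auth_ok | net_conn
    src_ip: str
    user: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    raw: str = ""

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_line(line: str) -> Optional[Event]:
    """Map one raw line from either source onto the common schema."""
    m = SSHD_RE.match(line)
    if m:
        cat = "auth_fail" if m["result"] == "Failed" else "auth_ok"
        return Event(_ts(m["ts"]), m["host"], cat, m["ip"], user=m["user"], dst_port=22, raw=line)
    m = FW_RE.match(line)
    if m and m["action"] == "ACCEPT":
        return Event(_ts(m["ts"]), m["host"], "net_conn", m["src"],
                     dst_ip=m["dst"], dst_port=int(m["dpt"]), raw=line)
    return None                    # unknown format: a real SIEM would queue it for review

def normalize(*sources: str) -> List[Event]:
    events = [ev for text in sources for ev in map(parse_line, text.splitlines()) if ev]
    return sorted(events, key=lambda e: e.ts)

def correlate(events: List[Event], threshold: int = 5,
              window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """3. Correlation rules over the normalized stream; each hit becomes an alert."""
    alerts: List[dict] = []
    fails: Dict[str, List[datetime]] = defaultdict(list)   # attacker IP -> failure times
    brute_forced: Dict[str, datetime] = {}                 # attacker IP -> when flagged
    compromised: Dict[str, datetime] = {}                  # victim IP -> when
    fanout: Dict[str, set] = defaultdict(set)              # victim IP -> SSH targets
    for e in events:
        if e.category == "auth_fail":
            bucket = fails[e.src_ip]
            bucket.append(e.ts)
            while e.ts - bucket[0] > window:               # slide the time window
                bucket.pop(0)
            if len(bucket) == threshold:                   # fires once per burst
                brute_forced[e.src_ip] = e.ts
                alerts.append({"rule": "ssh_bruteforce", "severity": 7, "ts": e.ts,
                               "src_ip": e.src_ip, "host": e.host})
        elif e.category == "auth_ok":
            t = brute_forced.get(e.src_ip)
            if t is not None and e.ts - t <= window:       # success right after the burst
                compromised[ASSET_IPS.get(e.host, e.host)] = e.ts
                alerts.append({"rule": "bruteforce_success", "severity": 10, "ts": e.ts,
                               "src_ip": e.src_ip, "host": e.host, "user": e.user})
        elif e.category == "net_conn" and e.dst_port == 22:
            t = compromised.get(e.src_ip)
            if t is not None and e.ts - t <= window:       # compromised host fans out on SSH
                fanout[e.src_ip].add(e.dst_ip)
                if len(fanout[e.src_ip]) == 3:
                    alerts.append({"rule": "lateral_ssh_fanout", "severity": 10, "ts": e.ts,
                                   "src_ip": e.src_ip, "targets": sorted(fanout[e.src_ip])})
    return alerts

def run(*sources: str) -> List[dict]:
    """4. Alerting: highest severity first, so the SOC handles the worst first."""
    return sorted(correlate(normalize(*sources)), key=lambda a: (-a["severity"], a["ts"]))

if __name__ == "__main__":
    for a in run(SSHD_LOG, FW_LOG):
        print(f'[{a["severity"]:>2}] {a["ts"]:%H:%M:%S} {a["rule"]:<19} {a["src_ip"]}')
```

Running it prints the successful brute-force login and the SSH fan-out from the compromised host first (severity 10) and the plain brute-force burst last (severity 7). Two design points carry over to real deployments: the single failed login from 198.51.100.2 never becomes an alert because the rule counts within a sliding window rather than over all time, and the lateral-movement rule only works because the asset inventory lets the sshd host name and the firewall source IP be recognized as the same machine.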

Practical solutions and implementations

Wazuh

Implementing a SIEM solution on the open-source Wazuh platform provides significant benefits by offering insights into incidents and events. Wazuh collects data from various systems through Wazuh agents, which relay event logs to the Wazuh server. A diagram of the Wazuh central components is available in the Wazuh documentation.

Depending on the circumstances, SIEM-related dashboards can be customized. One example is the presentation of vulnerability detection, which allows quick assessment of which systems have potentially dangerous security vulnerabilities and which updates are required. In this case, the data comes to Wazuh from the agents and is compared against the CVE vulnerability database.

Figure: Sample dashboard 1 – vulnerability detection. Source: Software Mind

Implementing frameworks such as MITRE ATT&CK, GDPR, or CIS Benchmark enables teams to assess the level of security and potential threats. Below is one example of using MITRE ATT&CK, where you will find a summary of potential attack techniques detected in the monitored infrastructure.

Figure: Sample dashboard 2 – MITRE ATT&CK framework. Source: Software Mind

Verifying security rules based on recommendations from sources such as the CIS Benchmark helps quickly identify and correct potential configuration errors, ensuring the security of a system or virtual machine. This process is also crucial for verifying compliance with GDPR, especially when the solutions involved protect personal data.

Where it is necessary to protect against malware, for example, Wazuh agents can be configured to monitor a designated resource (e.g., an upload directory for a website). Each file uploaded to such a location can be scanned via the VirusTotal API. Thanks to this, you immediately receive a notification when a bad actor uploads a malicious file.

Figure: Example of an infection detection incident. Source: Software Mind

Splunk

Splunk Enterprise Security is a commercial SIEM solution that supports security monitoring, incident response and management, compliance and threat detection. It is provided by Cisco-owned Splunk. Splunk’s products, along with solutions from vendors such as CrowdStrike and Rapid7, are among the most popular security solutions, and Splunk Enterprise Security is often used in large SOC deployments. Splunk publishes reference architectures for such deployments.

Splunk’s solutions, namely Splunk Enterprise Security (ES) or Splunk Cloud Security, offer a potent, flexible platform thanks to built-in mechanisms. For this reason, this solution is often selected for large SOC installations. Its advantage lies in integrating multiple sources, which provide an organization with a comprehensive threat-monitoring solution.

One of the interesting solutions available in Splunk Enterprise is Splunk Stream. This module enables the collection, filtering, indexing and analysis of network event data streams. It aggregates data from various network protocols, including DNS, HTTP and FTP. Additionally, it performs statistical analysis and data visualization from the monitored endpoints and their surroundings.

Figure: Splunk index volume. Source: Software Mind

Such observations help detect various anomalies, including traffic patterns that indicate the launch of services not typically seen on the network. Splunk Stream can capture metadata and full packets for various network protocols and provide detailed information about network traffic, which allows quick action when anomalies are detected. For example, by inspecting TCP and UDP packets it can identify protocols running at the application level, such as Tor (The Onion Router). Typically, an organization does not use the services of this network, so an increase in activity in this area may indicate activity that does not comply with security policies.

Figure: Security policies. Source: Software Mind

The Splunk Enterprise Security solution also has built-in detection and data analysis capabilities for cloud providers such as Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure.

Installing additional modules allows Splunk to be expanded – meaning you can partially automate the threat detection process and thus reduce detection time. Options include:

• Splunk UBA (User Behavior Analytics) – uses ML to detect threats.
• Splunk SOAR (security orchestration, automation and response) – provides automation and orchestration of the incident response process.
• Threat Intelligence Management – provides SOC analysts with actionable intelligence, with associated normalized risk scores and the necessary context. These are the elements required to detect, prioritize and investigate security incidents.

The Splunk solution also provides access to the extensive Splunkbase catalog of applications, offering a wealth of ready-to-integrate solutions. This way, you can build a system tailored to your company’s specific needs.

Figure: Splunk. Source: Splunk

What good security monitoring should look like

One of the most essential features of SIEM is real-time monitoring, a vital element for minimizing the delay between the moment a threat occurs and the moment it is detected. The sooner information about an attack is communicated, the sooner you can take appropriate action to prevent its escalation. Alongside this, the alert and event prioritization mechanism is also important, as significant events should be handled before others.

The IT infrastructure in an organization is usually not homogeneous and consists of many devices. As companies grow, their network solutions become increasingly complex, which can pose challenges for SIEM systems. From a security standpoint, having more data available for analysis improves the context for identifying incidents.

A SIEM system should be able to integrate with multiple data sources (server logs as well as data from network devices such as routers, switches, etc.). Integration alone, however, is not enough. To collate and compare such data, it is necessary to normalize it, and built-in normalization mechanisms are more effective and significantly expedite this process.

The increased amount of data collected means that at some point there will be a physical limit to the analysis capabilities (especially in large systems, where flows exceed 200 GB/day). It is impossible for an operator to manually analyze such a volume of data efficiently. This is where ML mechanisms, AI or advanced statistical methods come to the rescue. Threat intelligence (indicators of compromise (IoC), data on vulnerabilities or attack methods used) is also invaluable, and combining it with system logs creates a more complete picture of threats.

Integrating SIEM with additional modules helps streamline the process described above. SOAR automates incident handling, helping SOC analysts respond to threats faster and more effectively. User and entity behavior analytics (UEBA), on the other hand, detects anomalies such as non-standard login times, logins from different geographic locations or bulk data transfers. UEBA makes it possible to recognize attacks that bypass traditional SIEM rules.
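The difference between a correlation rule and UEBA is that UEBA compares each event against a baseline learned per user rather than against a fixed threshold. The following is an added example written for this article, not Software Mind's code and not a Wazuh or Splunk feature; the users, timestamps, countries and byte counts are constructed, and the source country of each login is assumed to have been resolved upstream by a geolocation lookup. It learns each user's usual login hours, countries and transfer sizes from a history window, then flags exactly the three anomaly types named above (off-hours login, login from a new location or two distant locations within a short time, and a transfer far above the user's norm):

```python
"""UEBA-style anomaly detection: a learned per-user baseline instead of fixed rules.
Added example, not Software Mind's, Wazuh's or Splunk's code. Users, times,
countries and byte counts are constructed; the `country` of a login is assumed
to come from an upstream geolocation lookup of the source IP."""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

# Constructed history used to learn the baseline.
HISTORY = [
    {"user": "alice", "kind": "login", "ts": "2025-04-21T08:05:00Z", "country": "PL"},
    {"user": "alice", "kind": "login", "ts": "2025-04-22T09:10:00Z", "country": "PL"},
    {"user": "alice", "kind": "login", "ts": "2025-04-23T08:55:00Z", "country": "PL"},
    {"user": "alice", "kind": "login", "ts": "2025-04-24T10:02:00Z", "country": "PL"},
    {"user": "alice", "kind": "transfer", "ts": "2025-04-21T11:00:00Z", "bytes": 50_000_000},
    {"user": "alice", "kind": "transfer", "ts": "2025-04-22T11:00:00Z", "bytes": 60_000_000},
    {"user": "alice", "kind": "transfer", "ts": "2025-04-23T11:00:00Z", "bytes": 55_000_000},
    {"user": "alice", "kind": "transfer", "ts": "2025-04-24T11:00:00Z", "bytes": 58_000_000},
    {"user": "alice", "kind": "transfer", "ts": "2025-04-25T11:00:00Z", "bytes": 52_000_000},
    {"user": "bob", "kind": "login", "ts": "2025-04-21T14:00:00Z", "country": "DE"},
    {"user": "bob", "kind": "login", "ts": "2025-04-22T14:30:00Z", "country": "DE"},
]
# Constructed events from one new day, to be judged against the baseline.
TODAY = [
    {"user": "alice", "kind": "login", "ts": "2025-05-20T03:00:00Z", "country": "PL"},
    {"user": "alice", "kind": "login", "ts": "2025-05-20T09:00:00Z", "country": "PL"},
    {"user": "alice", "kind": "transfer", "ts": "2025-05-20T10:00:00Z", "bytes": 62_000_000},
    {"user": "alice", "kind": "login", "ts": "2025-05-20T10:30:00Z", "country": "US"},
    {"user": "alice", "kind": "transfer", "ts": "2025-05-20T11:00:00Z", "bytes": 900_000_000},
    {"user": "bob", "kind": "login", "ts": "2025-05-20T14:05:00Z", "country": "DE"},
]

def build_baseline(history: List[dict]) -> Dict[str, dict]:
    """Per user: hours of day seen logging in, countries seen, transfer sizes."""
    base = defaultdict(lambda: {"hours": set(), "countries": set(), "bytes": []})
    for e in history:
        b = base[e["user"]]
        if e["kind"] == "login":
            b["hours"].add(_ts(e["ts"]).hour)
            b["countries"].add(e["country"])
        elif e["kind"] == "transfer":
            b["bytes"].append(e["bytes"])
    return dict(base)

def _hour_gap(h1: int, h2: int) -> int:
    d = abs(h1 - h2)
    return min(d, 24 - d)          # the clock wraps: 23:00 and 00:00 are one hour apart

def _alert(rule: str, e: dict, **extra) -> dict:
    return {"rule": rule, "user": e["user"], "ts": e["ts"], **extra}

def detect(baseline: Dict[str, dict], events: List[dict],
           travel_window: timedelta = timedelta(hours=2), sigma: float = 3.0,
           hour_slack: int = 1) -> List[dict]:
    alerts: List[dict] = []
    last_login: Dict[str, tuple] = {}          # user -> (ts, country) of previous login
    for e in sorted(events, key=lambda x: x["ts"]):
        b = baseline.get(e["user"])
        if b is None:                          # no history at all is itself notable
            alerts.append(_alert("unknown_user", e))
            continue
        ts = _ts(e["ts"])
        if e["kind"] == "login":
            if all(_hour_gap(ts.hour, h) > hour_slack for h in b["hours"]):
                alerts.append(_alert("off_hours_login", e, hour=ts.hour))
            if e["country"] not in b["countries"]:
                alerts.append(_alert("new_country_login", e, country=e["country"]))
            prev = last_login.get(e["user"])
            if prev and prev[1] != e["country"] and ts - prev[0] <= travel_window:
                alerts.append(_alert("impossible_travel", e, route=(prev[1], e["country"])))
            last_login[e["user"]] = (ts, e["country"])
        elif e["kind"] == "transfer" and len(b["bytes"]) >= 2:
            limit = statistics.mean(b["bytes"]) + sigma * statistics.pstdev(b["bytes"])
            if e["bytes"] > limit:             # far outside this user's own norm
                alerts.append(_alert("bulk_transfer", e, bytes=e["bytes"], limit=round(limit)))
    return alerts

def run(history: List[dict] = HISTORY, events: List[dict] = TODAY) -> List[dict]:
    return detect(build_baseline(history), events)

if __name__ == "__main__":
    for a in run():
        print(a)
```

With the constructed data, alice's 03:00 login, her US login 90 minutes after a Polish one, and the 900 MB transfer are flagged, while her 62 MB transfer and bob's usual afternoon login pass silently; none of these conditions can be expressed as a single static threshold that would work for every user, which is the gap UEBA fills next to classic SIEM rules.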

Modules for assessing the compliance of infrastructure elements with relevant regulations are significant. Depending on the organization, it may be necessary to comply with GDPR, HIPAA, PCI DSS, or support the implementation of the ISO 27001 standard. The SIEM system a company uses should enable the verification of compliance rules and evaluate the extent to which the implemented solutions and policies ensure that the infrastructure adheres to the required regulations.

SIEM best practices

SIEM systems must be customized to address the specific threats that an organization may encounter. Compliance with relevant regulations or standards (such as GDPR or PCI DSS) may also be necessary. Therefore, it is crucial to assess an organization’s needs before deciding which system to implement.

To ensure the effectiveness of a system, it is essential to identify which source data requires security analysis. This primarily includes logs from firewalls, servers (such as Active Directory, databases or applications), and intrusion detection systems (IDS) or antivirus programs. Additionally, it is essential to estimate the data volume in gigabytes per day and the number of events per second that the designed SIEM system must handle. This can be quite challenging, as it involves determining which infrastructure components, devices or servers are critical to the network’s security. During this stage, it often becomes apparent that some data intended for the SIEM system is not usable as-is and needs to be enriched with additional elements required for correlation with other datasets, such as an IP address or a session ID.

For large installations, it’s a good idea to divide SIEM implementation into smaller stages so that you can verify assumptions and test the data analysis process. Within such a stage, a smaller number of devices or key applications can be monitored, selected to be representative of the entire infrastructure.

SIEM systems can generate a significant number of alerts, not all of which are security critical. During the testing and customization stage, it is a good idea to determine which areas and which alerts should actually be treated as important, and for which priorities can be lowered. This is especially important for the incident handling process and automatic alert systems.

During the initial post-implementation phase, SIEM performance should be monitored to identify and resolve performance problems. This process should also be carried out periodically in a system that is already operating at full capacity. This approach avoids problems with recording and handling events.

Figure: Example of performance problems in Wazuh and Splunk systems. Source: Software Mind; internal SIEM (Wazuh and Splunk)

The graphics above are only an outline of the elements that should be considered when designing a SIEM system. Implementation must be tailored for each organization and should be preceded by a comprehensive analysis conducted by a skilled cybersecurity services team.

Splunk and Wazuh integration

SIEM solutions are not dedicated solely to the SOC. As mentioned earlier, they play an essential role in any organization. It is natural that simple security monitoring solutions are implemented first (although this is not a rule, of course) and that migrations to other systems occur as needs grow. Splunk Enterprise has the advantage of modular add-ons and support for defining multiple data sources, which makes it relatively easy to build a sophisticated SIEM system on top of existing technologies.

While organizations can use Wazuh and Splunk on their own, combining the two platforms is possible and often advantageous. Integrating the two systems with the help of the Splunk Universal Forwarder enables the transmission of data from Wazuh to a dedicated index in Splunk. Below, you can find an example of a solution that combines the open-source and the commercial product.

A trusted way to monitor your infrastructure

Effective security monitoring solutions rely on several key elements. In addition to mechanisms for detecting and monitoring cybersecurity threats, it is equally important to have systems for analyzing and responding to observed events. Implementing a SIEM system enables organizations to address these areas comprehensively. From an operational standpoint, deploying a SIEM system accelerates the identification of threats and significantly enhances the effectiveness of the teams responsible for cybersecurity. Centralized management and correlation analysis of logs allow quick responses to security incidents in the infrastructure and are also very helpful in forensic analysis.

Today’s SIEM solutions can be tailored to meet your specific needs. You can choose an open-source option like Wazuh or commercial solutions like Splunk. While these tools offer different functionalities, their primary objective remains the same: to detect threats early by centralizing logs and correlating events.

Additionally, one of the advantages of using SIEM solutions is the ability to quickly establish a system that ensures your monitored infrastructure complies with regulations such as GDPR and NIS2. Splunk offers significant flexibility and scalability but comes with licensing costs. On the other hand, Wazuh is a simpler option that allows for the swift implementation of a SIEM system.

If you are interested in how SIEM can help the cyberoperations of your business, fill in this form to contact one of our experts.

About the author: Tomasz Kuc

Principal System Engineer

A Principal System Engineer with over 20 years of experience in the IT industry, Tomasz has implemented numerous systems and worked on various IT projects focused on enterprise-class solutions. As a cybersecurity team member, Tomasz conducts security audits and penetration tests that help organizations identify and eliminate potential threats. Along with collaborating with teams responsible for developing and maintaining IT infrastructure, he provides support in creating security strategies and implementing solutions that meet required standards.


Copyright © 2025 by Software Mind. All rights reserved.