Fatal SIEM flaw: No body, no murder

November 7, 2017

Over lunch last week, a customer who recently deployed our Cognito™ platform told me that his SIEM salesperson said, “We can do what Vectra does with our analytics package.” I simply looked at him and said, “No body, no murder – no they can’t.”

He was puzzled, so I explained.

SIEMs receive security event logs from a wide range of systems – everything from your computer to servers, authentication systems, firewalls, and many more, including Vectra Cognito.

Event logs record events that happen on systems and networks. Examining the events in these logs can help you trace activity, respond to events, and keep your systems secure.

As the volume of event logs inside an enterprise numbers in the millions of events per day, the purpose of a SIEM is to store and provide real-time analysis of all the security alerts generated by applications and network hardware.

A clever cyber attacker knows that event logs are typically sent in batches rather than in real time, to reduce the impact on network availability of transmitting large volumes of logs from every device.

This gives an attacker who already has system access a window of opportunity on the operating system, including access to the underlying logging system. If the cyber attacker can erase the log of his administrative access on your machine before the log is sent, then there is no body and, therefore, no murder.

At the same time, if the attacker can perform this system authentication without triggering a network anomaly and without using malware, no event logs will be generated by network monitoring systems either. No body, no murder.
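The batching window described above leaves one trace a defender can still look for: a host's own log carries a per-event record number, so events erased before a batch ships show up at the SIEM as holes in that sequence, alongside any explicit log-clear event and any host that stops reporting. The following Python is an added example (not Vectra's or the SIEM vendor's code) over constructed sample batches; the host names, record numbers and the "audit_cleared" event label are all assumptions.

```python
from collections import defaultdict

# Constructed sample batches, not real SIEM data: each event is
# (host, per-host record number, event type). Record numbers come from the
# host's own log and increase by one per event, so deletion leaves holes.
SAMPLE_BATCHES = [
    [("ws-01", 1, "logon"), ("ws-01", 2, "process"), ("ws-01", 3, "logoff"),
     ("ws-02", 1, "logon")],
    # ws-01 records 5 and 6 were removed on the host before this batch shipped
    [("ws-01", 4, "logon"), ("ws-01", 7, "process"),
     ("ws-02", 2, "audit_cleared"), ("ws-02", 3, "logon")],
]


def find_gaps(batches):
    """Return {host: [missing record numbers]} over everything received so far.

    A hole in a host's record sequence means events existed on the host but
    never reached the SIEM: the body itself is missing."""
    seen = defaultdict(set)
    for batch in batches:
        for host, rec, _ in batch:
            seen[host].add(rec)
    gaps = {}
    for host, recs in seen.items():
        missing = sorted(set(range(min(recs), max(recs) + 1)) - recs)
        if missing:
            gaps[host] = missing
    return gaps


def find_cleared(batches, marker="audit_cleared"):
    """Hosts whose forwarded events include a log-clear marker.

    The marker label is constructed for this example; a real deployment would
    key on the platform's own clear event (on Windows, Security Event ID 1102)."""
    return sorted({host for batch in batches
                   for host, _, kind in batch if kind == marker})


def silent_hosts(batches, expected_hosts):
    """Hosts expected to report that sent nothing in the most recent batch."""
    latest = {host for host, _, _ in batches[-1]}
    return sorted(set(expected_hosts) - latest)
```

All three checks work only if the record number is preserved by the forwarder, which is why sequence numbers, not just timestamps, belong in the fields shipped to the SIEM.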

This came as a startling revelation, leading to the question of why this is so.

This is when I broke my rule of no iPhones at a customer meeting. I pulled up the NIST Guide to Computer Security Log Management. I scrolled to the executive summary and read two sentences.

“The number, volume, and variety of computer security logs have increased greatly, which has created the need for computer security log management.”

“A fundamental problem with log management that occurs in many organizations is effectively balancing a limited quantity of log management resources with a continuous supply of log data.”

After saying “Okay, I get it,” he went on to ask, “But what about logs from Cognito?” Now he was asking the right question.

An event log from Cognito is not the same as an event log from any other device. An event log from Cognito is an intelligence report about the threat hunting, analysis, scoring, correlation and risk level of a device demonstrating attacker behaviors.

An event log from a firewall or an intrusion detection system is generated from a single network detection event and lacks the context of the bigger picture of an attack. This requires a security analyst to triage across multiple events in the SIEM, score each event based on the level of impact it would have on the organization, correlate all associated events to the single host at the center of an attack, and prioritize those hosts and associated events that need to be addressed immediately.

The ensuing series of activities easily consumes hours of an analyst’s time, all at the risk of missing important events in real time while working with historical evidence that may not even be correct.

An event log from Cognito is a cybersecurity dossier. Cognito continuously monitors network traffic and performs threat hunting. Manual, labor-intensive triage, scoring threats, host correlation, and threat and host prioritization are automated by Cognito. The sum of this work is sent as a completed attack event log to the SIEM, with precise information on where analysts should focus their time.

There won’t be a log of the cyber attacker stealing the admin credentials from your computer, and no malware or anomaly detection may be triggered either.

However, Cognito will detect the remote access Trojan (RAT) that was used to access your device, as well as the abuse of those credentials and the related admin protocols. Even if the attacker uses the admin credentials from another machine, the artificial intelligence behind the Cognito Attack Campaign report will correlate these attacker behaviors across multiple devices.

“Are all these other logs in my SIEM doing me any good?” he asked with a tone of hope.

Typically, the data lake created with these logs will drown your security team because – without context – it is impossible to know the right questions to ask. However, the “security dossier” log from Cognito gives you an accurate starting point for a threat investigation in the SIEM.

To learn more about Cognito, join our upcoming Bootcamp webinar, or visit the Cognito product page.
