SIEM Bat Time .. SIEM Bat Channel (Hacktivism #8)

Problem to Solve: How can we integrate our Cybersecurity SIEM with data from our Application and Network Performance Management solutions?

Those of us with a little “gray in our hair” will remember the end of the ORIGINAL Batman series from the late 1960s. At the end of an episode, Batman and Robin would usually be in some type of inescapable, impossible dilemma that was sure to be the end of them. At the height of the suspense there was always a reminder to tune in next week: “SAME Bat Time .. SAME Bat Channel”. There are even more references to the catchphrase in the new Lego Batman movies. So… what does Batman have to do with a SIEM?

Well, I cannot think of any reason except the idea of repeating a message with an easy-to-remember catchphrase. In my travels, I always stress the idea of “Bring All that You Have to the Table“, especially when it comes to information for cybersecurity. The focus of this article is LEVERAGING your Application and Network Performance Management (APM NPM) data in your SIEM to make the SIEM MORE EFFECTIVE.

What is A SIEM again?

Wikipedia explains what a SIEM is at this link: https://en.wikipedia.org/wiki/Security_information_and_event_management. SIEM is an acronym for Security Information and Event Management. In plain English, it is the platform cybersecurity teams use to collect, normalize and analyze event data from the sources that matter to security workflows. SIEMs are excellent solutions and have become the “manager of managers” in cybersecurity land. There are many popular products in this space, such as ArcSight, QRadar, LogRhythm, and Splunk, just to name a few.

SIEM Functionality with APM NPM

So let’s look at the specific SIEM capabilities that can be enhanced by integrating your APM NPM solution.

Data Aggregation

A SIEM collects data from many sources, such as firewalls, routers, servers, etc. Adding your APM NPM solution as another input only enhances the overall security view. I always recommend that customers forward relevant APM NPM alarms (application, utilization, response time, error codes, microbursts, analytics, etc.) to their SIEM.

  • Why is this Valuable? Alarms are already distilled. The APM NPM solution has done the first pass over the raw traffic, so the SIEM receives data-rich, low-volume records it can analyze alongside everything else it collects. The result is a lot of quality information added without a heavy new collection burden on the SIEM.
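To make “forward the alarm to the SIEM” concrete, here is an added example (not code from the original post or from any APM NPM or SIEM vendor) that formats an alarm as a CEF syslog line, the Common Event Format that ArcSight and many other SIEMs ingest. CEF itself is a real format; the alarm dictionary, the vendor and product strings, the field-to-key mapping and the severity scale are assumptions chosen for illustration. The point a practitioner trips over is escaping: pipes and backslashes in the header, and equals signs, backslashes and line breaks in the extension, must be escaped or the SIEM parser will split the event in the wrong place.

```python
"""Format an APM/NPM alarm as a CEF syslog line for SIEM ingestion.

Added example; this is not code from the original post or from any APM/NPM or
SIEM vendor. CEF (ArcSight Common Event Format) is a real format; the alarm
dictionary, vendor/product strings, field mapping and severity scale are
assumptions chosen for illustration.
"""

# Assumed mapping from the monitoring tool's severity names to CEF's 0-10 scale.
SEVERITY = {"info": 2, "warning": 5, "major": 7, "critical": 10}

# Assumed mapping from alarm fields to standard CEF extension keys.
EXTENSION_KEYS = [("client", "src"), ("server", "dst"), ("port", "dpt"),
                  ("app", "app"), ("count", "cnt")]


def escape_header(value):
    """CEF header fields: backslash and pipe must be escaped (backslash first)."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value):
    """CEF extension values: backslash, '=' and line breaks must be escaped."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def alarm_to_cef(alarm, vendor="ExampleNPM", product="ProbeAlarms", version="1.0"):
    """Build 'CEF:0|Vendor|Product|Version|EventClassID|Name|Severity|extension'."""
    header = "|".join([
        "CEF:0",
        escape_header(vendor), escape_header(product), escape_header(version),
        escape_header(alarm["id"]), escape_header(alarm["name"]),
        str(SEVERITY[alarm["severity"]]),
    ])
    pairs = [(cef_key, alarm[field]) for field, cef_key in EXTENSION_KEYS
             if alarm.get(field) is not None]
    # Fields with no standard CEF key go into a labelled custom string (cs1/cs1Label).
    if alarm.get("rcode") is not None:
        pairs += [("cs1Label", "rcode"), ("cs1", alarm["rcode"])]
    extension = " ".join(f"{key}={escape_extension(val)}" for key, val in pairs)
    return f"{header}|{extension}"


# Constructed sample alarm: an NXDOMAIN burst seen by a network probe. The pipe
# in the name is deliberate, to show the header escaping at work.
SAMPLE_ALARM = {
    "id": "DNS-NXD-BURST", "name": "NXDOMAIN burst | resolver", "severity": "major",
    "client": "10.1.1.50", "server": "10.2.0.5", "port": 53, "app": "dns",
    "count": 450, "rcode": "NXDOMAIN",
}

if __name__ == "__main__":
    print(alarm_to_cef(SAMPLE_ALARM))
```

Running the block prints one line beginning `CEF:0|ExampleNPM|ProbeAlarms|1.0|DNS-NXD-BURST|NXDOMAIN burst \| resolver|7|` followed by the `src=… dst=… cnt=…` extension; wrap it in a standard syslog header and point it at the SIEM’s syslog receiver and the alarm lands as a normal, parseable event.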

Correlation

A SIEM looks for common attributes across events and links them into meaningful bundles. This is exactly why APM NPM data should be sent to the SIEM: it adds another set of attributes (client, server, application, error type, volume) to correlate against the other data sources.

  • Why is this Valuable? More correlated data makes the SIEM more effective. APM NPM solutions also provide data ‘not available‘ in other data sources, and they cover areas of the network where there may be no security device at all, for example between virtualized servers or inside cloud deployments, where the APM NPM solution offers great coverage. See this previous article on perimeter defense (https://problemsolverblog.czekaj.org/cybersecurity/hey-security-teams-dont-forget-look-apm-npm-tools/)

Alerting

SIEMs create alarms from the correlated data. APM NPM solutions have alerting capabilities of their own, which often provide unique visibility into the application layer.

  • Why is this Valuable? The SIEM collects application-rich alarms (error codes come to mind, such as a burst of HTTP 404 errors) that it can analyze and correlate with the other data it holds to determine whether a security-related, actionable event is in progress. A lone 404 is noise; hundreds of 404s from one client against one server in a minute, lined up against the firewall and authentication logs already in the SIEM, is something an analyst can act on. GREAT APPROACH!

Dashboards

SIEMs take event data and build dashboards, and APM NPM solutions usually have dashboards as well. As mentioned previously, by forwarding alarm data into the SIEM the APM NPM solution adds value for spotting patterns and for service triage. An example might be a potential DNS hijack or denial of service. APM NPM solutions can easily forward DNS error conditions (Server Failure, Name Error, also known as Non-Existent Domain or NXDOMAIN, Query Refused, etc.).

  • Why is this Valuable? Not only can this APM NPM error be correlated with other data sources, but many times it can be used to triage properly and get the information to the “right team”. For example, if the DNS event is NOT really a cybersecurity event (a failing or misconfigured resolver, say), the proper team within IT can be handed the details to resolve the issue. This saves time and cycles for the cybersecurity team. HUGE TIME SAVER!
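The Correlation, Alerting and Dashboards sections above all describe the same mechanic: APM NPM alarms land in the SIEM, get lined up in time against the feeds the SIEM already has, and the result is routed to whichever team owns it. The following is an added example, not code from the original post or from any SIEM or APM NPM product, that runs that logic over a handful of constructed events. The normalized `timestamp source key=value …` line format, the field names, the thresholds and the two rules are assumptions chosen for illustration. Rule 1 fires when one client shows an NXDOMAIN burst, an HTTP 404 burst and a firewall deny inside one window (a pattern no single feed reveals) and routes to the security team; rule 2 fires when many different clients get SERVFAIL from the same resolver and routes to network operations, which is the “right team” triage the Dashboards section calls out.

```python
"""Correlate forwarded APM/NPM alarms with the SIEM's other feeds and route the result.

Added example; not code from the original post or from any SIEM or APM/NPM product.
The normalized 'timestamp source key=value ...' line format, the field names,
the thresholds and the two rules are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_SECONDS = 60      # correlation window (assumed)
NXDOMAIN_BURST = 400     # NXDOMAIN answers in one alarm that count as a burst (assumed)
HTTP404_BURST = 200      # HTTP 404s in one alarm that count as a burst (assumed)
SERVFAIL_CLIENTS = 3     # distinct clients seeing SERVFAIL before we blame the resolver (assumed)

# Constructed sample: APM/NPM alarms (npm, apm) forwarded into the SIEM alongside
# the SIEM's own firewall (fw) events, already normalized to one line each.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01Z npm src=10.1.1.50 dst=10.2.0.5 kind=dns rcode=NXDOMAIN count=450
2024-05-01T10:00:02Z npm src=10.1.1.50 dst=10.2.0.5 kind=dns rcode=NXDOMAIN count=480
2024-05-01T10:00:05Z fw src=10.1.1.50 dst=203.0.113.9 dport=53 action=deny
2024-05-01T10:00:08Z apm src=10.1.1.50 dst=10.2.0.20 kind=http status=404 count=300
2024-05-01T10:01:10Z npm src=10.1.1.77 dst=10.2.0.5 kind=dns rcode=SERVFAIL count=50
2024-05-01T10:01:12Z npm src=10.1.1.78 dst=10.2.0.5 kind=dns rcode=SERVFAIL count=48
2024-05-01T10:01:14Z npm src=10.1.1.79 dst=10.2.0.5 kind=dns rcode=SERVFAIL count=51
"""


def parse_event(line):
    """Turn 'ts source k=v k=v ...' into a dict; ts becomes an aware datetime."""
    ts, source, *pairs = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
             "source": source}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def within(anchor, event, window):
    """True when event falls in [anchor, anchor + window]."""
    return 0 <= (event["ts"] - anchor["ts"]).total_seconds() <= window


def correlate(text, window=WINDOW_SECONDS):
    """Return findings, each tagged with the team that should own it."""
    events = sorted((parse_event(l) for l in text.strip().splitlines()), key=lambda e: e["ts"])
    findings = []

    # Rule 1 (security team): one client produces an NXDOMAIN burst, an HTTP 404
    # burst and a firewall deny inside the window. No single feed shows the
    # pattern; together they look like a host enumerating names and paths.
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        for anchor in evs:
            win = [e for e in evs if within(anchor, e, window)]
            nxd = any(e.get("rcode") == "NXDOMAIN" and int(e.get("count", 0)) >= NXDOMAIN_BURST for e in win)
            e404 = any(e.get("status") == "404" and int(e.get("count", 0)) >= HTTP404_BURST for e in win)
            deny = any(e["source"] == "fw" and e.get("action") == "deny" for e in win)
            if nxd and e404 and deny:
                findings.append({"rule": "enumeration-suspected", "route": "security",
                                 "key": src, "evidence": len(win)})
                break  # one finding per client is enough

    # Rule 2 (network/DNS team): many different clients get SERVFAIL from the
    # same resolver inside the window. That is a sick resolver, not an attacker,
    # so it is routed to the team that can fix it instead of to the SOC queue.
    by_resolver = defaultdict(list)
    for e in events:
        if e.get("rcode") == "SERVFAIL":
            by_resolver[e["dst"]].append(e)
    for resolver, evs in by_resolver.items():
        for anchor in evs:
            clients = {e["src"] for e in evs if within(anchor, e, window)}
            if len(clients) >= SERVFAIL_CLIENTS:
                findings.append({"rule": "resolver-degraded", "route": "network-ops",
                                 "key": resolver, "evidence": len(clients)})
                break
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['route']:<12} {f['rule']:<22} {f['key']} ({f['evidence']})")
```

On the sample, the first finding goes to security (client 10.1.1.50, four correlated events) and the second to network operations (resolver 10.2.0.5, three affected clients). Shrink the window to a second and neither rule fires, which is the usual tuning lever: the window and thresholds are what separate a real pattern from coincidence in your environment.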

Compliance

SIEMs automate the data gathering needed to produce compliance reports. APM NPM solutions have similar capabilities that can be leveraged for this task. One example that is usually a big hit with cybersecurity teams is “Application Flow Maps” of the PCI cardholder data environment (CDE).

  • Why is this Valuable? Anything that adds information value to the SIEM, without the burden of additional heavy data collection, is a WIN.

Retention

SIEMs employ long-term storage for historical data and reporting, and so do APM NPM solutions, usually in the form of long-term metadata (used for reporting) as well as longer-term packet capture retention.

  • Why is this Valuable? APM NPM solutions natively capture packets and retain them. From a cyber perspective this is hugely beneficial once correlation analysis determines an event has occurred and the forensic investigation begins: the packets from before the alarm ever fired are already on disk.

Forensic Analysis

SIEMs can search across logs and collected data. The APM NPM solution provides a complementary workflow that assists the forensic analysis. I recommend that customers first search the metadata collected within the APM NPM solution and then drill into the packets for the sessions of interest; as a high-level workflow it is fast and efficient.

  • Why is this Valuable? As a cyber team begins the forensic analysis, both attack reconstruction and historical evidence workflows are at your fingertips. The workflows are fast and efficient in helping determine what happened and what data may have been compromised, a large complementary value to the SIEM functionality.

Points to Ponder

  • Do any of your companies leverage your APM NPM solutions into your SIEM?
  • Do you have any unique cyber related stories where this approach did or could have helped?
