Problem to Solve: How can we integrate our Cybersecurity SIEM with data from our Application and Network Performance Management solutions?
For those of us with a little “gray in our hair” will remember the end of the ORIGINAL Batman series from the late 1960’s. At the end of an episode, Batman and Robin would usually be in some type of inescapable and impossible dilemma that was sure to be the end of them. At the height of each suspenseful episode, there was always a reminder to tune in next week … “SAME Bat Time .. SAME Bat Channel”. There are even more references to the catch phrase in the new Lego movies with Batman. So… what does Batman have to do with a SIEM?
Well, I cannot think of any reason except for the idea of repeating a message with an easy to remember catch phrase. In my travels, I always stress the idea of “Bring All that You Have to the Table“, especially when it comes to information for cybersecurity. The focus of this article will be the notion of LEVERAGING your Application and Network Performance Management (APM NPM) data in your SIEM to make it MORE EFFECTIVE.
What is A SIEM again?
Wiki explains what a SIEM is at this link: https://en.wikipedia.org/wiki/Security_information_and_event_management. A SIEM is an acronym for a Security Information and Event Management solution. In English, this is typically what cybersecurity teams use to collect data from sources that relate to security types of workflows. SIEM’s are excellent solutions and have become the “manager of managers” in cybersecurity land. There are many popular solutions in this space, such as ArcSight, QRadar, LogRythym, and Splunk just to name a few.
SIEM Functionality with APM NPM
So let’s apply specific SIEM capabilities that can be enhanced by integrating with your APM NPM solution.
A SIEM collects data from many sources, such as firewalls, routers, servers, etc. Adding in APM NPM solutions as an input to your SIEM data collection only enhances the overall security view. I always recommend to customers that they forward relevant APM NPM (application, utilization, response time, error codes, microburst, analytics, etc) type alarms to their SIEM.
- Why is this Valuable? This configuration allows the SIEM to sort through data rich alarm information which can be analyzed along with the other data it collects. The result is adding a lot of quality information, without having to add heavy burden to the SIEM data collection.
A SIEM looks for common attributes and links together meaningful bundles. This is exactly why APM NPM data should be sent to the SIEM. The APM NPM data makes it more efficient because it adds another piece of information to correlate with other data sources.
- Why is this Valuable? More correlated data makes the SIEM more efficient. Also, APM NPM solutions provide data ‘not available‘ in other data sources as well as cover areas of the network where there may not be a security related device. If you consider Virtualized Servers and Cloud deployments, there are great coverage capabilities available from the APM NPM solution. See this previous article on perimeter defense (https://problemsolverblog.czekaj.org/cybersecurity/hey-security-teams-dont-forget-look-apm-npm-tools/)
SIEM’s create alarms from the correlated data. APM NPM solutions also have alerting capabilities that often times provide unique information into the application layer.
- Why is this Valuable? This feature allows the SIEM to collect application rich alarms (error codes come to mind such as HTTP 404 errors) that can be analyzed and correlated. The SIEM gets a data rich alarm by which it can analyze and correlate with other collected data to then determine if there is an (security related) actionable event in process. GREAT APPROACH!
SIEM’s take event data and create dashboards. APM NPM solutions usually have dashboards as well. As mentioned previously, by forwarding alarm data into the SIEM, the APM NPM solution provides further value for patterns and service triage. An example might be a potential DNS Hijack or Denial of Service. APM NPM solutions can easily forward DNS error conditions (Name Errors, Server Failures, Non-Existent Domain, Query Refused, etc).
- Why is this Valuable? Not only can this APM NPM error be correlated with other data sources, but many times can it be used to properly triage and get this information to the “right team”. For example, if this were NOT really a cybersecurity related DNS event, then the proper team within IT can be supplied with the information to resolve the issue. This saves time and cycles for the cybersecurity team. HUGE TIME SAVER!
SIEM’s automate the data gathering process which is necessary to create compliance related reports. APM NPM solutions have similar capabilities that can be leveraged for this task. One example that is usually a big hit with cybersecurity teams are “Application Flow Maps” for the PCI CDE environments.
- Why is this Valuable? Anything that adds information value to the SIEM efficiency, without the additional burden of heavy data collection, is a WIN.
SIEM’s employ long-term storage for historical data and reporting, and so do APM NPM solutions. This option is usually in the form of long-term metadata (used for reporting) as well as longer term packet capture retention.
- Why is this Valuable? APM NPM solutions natively collect packets for longer term storage. From a cyber perspective, this is hugely beneficial when correlation analysis determines an event has occurred and the forensic investigation has begun.
SIEM’s can search across logs and collected data. The APM NPM solution can provide a nice complementary workflow and assist in the forensic analysis. I recommend to customers to leverage the APM NPM solution to search through the collected metadata within, and then drill into packets as a high level workflow as it is fast and efficient.
- Why is this Valuable? As a cyber team begins the forensic analysis, both attack reconstruction and historical evidence workflows are at your fingertips to assist. The workflows are fast and efficient to help determine what happened and what data may have been compromised. This ability is a large complementary value to the SIEM functionality.
Points to Ponder
- Do any of your companies leverage your APM NPM solutions into your SIEM?
- Do you have any unique cyber related stories where this approach did or could have helped?