SEC555: SIEM with Tactical Analytics—A Valuable New Course

NXLog users can benefit from a SANS course titled SEC555: SIEM with Tactical Analytics, the first vendor-neutral course of its kind.

About SANS

First of all, what is SANS? The SANS Institute is a cooperative research and education organization that reaches more than 165,000 security professionals worldwide. Today, SANS is the world’s largest and most trusted source for information security training and certifications, with courses taught by real-world professionals.

Relevant Training Important

Among the many cybersecurity best practices is the collection and tactical analysis of domain, IP, and related logs. However, Security Incident and Events Management (SIEM) products that facilitate this are only as good as the training and processes that support them.

Furthermore, it is necessary for an end user to learn more than simply how to use the SIEM product—it is important to understand the ways that an SIEM can be used in a truly effective manner.

Course Details

That’s where the class SEC555: SIEM with Tactical Analytics comes in. This new lab-heavy SANS course focuses on the construction, development, and maintenance of a true tactical SIEM. The course uses open source Big Data technologies to either operationalize a current SIEM or develop one that is competitive with commercial SIEMs. SEC555 will prepare the attendee to use the SANS SOF-ELK VM in real-world production settings.

The course instructor will discuss the pros and cons of standard SIEM agents, while highlighting open source agents like NXLog and Beats. Such agents are typically stable and feature-rich, and some offer commercial support. Even the NXLog Community Edition, for example, provides features exceeding those of many commercial agents, with multi-platform support, log format support and conversion, encryption, advanced filtering, and real-time file monitoring.

Although the instructor’s approach is vendor-neutral, NXLog is often referenced. Therefore, NXLog users will find SEC555 to be especially helpful.

Effective Use of Log Data

SIEM architecture is often more mysterious than it needs to be. It is easy is to accumulate data from logs, but it is challenging to strategically analyze it and to identify intrusions.

To succeed, it is necessary to gather, process, and analyze literally billions of logs from myriad data sources. The development of an effective Security Operations Center (SOC) requires an aggressive analysis of these logs to extract actionable intelligence. A well-conceived, customized SIEM will successfully integrate with the SOC.

From Data to Actionable Information

The process of converting log data into actionable information involves multiple steps.

  • Determine whether mining given data is, in fact, worthwhile
  • Correlate worthwhile data
  • Commence investigation of the aggregate data
  • Employ the knowledge gained

There are a number of ways to effectively use the knowledge acquired. In a successful system, continuous monitoring and in-depth analysis lead to the replaying of captured attack information to generate appropriate real world scenarios and deploy countermeasures.

Benefits of Tactical Analysis of Log Data

Specifically, why process and analyze all of this Big Data? For a number of reasons related to intrusion discovery and the advancement of tactical analytics:

Identifying IOCs - Two of the most prevalent Indicators of Compromise (IOC) are IP addresses and domain names. Detection and review of IOCs on computer networks ideally involves the comprehensive gathering and processing of DNS information. Analysis of queried domains and responses promote efficient detection of intrusions in the network.

Protocol agnostic detection - Those responsible for network defense can also access firewall and web proxy logs in search of both IP and domain IOCs. This data is often valuable when the adversary's modus operandi does not include HTTP. It is also valuable when the DNS is employed as a covert channel.

Covert channel detection - Covert DNS channels are often used by adversaries to facilitate data transfer and/or remote configuration capabilities to malware inside a network. Covert channels are potentially identified through the at-scale analysis of irregular response packets.

Tracking - Adversaries frequently use multiple IP addresses and domains in an effort to disguise activity. Tactical analysis of query and response data facilitates the tracking of the command and control infrastructure of adversaries. 

Ultimately, the transformation of reams of nondescript logs into true tactical data is of value on numerous levels. Graphs and tables presented on active dashboards facilitate the detection of adversarial activity and support prompt action when required.

To effectively detect even highly sophisticated intrusions, the majority of processing and analysis should be automated to produce results efficiently. Breach canaries and internal tripwires can then be manually deployed to counter these intrusions.

About the Course Developer

Justin Henderson is a SANS instructor and author of SEC555: SIEM with Tactical Analytics. He is a security architect, researcher, and consultant with more than a decade of experience in the health care sector. Justin has been involved in government contracts pertaining to intrusion analysis and network monitoring systems. He is the 13th GSE to achieve both red and blue SANS Cyber Guardian status.

Share this post