Back in October 2021, Sheetal Venkatesh and I spoke about challenges associated with relying on event correlation for incident detection during a webinar organized by Confluera. We also discussed how organizations can deterministically “stitch together” disparate data points to track and timeline attacker activity across multiple systems.
While I was taking a walk during the holiday season, this topic spontaneously came back to me, and I wondered whether correlation is still relevant or whether we, as an industry, should move past it and focus on high-fidelity detections.
In this short blog, I will discuss my thoughts on correlation based on a decade of experience with SIEM products and countless breach investigations.
What is Correlation and why is it so challenging?
When I started my cybersecurity career a decade ago, it was around the time when IBM acquired QRadar. Many cybersecurity professionals hailed analytics and event correlation as the answer to detecting adverse activity. The idea was simple: you aggregate security events from multiple sources, create correlation rules, and provide a single pane of glass for incident detection. However, the reality turned out to be much uglier. So, is SIEM relevant for incident detection, or did the cybersecurity industry fall victim to the marketing hype? Let’s explore correlation in-depth to answer this question.
What is correlation?
In a threat detection context, correlation is an association or relationship between multiple events based on a common attribute, such as an identity or IP address. For example, suppose a user account fails authentication to 20 systems within 5 minutes. You can establish a relationship between what at first appear to be disparate events based on timing proximity and a common attribute, which is the user account in this case.
At first, this scenario sounds great for detecting anomalies. However, how do we establish whether this event indicates threat actor activity, a misconfiguration, or simply an expired password? This is where correlation becomes challenging as a means to detect incidents. Correlation establishes a relationship between two or more events but does not imply causation. Unfortunately, this concept is frequently misunderstood in the cybersecurity community and across other domains.
One of the most frequently used examples of the pitfalls of correlation is the relationship between ice cream consumption and drowning. Researchers determined that increased ice cream consumption in the summer correlates with a sharp increase in drowning deaths. Therefore, eating ice cream must cause drowning.
In the above example, there is a link between the two events. However, the relationship does not automatically imply that drowning is caused by ice cream consumption. In this case, people consume more ice cream and go more frequently for a swim in the summer. The common attribute is the summer, but there is no cause-and-effect relationship between those two activities.
Let’s put the theory aside and look at some of the challenges organizations face with correlation and SIEM-based threat detection. The following list includes the challenges I have frequently encountered during my consulting career.
Correlation creates many false positive alerts and noise that can obstruct true positive alerts because of the loose association between events.
System misconfigurations and poor IT security hygiene can further contribute to that noise and render SIEM-based detection ineffective.
Alerts created by correlating disparate events are often low-fidelity and can be caused by routine and ad hoc operational activities.
System event logs provide only a partial representation of data required for high-fidelity incident detection.
It is often impractical to build correlation rules for every attack scenario. Furthermore, two events indicative of adverse activity might not have a common attribute required for correlation.
Analysts and correlation engineers must have a comprehensive understanding of logging on systems in scope. We regularly come across SIEM implementations with missing events that are necessary for incident detection and analysis.
In fact, these challenges are so frequent that several senior leaders asked me why their organization did not detect a breach despite a multimillion-dollar investment in SIEM and security analytics.
To address this issue, we need a more deterministic way of detecting and associating security events, one that minimizes reliance on probabilistic associations and focuses on cause and effect. For example, if a user opens a malicious document that contains code that spawns a PowerShell session, which in turn downloads malware from a command-and-control server, you can clearly see the cause-and-effect relationship. Deterministic detection and event association lead to high-accuracy alerts and less work for security personnel. This approach saves time and resources, and it is ultimately more cost-effective for organizations.
Now that we have covered correlation and its challenges, I will answer the question of whether correlation is still relevant or whether the industry should abandon it and move on.
Is it all doom and gloom?
The short answer is no. SIEM is still a relevant and necessary tool that every organization should consider. At the same time, we must understand how to utilize a SIEM and correlation correctly to avoid some of the pitfalls described in the previous section. Let’s take a look at context-dependent detection and other ways you can effectively leverage SIEM.
Correlation is relevant for detecting malicious behavior that is context-dependent. I often use the example of unauthorized access to Active Directory domain controllers by a threat actor. As part of a typical attack lifecycle, threat actors leverage harvested credentials to access domain controllers and further escalate privileges to Domain Admin (DA).
Suppose you deployed your Active Directory servers to a dedicated VLAN and configured your internal firewalls to allow access to those servers only from a management jump server. Furthermore, you configured a GPO to restrict access to domain controllers with specific user accounts.
Based on an understanding of your Active Directory deployment and network topology, you can create correlation rules to detect authentication attempts that violate the scenario described above. For example, suppose a threat actor attempts to authenticate to a domain controller from a system other than the jump server. In that case, you can configure a rule to create a high-severity event, even if the authentication fails. This rule will enable you to detect not only a potential threat actor but also system administrators violating a security policy.
There are countless other context-based scenarios that are good candidates for meaningful correlation rules, including interactive logons with service accounts, logons with a DA account to member servers and domain-joined workstations, and authentication attempts with a break glass account.
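To make the context-dependent rules concrete, here is an added Python example (not code from the original post or from any SIEM product) that encodes the jump-server, GPO, DA and service-account scenarios above as deterministic checks over normalized Windows logon events. The host names, account names, IP-to-host mapping and event fields are assumptions standing in for an organization's own asset inventory and policy.

```python
from dataclasses import dataclass

# Deployment knowledge the rules depend on (every name here is an assumption).
DOMAIN_CONTROLLERS = {"dc01", "dc02"}                  # dedicated AD VLAN
JUMP_SERVERS = {"jump01"}                              # only permitted DC source
DC_ALLOWED_ACCOUNTS = {"da-alice", "da-bob"}           # enforced by GPO
DOMAIN_ADMINS = {"da-alice", "da-bob"}
SERVICE_ACCOUNTS = {"svc-backup"}
INTERACTIVE_LOGON_TYPES = {2, 10}                      # console, RDP
IP_TO_HOST = {"10.0.9.5": "jump01", "10.0.1.20": "ws-042"}  # asset inventory

@dataclass
class LogonEvent:
    event_id: int      # 4624 = success, 4625 = failure
    host: str          # computer that recorded the event
    account: str
    source_ip: str
    logon_type: int

def evaluate(ev: LogonEvent) -> list:
    """Return high-severity findings for one event; [] means no alert."""
    findings = []
    src = IP_TO_HOST.get(ev.source_ip, ev.source_ip)
    on_dc = ev.host in DOMAIN_CONTROLLERS
    # Rule 1: any logon attempt at a DC from a non-jump host, failed or not
    # (event_id is deliberately ignored, so 4625 alerts just like 4624).
    if on_dc and src not in JUMP_SERVERS:
        findings.append("dc_access_not_from_jump_server")
    # Rule 2: an account the GPO does not permit reaching a DC.
    if on_dc and ev.account not in DC_ALLOWED_ACCOUNTS:
        findings.append("dc_access_by_unapproved_account")
    # Rule 3: DA credentials used on a member server or workstation.
    if not on_dc and ev.account in DOMAIN_ADMINS:
        findings.append("da_logon_to_member_system")
    # Rule 4: service account used interactively.
    if ev.account in SERVICE_ACCOUNTS and ev.logon_type in INTERACTIVE_LOGON_TYPES:
        findings.append("service_account_interactive_logon")
    return findings

def run(events) -> dict:
    """Map each alerting event's (host, account, source_ip) to its findings."""
    return {(e.host, e.account, e.source_ip): f
            for e in events if (f := evaluate(e))}

# Constructed sample: one legitimate DC admin session and three violations.
SAMPLE_EVENTS = [
    LogonEvent(4624, "dc01", "da-alice", "10.0.9.5", 10),          # expected path
    LogonEvent(4625, "dc01", "da-bob", "10.0.1.20", 3),            # DC hit from a workstation
    LogonEvent(4624, "ws-042", "da-bob", "10.0.1.20", 2),          # DA on a workstation
    LogonEvent(4624, "srv-app01", "svc-backup", "10.0.1.20", 10),  # svc account via RDP
]
```

Each rule fires on a policy the organization itself defined, so a hit is a policy violation by construction rather than a statistical association, which is what keeps the alert high-fidelity.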
Other reasons why SIEM is crucial
Here are some additional reasons why SIEM is indispensable in the toolkit of any cybersecurity department:
SIEM is excellent for aggregating audit logs in a centralized location to enforce a data retention policy and provide rapid access to logs during an incident.
SIEM accelerates incident investigations. I have experienced countless situations where we extracted event logs from individual servers and used open-source tools to parse and timeline them. This hurdle often delayed an investigation by days, and in severe cases, by weeks.
You can use a SIEM as a “single pane of glass” during an incident. Instead of logging into several different tools, you can triage events in SIEM and access specific tools for further details.
A good SIEM enables you to create dashboards and automated reports for events of interest. This approach is relevant for data you may still want to review periodically without generating alerts.
How can you make a SIEM work for your organization?
I often say that a SIEM is not a project but a journey with unexpected obstacles and surprises along the way. Furthermore, a successful SIEM implementation and operation has numerous dependencies and requires alignment between cybersecurity and information technology. The following list provides some of my thoughts on making a SIEM successful in your organization:
First and foremost, implement a logging standard across your organization and monitor compliance with the standard. Also, consult your incident response partner for guidance on what types of event logs they need to investigate incidents on your behalf. Inadequate security logging on systems and platforms renders your SIEM ineffective.
Ensure appropriate Identity and Access Management (IAM) hygiene. Suppose your organization provisions accounts with excessive privileges, uses DA accounts to access member servers and domain-joined workstations, or allows interactive logon with service accounts. In that case, you may have more significant problems than inadequate visibility into security events.
Do not rely on SIEM as the sole or ultimate tool for incident detection. As part of your monitoring strategy, pay close attention to alerts generated by other tools, such as Endpoint Detection and Response (EDR) and Intrusion Detection Systems (IDS). My team has responded to breaches that could have been avoided if only the client’s SOC had monitored their antivirus console.
Leverage a SIEM to aggregate security events generated by disparate tools and build context-dependent detections as described in the previous section.
Ensure your SOC analysts have a thorough understanding of auditing on popular platforms, such as Windows and Linux. We noted that analysts often focus on security audit events. However, system and application events are also valuable in threat detection and response (e.g., Event ID 7045 on Windows, which records a new service installation, to identify malware running as a service).
This list is by no means comprehensive. However, implementing the recommendations outlined above will not only lead to a higher return on investment (ROI) from your SIEM but also improve the overall security of your network.
In this blog post, I described the challenges organizations face when relying on SIEM and correlation for threat monitoring and incident detection. Correlation does not imply causation and produces a significant number of false-positive alerts. However, SIEM is still an essential solution that every cybersecurity department should consider to aggregate event logs and build context-based detections. If used correctly, SIEM and correlation can significantly enhance your threat management capabilities.