Do We Need a Buzzword to Re-understand the Value of the SIEM Correlation?
Correlation, machine learning, and threat hunting are all important, and each plays a critical role in a modern SOC.
Correlation rules can easily detect the common techniques that attackers reuse when trying to reach your resources. A rule is a discriminator written to find one specific behavior, so, as usual, its value depends on human expertise: if the designer knows what they are looking for, rules are invaluable tools. Community efforts such as Sigma rules are an example of the value that correlation brings to SIEM solutions.
The objective of correlation is to identify when an adversary is following a given path and to stop them. Rather than thinking of security as walls and moats, think of it as strings with bells on them: an alert rings whenever the adversary trips a correlation rule, and your IR team can then spring into action.
Using only machine learning is not sufficient either. This is why UEBA solutions use rules and correlation engines alongside anomaly detection rather than relying on anomaly detection alone. An anomaly is only evidence, a signal. Even after aggregation, the user or entity risk score is only a probability: it is not confirmed and not categorized, at least not in most UEBA solutions today. So rules and correlated events are needed to fill in the timeline and the attack graph.
Using only searching is also not sufficient. Running a scheduled search every night to detect threats is a widely used technique today. But if you take it one step further and detect the threat in real time, you have a chance to stop it in real time. The learning curve of search languages, the system resources needed to run many searches, real-time detection, and search logic (see https://www.peerlyst.com/posts/comparison-of-detection-methodologies-in-siem-correlation-and-search-ertugrul-akbas) will all be issues.
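To make the "bells on strings" idea and the real-time versus scheduled-search contrast concrete, here is an added example that is not code from the original post: one stateful correlation rule fed events one at a time, beside a batch search that applies the same logic to the whole event set at once. The rule (at least 5 failed logons followed by a successful logon for the same user from the same source within a 60-second window), the event tuple format, and every log line are constructed for illustration and are not taken from any product.

```python
"""A correlation rule evaluated in real time on a stream of events, beside the
scheduled-search equivalent of the same logic.

Added example, not code from the original post. The rule, the event format
and the log lines below are all constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, source IP, outcome).
SAMPLE_EVENTS = [
    ("2020-06-09T10:00:01", "alice", "203.0.113.7", "fail"),
    ("2020-06-09T10:00:05", "alice", "203.0.113.7", "fail"),
    ("2020-06-09T10:00:09", "alice", "203.0.113.7", "fail"),
    ("2020-06-09T10:00:12", "bob", "198.51.100.9", "success"),
    ("2020-06-09T10:00:14", "alice", "203.0.113.7", "fail"),
    ("2020-06-09T10:00:20", "alice", "203.0.113.7", "fail"),
    ("2020-06-09T10:00:31", "alice", "203.0.113.7", "success"),  # 5 fails in window: alert
    ("2020-06-09T10:30:00", "carol", "192.0.2.44", "fail"),
    ("2020-06-09T10:30:10", "carol", "192.0.2.44", "success"),   # only 1 fail: no alert
    ("2020-06-09T11:00:00", "dave", "192.0.2.99", "fail"),
    ("2020-06-09T11:00:10", "dave", "192.0.2.99", "fail"),
    ("2020-06-09T11:00:20", "dave", "192.0.2.99", "fail"),
    ("2020-06-09T11:00:30", "dave", "192.0.2.99", "fail"),
    ("2020-06-09T11:01:40", "dave", "192.0.2.99", "fail"),
    ("2020-06-09T11:01:45", "dave", "192.0.2.99", "success"),    # fails too spread out: no alert
]

FAIL_THRESHOLD = 5
WINDOW = timedelta(seconds=60)


def parse(event):
    ts, user, src, outcome = event
    return datetime.fromisoformat(ts), user, src, outcome


class BruteForceThenSuccess:
    """Stateful correlation rule: keeps a sliding window of failures per
    (user, source) and fires the moment a success arrives while the window
    still holds at least FAIL_THRESHOLD failures."""

    def __init__(self, threshold=FAIL_THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures

    def feed(self, event):
        """Consume one event; return an alert dict, or None if nothing fired."""
        ts, user, src, outcome = parse(event)
        recent = self.failures[(user, src)]
        # Drop failures that have aged out of the window relative to this event.
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if outcome == "fail":
            recent.append(ts)
            return None
        count = len(recent)
        if count >= self.threshold:
            recent.clear()  # reset so the same burst does not alert twice
            return {"rule": "brute_force_then_success", "user": user,
                    "src": src, "failures": count, "at": ts.isoformat()}
        return None


def stream_detect(events):
    """Real-time mode: evaluate the rule on each event as it arrives and record
    the index of the event that tripped it (the bell rings at that moment)."""
    rule = BruteForceThenSuccess()
    alerts = []
    for index, event in enumerate(events):
        alert = rule.feed(event)
        if alert:
            alert["fired_on_event"] = index
            alerts.append(alert)
    return alerts


def batch_search(events):
    """Scheduled-search mode: the same logic run once over the whole batch.
    For every success, count failures for the same (user, source) in the
    preceding window. Nothing is reported until the search job runs."""
    parsed = [parse(e) for e in events]
    hits = []
    for ts, user, src, outcome in parsed:
        if outcome != "success":
            continue
        recent_fails = sum(
            1 for f_ts, f_user, f_src, f_out in parsed
            if f_out == "fail" and f_user == user and f_src == src
            and timedelta(0) <= ts - f_ts <= WINDOW
        )
        if recent_fails >= FAIL_THRESHOLD:
            hits.append({"user": user, "src": src,
                         "failures": recent_fails, "at": ts.isoformat()})
    return hits


if __name__ == "__main__":
    for alert in stream_detect(SAMPLE_EVENTS):
        print("stream:", alert)
    for hit in batch_search(SAMPLE_EVENTS):
        print("batch: ", hit)
```

Both modes report the same single hit (alice), but the streaming rule fires on the seventh event, at the instant the successful logon arrives, while the batch search has no answer until its scheduled run. Dave's case shows the caveat a rule author has to think about: his five failures span more than the 60-second window, so neither mode alerts, which is correct for this rule but also means a slow, low-rate guessing campaign needs a different (or longer-window) rule.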
Most currently available SIEM and next-generation SIEM solutions combine profilers and outlier detectors with correlation.
Correlation and rules are genuinely useful and will continue to be used alongside both ML-based and search-based detection.
Originally published at https://www.peerlyst.com on June 9, 2020.