How do we know what’s happening in the network? SIEM and Log Analysis
Cyber threats have become a daily reality. For this reason, there is an urgent need within organizations to build effective strategies for continuous monitoring and response to potential incidents. One of the essential aspects of a SOC’s rapid response system is the integration of all devices in a given organization’s infrastructure with a data collection solution (SIEM), so they can be monitored. The analysis of the logs flowing from them forms the foundation upon which a comprehensive detection and response system can be built.
What devices are subject to monitoring? Why are they so important, and what benefits does log analysis provide? Below you will find information on various aspects of device monitoring by SIEM/SOAR systems in a SOC.
Why analyze security logs?
Logs are the digital footprints of activity for all IT infrastructure components. They are the most important source of knowledge about the security status of a system – both in real-time and in retrospective analysis. Their significance can be compared to black boxes in an airplane: if something goes wrong, it is the logs that reveal the cause of the problem.
Regular log analysis allows for:
- Detecting anomalies and unusual behavior of users or systems,
- Quickly identifying incidents and initiating response procedures,
- Maintaining compliance with regulations and audits, e.g., GDPR, ISO 27001, NIS2,
- Tracking internal abuse and privilege escalation attempts,
- Understanding the attack vector after a breach – what, when, who, and how.
In an IT environment, without effective log processing, an organization remains blind to what is happening inside its systems – and this directly exposes it to the risk of losing data, money, and reputation.
Which devices are monitored by a SIEM system?
The effective operation of a SOC, whether built within internal structures or operating as an outsourced service, depends on monitoring devices and other data sources in real-time. Key types of devices subject to monitoring in a SIEM include:
Servers are the heart of the organization’s infrastructure and hold most of its data. Monitoring them is crucial for rapidly detecting security breaches such as unauthorized access attempts, as well as attacks on their availability such as DDoS.
Routers and firewalls control network traffic. Monitoring their logs allows unauthorized access attempts to be identified and protects the network from threats.
Personal computers, laptops, and other endpoints are often the points of attack, which is why securing them with endpoint protection solutions is so important. Monitoring their activity allows for a quick response to potential attempts to breach security and enter the organization’s network through this channel.
Authentication events from Active Directory (logons, failed logons, and group or privilege changes recorded on the domain controllers) are also monitored by the SOC to identify unauthorized access attempts. In the event of suspicious activity, the SOC reacts appropriately, securing the accounts and systems concerned against a potential breach.
By monitoring switches in the SIEM system, logs regarding network activity are collected, allowing for the identification of suspicious traffic patterns and response to potential security incidents. This enables the SOC to protect the network more effectively against attacks, control access to network resources, and monitor communication between different network segments.
Protocols and standards for monitoring and incident response
Effective device monitoring in a SOC requires efficient protocols and standards that enable the collection, analysis, and response to data from various sources. Here are the main protocols and standards used in a SOC that enable coordinated actions to maintain organizational security:
SNMP (Simple Network Management Protocol) is a protocol that allows for the monitoring and management of network devices. In a SOC, it is widely used to collect information about device status, performance, and security.
Syslog Protocol is commonly used for collecting, transmitting, and archiving logs from various devices. In a SOC, it enables the analysis of security events and the identification of potential incidents.
NetFlow (and its IETF-standardized successor, IPFIX) is a protocol by which routers and firewalls export flow records summarizing network traffic: who talked to whom, over which ports, and how much. In a SOC, it is used to analyze data flows, identify anomalies, and detect attacks.
SIEM (Security Information and Event Management) is a comprehensive system that integrates data from various sources, including logs, alerts, and security events. It works on the principle of data analysis and correlation, enabling a rapid response to potential threats.
ISO/IEC 27001 is the standard for information security management. In a SOC, it serves as a reference framework that helps maintain effective security practices at the organizational level.
IDS (Intrusion Detection System) analyzes network traffic for irregularities, anomalies, or suspicious patterns, matched against signatures or behavioral rules, and raises alerts. IPS (Intrusion Prevention System) applies the same kind of detection inline, so that traffic matching a rule can be dropped or blocked rather than only reported.
How to conduct effective data analysis in SIEM systems?
The effectiveness of log analysis depends not only on the amount of data but primarily on its structuring, context, and automation. Here are the key elements of effective analysis in a SOC environment:
Centralization of data sources – collect logs from as many sources as possible,
Event correlation – the SIEM system should correlate events from different locations,
Creation of context and profiles – it is worth building user and device profiles, making it easier for the system to distinguish normal activity from suspicious activity,
Response automation – SOAR systems are extremely helpful here, running playbooks that enrich an alert (who is the user, what is the asset) and carry out containment steps such as isolating a host or disabling an account,
Machine learning and behavioral detection – modern SIEM systems implement algorithms that build a baseline of normal user and system behavior and flag deviations from it,
Data visualization and reports – these facilitate analysis and decision-making for both specialists and non-technical personnel.
Examples of SOC responses to incidents identified during monitoring
To illustrate the effectiveness of device monitoring in a SOC, here are several real-life situations where this process played a key role in securing an organization against cyber threats:
DDoS Attack
The SOC received alerts regarding a significant increase in network traffic on one of the servers. Thanks to the analysis of data from network devices, including firewalls and IPS systems, the DDoS attack was identified and neutralized, ensuring the continuity of the organization’s services.
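To make the detection step concrete, the following is an added example (not code from the original article or any product) of a volumetric check over flow records of the kind a firewall or NetFlow exporter would send to the SIEM. The flow records, addresses and thresholds are constructed for illustration. The detector aggregates packets per destination per minute, compares each minute against the median of the destination's earlier minutes, and separates a distributed source set (DDoS) from a single-source flood, because the response differs: upstream scrubbing or rate limiting versus blocking one address.

```python
from collections import defaultdict


def build_sample_flows():
    """Constructed NetFlow-style records: (epoch_seconds, src_ip, dst_ip, packets).
    Addresses are documentation ranges; the traffic shape is invented for the example."""
    flows = []
    # Five quiet minutes: four clients, 300 packets each per minute, to the web server.
    for minute in range(5):
        for i in range(4):
            flows.append((minute * 60 + i * 10, f"198.51.100.{i + 1}", "192.0.2.10", 300))
    # Minute 5: sixty distinct sources, 500 packets each, to the same server.
    for i in range(60):
        flows.append((5 * 60 + i, f"203.0.113.{i + 1}", "192.0.2.10", 500))
    # A second server with steady single-source traffic, which must not alert.
    for minute in range(6):
        flows.append((minute * 60 + 5, "198.51.100.50", "192.0.2.20", 800))
    return flows


def aggregate(flows, window_seconds=60):
    """Bucket flows per (destination, time window): total packets and distinct sources."""
    buckets = defaultdict(lambda: {"packets": 0, "sources": set()})
    for ts, src, dst, packets in flows:
        b = buckets[(dst, ts // window_seconds)]
        b["packets"] += packets
        b["sources"].add(src)
    return buckets


def detect_volumetric(flows, window_seconds=60, factor=10, min_sources=20, min_history=3):
    """Alert when a window carries >= factor times the median of the destination's
    earlier windows. Windows that alerted are kept out of the baseline so an ongoing
    attack cannot normalize itself. The source count separates a distributed attack
    from a single-source flood, since the two call for different responses."""
    per_dst = defaultdict(list)
    for (dst, window), b in aggregate(flows, window_seconds).items():
        per_dst[dst].append((window, b))
    alerts = []
    for dst, windows in per_dst.items():
        history = []  # packet counts of non-alerting windows, in time order
        for window, b in sorted(windows, key=lambda x: x[0]):
            if len(history) >= min_history:
                baseline = sorted(history)[len(history) // 2]
                if b["packets"] >= factor * baseline:
                    alerts.append({
                        "dst": dst, "window": window, "packets": b["packets"],
                        "baseline": baseline, "sources": len(b["sources"]),
                        "kind": "ddos" if len(b["sources"]) >= min_sources else "dos",
                    })
                    continue
            history.append(b["packets"])
    return alerts


if __name__ == "__main__":
    for a in detect_volumetric(build_sample_flows()):
        print(f"{a['kind'].upper()} on {a['dst']} window {a['window']}: "
              f"{a['packets']} packets vs baseline {a['baseline']} from {a['sources']} sources")
```

The median rather than the mean is used for the baseline so that one earlier burst does not raise the bar for everything after it; in a real deployment the baseline would also be time-of-day aware, since a nightly backup run and a 9 AM login rush look like attacks against a flat baseline.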
Unauthorized network access
The IDS/IPS system in the SOC detected an unauthorized network access attempt. Thanks to integrated SIEM tools and the analysis of logs from various sources, the attack was identified, stopped at an early stage, and the appropriate response actions were carried out.
Many SIEM systems also tune themselves from analyst feedback, a capability often marketed as a machine learning function. If an alert recurs and is repeatedly closed as a “false positive,” the system lowers its priority or stops raising it after several such verdicts. This is useful, for example, when users log in at unusual times – such as a sales director working in the CRM at 2 AM. As experience shows, such situations do happen. Once the event has been verified several times as harmless to the organization’s IT environment, the system stops classifying it as a threat. The caveat is that a suppressed pattern is also a pattern an attacker can hide in, so such suppressions should carry an expiry date and be reviewed periodically rather than treated as permanent.
The SOC is becoming an indispensable part of the cybersecurity system – a guardian watching over the integrity and functionality of the organization. Monitoring diverse devices, analyzing their data, and reacting quickly to potential threats are not merely technical tasks but the foundation of a secure future. By implementing these practices, organizations protect their assets in an era where cybersecurity is a prerequisite for their ability to function at all.
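The pipeline described in the analysis section above (centralization, cross-host correlation, user profiles, and tuning from analyst feedback) and the unusual-hour login case just discussed can be shown together in one added example. This is illustrative code written for this article, not a product's logic or the original author's code; the log lines, hosts, user names and addresses are constructed, and the working-hour profiles are assumed rather than learned from history.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: auth events from a domain controller (dc01), a web server
# (web01) and a CRM host (crm01), already normalized by the collector.
# Hosts, user names and addresses are invented for this example.
SAMPLE_LOGS = """\
2024-05-06T01:58:03Z dc01 auth: user=j.kowalski src=203.0.113.7 result=FAIL
2024-05-06T01:58:05Z dc01 auth: user=j.kowalski src=203.0.113.7 result=FAIL
2024-05-06T01:58:07Z web01 auth: user=j.kowalski src=203.0.113.7 result=FAIL
2024-05-06T01:58:09Z dc01 auth: user=j.kowalski src=203.0.113.7 result=FAIL
2024-05-06T01:58:12Z web01 auth: user=j.kowalski src=203.0.113.7 result=OK
2024-05-06T02:03:40Z crm01 auth: user=a.nowak src=198.51.100.4 result=OK
2024-05-06T09:15:00Z crm01 auth: user=b.wisnia src=198.51.100.9 result=OK
"""

# Assumed working-hour profiles; a real SIEM learns these from weeks of history.
PROFILES = {"j.kowalski": range(7, 19), "a.nowak": range(8, 18), "b.wisnia": range(8, 18)}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(text):
    """Centralization: turn raw lines from every host into dicts with real timestamps."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # production code must count unparsed lines; silent drops hide attacks
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def correlate_bruteforce(events, window=timedelta(minutes=5), threshold=3):
    """Correlation: a success preceded by >= threshold failures for the same
    (source, user) within the window, no matter which host logged each attempt."""
    alerts, failures = [], defaultdict(list)  # failures: (src, user) -> events
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["src"], e["user"])
        if e["result"] == "FAIL":
            failures[key].append(e)
            continue
        recent = [f for f in failures[key] if e["ts"] - f["ts"] <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "bruteforce_success", "user": e["user"], "src": e["src"],
                           "hosts": sorted({f["host"] for f in recent} | {e["host"]}), "ts": e["ts"]})
        failures[key].clear()  # a success closes the failure run
    return alerts


def detect_unusual_hours(events, profiles):
    """Context: flag successful logins outside the user's profiled hours."""
    return [{"rule": "unusual_hour", "user": e["user"], "src": e["src"], "hosts": [e["host"]], "ts": e["ts"]}
            for e in events
            if e["result"] == "OK" and e["ts"].hour not in profiles.get(e["user"], range(24))]


def apply_feedback(alerts, benign_verdicts, min_benign=3):
    """Tuning: an alert whose (rule, user) pair analysts closed as benign at least
    min_benign times is suppressed rather than paged. Suppressions should expire and
    be re-reviewed, or an attacker acting in the 'learned' window inherits the exemption."""
    kept, suppressed = [], []
    for a in alerts:
        (suppressed if benign_verdicts.get((a["rule"], a["user"]), 0) >= min_benign else kept).append(a)
    return kept, suppressed


def run_pipeline(text, profiles=PROFILES, benign_verdicts=None):
    events = parse(text)
    alerts = correlate_bruteforce(events) + detect_unusual_hours(events, profiles)
    return apply_feedback(alerts, benign_verdicts or {})


if __name__ == "__main__":
    # Analysts have already closed three 2 AM CRM logins by a.nowak as benign.
    kept, suppressed = run_pipeline(SAMPLE_LOGS, benign_verdicts={("unusual_hour", "a.nowak"): 3})
    for a in kept:
        print("ALERT", a["rule"], a["user"], a["src"], a["hosts"], a["ts"].isoformat())
    for a in suppressed:
        print("suppressed", a["rule"], a["user"])
```

On the sample data the brute-force rule fires only because failures on dc01 and web01 are counted together per source and user; either host alone stays below the threshold, which is the point of centralizing and correlating. Note that the same 01:58 success for j.kowalski also trips the unusual-hour rule, and that feedback suppresses only the (rule, user) pair analysts actually reviewed, so a.nowak's night-time logins are quieted while a brute-force alert on that account would still page.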
