Besides being the most fun I’ve had on a computer**, I thought I’d document some excellent reasons your business needs a Security Information and Event Management platform (SIEM). There’s nothing (I’ve ever come across) that offers a more holistic view of what’s actually happening on a network. Much like an AWACS on a battlefield or the human body’s central nervous system, it assimilates input from many different sources into a single place for integration. Once collected, correlations can be made that otherwise would be very difficult.

While I was a system administrator, I learned this valuable lesson from Microsoft Outlook. Several people had reported Outlook randomly saying it was “offline,” but it would correct itself in 15-30 seconds. No one reported web pages that wouldn’t load or any other signs of a disconnection from the internet. I didn’t think much of it the first few times, but it became so frequent I had to figure out what was going on. I started capturing the error codes in Splunk (my favorite SIEM). A few days after that, I had enough information to start digging. Nearly everyone’s Outlook was getting this “We lost connection to the cloud exchange server” error. Because I was viewing it through Splunk, I could easily see the error was happening for clients at the same time across the entire organization (one more reason time normalization is a must!). That insight told me it wasn’t a client issue but something network related. Sure enough, an inspection of the back of the server room revealed a little device, owned by our ISP, with a high-temp light on (if that device were mine, I’d have been collecting logs off it and been notified of the high temp immediately – but then I wouldn’t get to write this fun blog!). It turns out that device was overheating: not badly enough to drop connections completely, but enough that highly sensitive apps were noticing. Thankfully, a call to the ISP got the device replaced before a complete outage. Without a SIEM, there’s no way I would have had the data needed to correlate all that.
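The cross-client correlation that story relies on, as an added Python example (not code from the original post or from Splunk): timestamps from two sites logging in different time zones are normalized to UTC, bucketed into one-minute windows, and a window in which the same error hits several distinct hosts is flagged as a shared-infrastructure problem rather than a client one. The hostnames, error code and timestamps are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events, one per line: "<ISO-8601 timestamp with offset> <host> <error>".
# The New York and London workstations log in their own local time zones.
SAMPLE_EVENTS = """\
2023-03-14T09:15:02-05:00 ws-ny-01 OUTLOOK_CLOUD_EXCHANGE_LOST
2023-03-14T15:15:04+01:00 ws-lon-07 OUTLOOK_CLOUD_EXCHANGE_LOST
2023-03-14T09:15:07-05:00 ws-ny-13 OUTLOOK_CLOUD_EXCHANGE_LOST
2023-03-14T15:15:11+01:00 ws-lon-02 OUTLOOK_CLOUD_EXCHANGE_LOST
2023-03-14T11:40:33-05:00 ws-ny-01 OUTLOOK_CLOUD_EXCHANGE_LOST
2023-03-14T12:02:45-05:00 ws-ny-05 OUTLOOK_CLOUD_EXCHANGE_LOST
"""


def parse_events(text, normalize=True):
    """Return (timestamp, host, error) tuples with every timestamp converted to UTC.

    normalize=False reproduces the mistake a SIEM must avoid: the local wall-clock
    time is read as if it were already UTC, so events from different sites drift apart.
    """
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, error = line.split()
        dt = datetime.fromisoformat(ts)
        dt = dt.astimezone(timezone.utc) if normalize else dt.replace(tzinfo=timezone.utc)
        events.append((dt, host, error))
    return events


def bucket_hosts(events, window_seconds=60):
    """Map (window start as ISO-8601 UTC, error) -> set of distinct hosts seen in that window."""
    hosts_by_window = defaultdict(set)
    for dt, host, error in events:
        start = int(dt.timestamp()) // window_seconds * window_seconds
        key = (datetime.fromtimestamp(start, timezone.utc).isoformat(), error)
        hosts_by_window[key].add(host)
    return hosts_by_window


def org_wide_windows(events, window_seconds=60, min_hosts=3):
    """Windows where one error hit at least min_hosts distinct hosts: a network-side signal."""
    return {key: sorted(hosts)
            for key, hosts in bucket_hosts(events, window_seconds).items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for (start, error), hosts in org_wide_windows(parse_events(SAMPLE_EVENTS)).items():
        print(f"{start} {error}: {len(hosts)} hosts -> {', '.join(hosts)}")
```

With normalization off, the same six events split into two windows of two hosts each and nothing is flagged, which is exactly the correlation the story would have missed.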

One more story and I’ll be done. This was several years ago, right before Internet Explorer officially died. I stumbled across yet another “stop using IE, people!” security article on the internet and wondered if anyone at my company still used it (always stay curious in security!). “Surely,” I thought, “we all stopped using it years ago.” To my horror, a quick query in Splunk revealed it was still in use in my organization. Because event details are so easy to correlate, I could filter on them and found there was only one person who had used it in the last 6 months. A trip over to their desk and an easy conversation later, they pulled a checklist out of a drawer and said, “Well, here’s the process I follow every week.” I looked at the checklist and found: Step 1: Go to desktop and open internet. Sure enough, on the desktop was a shortcut called “Internet,” and it popped open good old Internet Explorer. I didn’t know Windows 10 would still open IE, but it did. With a simple swap of a shortcut to a modern browser, the entire organization was more secure. I even called it “Internet” so the checklist didn’t need to be reprinted.

Hopefully that’s helpful in your ongoing security journey!


** This grandiose statement excludes the following:
That feeling you get when you’re almost done building your own desktop and plugged in all those little cables for the power, lights, and speakers and watch it boot up for the first time.
Starcraft (yes, I mean the first one!)
Left 4 Dead 2 (or 1, for that matter)
Age of Empires (1,2,3)
Half Life (any of them and the Portals)
Sins of a Solar Empire when you’re playing as the Vasari and get your Maw Titan leveled up so you can inhale all the little enemy crafts around you.
Cannon Fodder (forever in our hearts Jools and Stoo)
BroForce when you’re on a really good streak with a character and don’t keep spawning worthless melee ones that only live 3 seconds
When you use the satellite-based ion cannon in Command & Conquer to kill your friend’s commando at a LAN party.

Wait, what was this blog post about?