Using their SIEM solutions, companies usually monitor security events correlated into offenses with their indicated duration, severity, type, source and destination IPs, log sources, etc. These details help security administrators and analysts to monitor both internal and external threats and to detect a real user performing an attack. In this regard, an offense represents a successfully accomplished malicious activity by external attackers or malicious insiders who found a loophole in the corporate network.
However, this traditional approach to SIEM doesn’t allow companies to inspect configuration of their network devices and understand if they contain critical vulnerabilities that open the doors to intruders. It is impossible either to look into the heart of an offense and define not only the fact of an intrusion itself but also its path and network points that let an attacker in.
Why SIEM Capabilities May Be Not Enough
Let’s take an example to understand why a usual set of SIEM features may be insufficient for investigating security incidents.
Some company introduced a corporate security policy that strictly prohibits two-way communication with bad-reputation IPs. For this purpose, a system administrator configured the corporate firewall to block all possible connections with unsecure IPs. However, even with the necessary configurations made, a SIEM system periodically reports offenses triggered by the registered communication with prohibited IPs.
With SIEM features enabled, this riddle would be very hard to solve since a SIEM system captures the violation without disclosing any conditions that preceded it. That’s why the security administrator wouldn’t be able to understand neither why this kind of an attack happened nor how exactly it occurred, since there could be multiple offense scenarios: the firewall had an unknown vulnerability, or system administrators made a configuration error or a rogue system administrator intentionally enabled the connection to compromise the network.
When Monitoring the Network Configuration Is Vital
The foregoing example proves that data provided within a SIEM solution sometimes isn’t enough to find the initial cause of an offense. That’s why a SIEM functionality has to be extended with network configuration monitoring in order to:
Prevent offenses made possible by network misconfiguration. IT networks aren’t static and unchangeable, as system administrators regularly install new software and hardware, launch updates, change system configuration, etc. These changes can create vulnerabilities that make networks accessible for potential intruders. Since it’s impossible to follow every step of system administrators, it’s important to have a tool to monitor configuration changes, detect risky ones and eliminate them before they attract an attacker.
The reality shows thata high number of attacks occur not because intruders are highly skilled, but because organizations leave unpatched vulnerabilities in very important network nodes, thus literally inviting criminals to come in. The sooner a company detects a security loophole, the more chances they have to patch it before real attackers start their malicious activities.
Enforce a security policy. In a corporate security policy, companies usually determine all the allowed and prohibited communications within a corporate network. In reality, only a system administrator can guarantee the network compliance with the established policy. Without leaving it exclusively to human consciousness, organizations can extend their SIEM capabilities with dedicated tools for detecting security policy violations related to the network misconfiguration.
Network Configuration Monitoring Features to Consider
To analyze which features can help companies to reinforce their existing SIEM functionality, let’s take the example of IBM Security QRadar Risk Manager, a specialized tool that integrates with IBM Security QRadar SIEM to monitor network device configurations, show possible changes to an IT environment and assess existing and potential vulnerabilities in a network by enabling security administrators to:
Visualize network connections. Provided with dedicated network monitoring tools, security specialists can automatically build their network topology and discover both existing and possible connections between network devices in order to immediately identify and close risky communications throughout the network.
Discover network configuration changes. Using network monitoring tools, security administrators can untangle the riddle of undesirable connections with bad-reputation IPs in just a minute, since network monitoring is a direct way to get detailed data on network appliance configuration (e.g. firewalls, switches, and IPSs), as well as to compare device configuration against different timeframes to detect changes along with those who make them.
Pinpoint vulnerabilities in network devices. Coupled with vulnerability scanners, network configuration monitoring tools allow identifying current vulnerabilities in all the network nodes, thus letting a security department anticipate potential attacks and patch existing loopholes.
Test a network for policy compliance. Assisted by SIEM experts, a company can also extend their SIEM solutions with dedicated features to assess their network compliance with the corporate security policy. This will also enable investigating if any policy rules have been already violated or can be violated because of existing vulnerabilities or misconfigurations.
In QRadar Risk Manager, this functionality is represented as a set of predefined questions enabling security administrators to test their networks for possible communication with forbidden networks or assets. Additionally, the question allow to assess if users are able to use forbidden protocols and check if corporate firewall configurations are aligned with the corporate policy.
Simulate network attacks. Though usually companies turn to penetration testers to look for security weaknesses, advanced network monitoring features can be used to carry out recurrent simulations of network attacks without involving professional penetration testers. This capability will allow security administrators to work in tandem with system administrators and assess a possible impact of network configuration changes before their real implementation.
As for QRadar Risk Manager, it provides security specialists with the opportunity not only to assess the physical network condition, but also to create virtual network topologies with different configurations and perform potential attacks to analyze their effect on the network.
Though a SIEM system is an irreplaceable source of data on security events within a corporate network, sometimes traditional SIEM features aren’t enough to understand the nature of an offense, which makes it difficult to eliminate the root cause of such an offense and prevent its recurrence. To address this challenge, companies can reinforce their SIEM solutions with network configuration monitoring features allowing to constantly control changes made to the network and to assess risks of potential intrusions.