Rule As a Code — SureLog Correlation Engine and Beyond

SureLog SIEM
4 min readNov 10, 2018

SureLog SIEM is a security platform which differs from many SIEM products. The main difference is; correlation engine which you can develop your own logic with a High-Level Domain-specific Language. There is no restriction in the logic because you can develop your logic in JAVA including Machine learning, statistical methods and artificial intelligence. SureLog is ready for the fallowing ML libraries also.

· https://www.tensorflow.org

· http://mahout.apache.org

· http://spark.apache.org/docs/latest/mllib-guide.html

· https://github.com/padreati/rapaio

SureLog has a correlation engine and has a feature called Rule As a Code which is Rule+Code.

SIEM is complex — and everyone knows it. Requires personnel and needs configuration.

This is why current SIEM trends are Co-Managed or Managed SIEM projects. It is obvious that end users do not want to spend time in order to develop SIEM rules. They want that rules are developed by experienced consultants or companies. So, instead of working fully on correlation wizard (GUI) side — which is used by end users, we found to remove barriers on detection capabilities (correlation engine+coding framework) of SIEM is more valuable and we developed a coding framework in order to open borders of SIEM correlation restrictions.

How does SureLog differs from a SIEM tool?

First and foremost, it comes back to the additional services, expertise and experience that our human team provides.

SureLog Correlation is based on rules and coding framework:

Rules are predefined to detect patterns. They are continuously enhanced and customized.

Coding framework comprises the correlation engine’s abilities to develop any logic as a SIEM rule.

SureLog is using JAVA as a High-Level Domain-specific Language which removes barriers for rule creation for the SIEM system. For example:

· Monitor if one of your IT staff will leave the company (HR logs), and he is reaching machines which is not reached before or reaching his machines after work hours and sending some documents to public storage sites.

· You have an outlier algorithm in Python and want to apply this to last month.

· You have any Scala code for anomaly detection and want to apply this

· Java bindings for Yara ( https://github.com/Yara-Rules/rules)

· You want to ping to a critical server and ping time is > 0.3 mis you want to

dump new logged in users and after which processes those users started

· If Value of a cell is more than %50 of standart deviation of Column A on Table B Notify

With the correlation framework (rule engine plus real time free form java rule interpreter) it is easy to develop a statistical anomaly detection rules as well as many other ML and AI algorithms.

Any java code can be injected to the system without the need of restart.

Some SIEM solutions may not detect some attacks, but custom code and advanced analysts do.

The team needs to build the value on top with custom code. Whether it is old school analytics (most people would call trend charts) or newer analytics (involving supervised machine learning and temporal behavioral analysis), a great deal of security expertise and historical analysis goes into the most reliable detection organizations have built on the data they happen to store in their SIEM. The resource-blessed security team is not operating with default SIEM detection, but rather using its data as source for their complex software, which looks for patterns, and strings together search queries to improve their chances and use the available search capabilities for the investigation. This doesn’t mean your team is using the SIEM as a database. The best SIEM solutions out there just allow you to build this custom code on top of their data by providing software development kits. This works extremely well for Co-Managed and Managed SIEM projects.

Open coding framework is different from black-box technologies like UEBA, NBA.

A crucial component of SureLog’s correlation coding framework accuracy and effectiveness is the fact that coding and production results are fully transparent and traceable, something not possible in ‘black-box’ solutions like machine-learning approaches. Current UBA tools are coming with a fixed configuration of analytics and is hidden Vendors can’t sell black boxes. Users need to understand what a machine learning model is doing and how they themselves can manage, control and tune the results as needed.

Some vendors have come up with an innovative approach to this black box dilemma for their clients. machine learning engines automatically generate rules using attributes provided by their ML models.

Originally published at https://medium.com on November 10, 2018.

--

--