Threat Detection in SureLog SIEM

SureLog SIEM
3 min read · Jul 31, 2023

Threat detection is a complex and challenging task, and it requires a multi-layered approach to effectively identify and mitigate potential threats. There is no one-size-fits-all solution that can handle all types of threats, which is why it’s important to deploy a combination of different detection methods. Here are some approaches that can be used to develop an effective threat detection system:

1. Complex Event Processing (CEP) Based (Real-Time): CEP systems analyze and correlate real-time events from various sources to detect patterns or sequences of events that may indicate a threat. By processing events in real time, potential threats can be identified and responded to quickly.

2. Real-Time Sigma Rules: Sigma rules are a standardized, vendor-neutral format for representing detection logic. Tools such as https://uncoder.io/ translate Sigma rules into the query languages of SIEMs like QRadar or Splunk, but the translated queries are run as searches; they are not real-time or automatic. Real-time Sigma rules are instead evaluated continuously against incoming data streams, so a specific threat indicator or pattern is flagged as the matching event arrives.

3. SQL Streaming Based Rules: SQL streaming allows for the continuous processing of incoming data streams using SQL queries. By formulating rules in SQL, it becomes possible to analyze data in real time and detect threats based on predefined conditions.

4. Behavior Analysis: Behavior analysis involves monitoring and analyzing user and system behavior to identify deviations from normal patterns. By establishing baselines and detecting anomalous behavior, potential threats can be detected.

5. Anomaly Detection (Outliers): Anomaly detection techniques aim to identify data points or events that significantly deviate from expected patterns. By using statistical models or machine learning algorithms, anomalies can be detected, which may indicate potential threats or malicious activities.

6. Comparative Correlation: Comparative correlation involves comparing the current activity with historical data or predefined thresholds. By comparing recent activity with previous periods (e.g., last hour versus last day/week/month), suspicious patterns or changes can be identified.

7. Detection (Rule) as Code: This approach represents detection rules as code, which allows easier maintenance, version control, testing, and collaboration among security teams, and makes rule management and updates more efficient. Java, Myel, and Python are the main languages for rule as code. These languages are commonly used for developing custom detection algorithms or implementing existing threat detection techniques. Choosing the appropriate language depends on factors such as performance requirements, integration capabilities, and the expertise of the development team.
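To show how items 2, 6 and 7 fit together, here is an added example (written for this post, not SureLog's code) in which a Sigma-style rule is evaluated per event as it arrives and a comparative-correlation check compares the current window's hit count with the average of earlier windows. The rule, the event fields and the time windows are all constructed for the illustration.

```python
import fnmatch
from collections import deque

# Constructed Sigma-style rule (same shape as Sigma's detection section,
# reduced to a 'selection and not filter' condition).
RULE = {
    "title": "Failed network logon from a non-service account",
    "detection": {
        "selection": {"EventID": 4625, "LogonType": 3},
        "filter": {"TargetUserName": "svc_*"},
        "condition": "selection and not filter",
    },
}

def _match(block, event):
    """True when every field in the block matches the event (string wildcards allowed)."""
    for field, expected in block.items():
        actual = event.get(field)
        if isinstance(expected, str):
            if not isinstance(actual, str) or not fnmatch.fnmatchcase(actual, expected):
                return False
        elif actual != expected:
            return False
    return True

def sigma_match(rule, event):
    """Evaluate the rule against a single event as it streams in (no search query)."""
    det = rule["detection"]
    return _match(det["selection"], event) and not _match(det["filter"], event)

class ComparativeCorrelator:
    """Flags a window whose hit count exceeds `factor` x the mean of prior windows."""
    def __init__(self, history=3, factor=3.0):
        self.past, self.factor, self.current = deque(maxlen=history), factor, 0
    def roll(self):            # close the current time window
        self.past.append(self.current)
        self.current = 0
    def hit(self):             # register one rule hit; True if the window is anomalous
        self.current += 1
        baseline = sum(self.past) / len(self.past) if self.past else 0
        return len(self.past) == self.past.maxlen and self.current > max(1, baseline) * self.factor

def process(windows, rule=RULE, correlator=None):
    """Return per-window hit counts and the indexes of windows that raised an alert."""
    correlator = correlator or ComparativeCorrelator()
    hits, alerts = [], []
    for i, events in enumerate(windows):
        for ev in events:
            if sigma_match(rule, ev) and correlator.hit() and i not in alerts:
                alerts.append(i)
        hits.append(correlator.current)
        correlator.roll()
    return hits, alerts

def fail(user, logon_type=3):   # constructed failed-logon event
    return {"EventID": 4625, "LogonType": logon_type, "TargetUserName": user}

# Constructed windows: three quiet baseline windows, then a spike of failures.
WINDOWS = [
    [fail("alice"), fail("bob"), fail("svc_backup")],
    [fail("alice"), fail("carol", logon_type=2)],
    [fail("bob"), fail("dave"), fail("svc_sql")],
    [fail(f"user{n}") for n in range(10)],
]
```

Only the fourth window alerts: its ten hits exceed three times the baseline of about 1.7 hits per window, while the service-account and interactive-logon events never count as hits.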

By deploying a multi-layered detection system that combines various methods like CEP, real-time sigma rules, SQL streaming, behavior analysis, anomaly detection, comparative correlation, and utilizing detection as code and different programming languages, organizations can enhance their ability to detect and respond to threats effectively. It’s important to regularly update and refine these detection techniques to keep up with evolving threat landscapes and new attack vectors.

Deploy a multi-layer detection system, since no single detection method can find all threats. SureLog SIEM supports:
