How to Overcome SIEM Limitations for Network Security

Overcoming the Limits of SIEM for Network Security

SIEM technology has been in existence for more than a decade, providing consolidated security reports from correlated event logs, often primarily in order to achieve compliance with security standards. But SIEM can do better: correlated security events can be used to trigger alerts and an appropriate reaction from SOC (Security Operations Center) teams.

Effective SIEM deployment benefits from all the specialized network security components already in place. Just like a manager delegating tasks to the expert members of their team, the SIEM should delegate part of the analysis to specialized security solutions so that it can focus on what matters most: qualified security events.

This is particularly true for DNS security. While SIEM is perfectly suited to post-mortem analysis or threat investigation, it is not built for real-time analysis of the high volume of data coming from DNS logs, which in any case reflect only part of each DNS transaction. That requires a purpose-built security solution to detect threats and protect the DNS service efficiently, while enabling the SIEM to trigger coordinated responses from all network components.

Massive volumes, false alerts and staff overload

Competent security requires efficient analysis of network activity. Unfortunately, too often SIEM is used mainly to analyze raw data, which is far from a cost-effective use of this great tool. It is particularly inappropriate when it comes to handling the massive volumes of logs generated by DNS traffic. A DNS server farm handling 100,000 queries per second, for example, answers roughly 8.6 billion queries per day; at around 64 bytes per log line, that is 552GB of logs per day. Few SIEM deployments are sized, or licensed, to correlate that ingest rate in real time, and attempting it typically leaves the SIEM lagging far behind real time.

Furthermore, this large amount of unqualified activity also affects the quality of SIEM responses. Analysts such as Forrester Research have noted that the software itself is not completely accurate in distinguishing acceptable activity from a genuine potential threat. The discrepancy leads to high numbers of false alerts, creating “alert overload” for security personnel and relegating SIEM to the role of a post-mortem analysis tool.

From historical analysis, SIEM is able to help identify threats on the network, such as an infected device or a suspect employee copying huge amounts of data to which they have not been granted access. But as the analysis is not carried out in real time, attacks are often detected too late, in particular data exfiltration attempts, so the theft is not discovered until long after the event.

Ensuring efficient threat detection requires looking for relevant security events. As is the case for next-generation firewalls, dealing with raw DNS query logs at SIEM level is not a solution for securing a DNS service. Having only partial visibility over DNS transactions, without any notion of client context, dramatically limits the SIEM's ability to detect threats accurately and creates a high risk of false positives. That risk is usually deemed unacceptable, so threat response from the SIEM ends up limited, whereas it could be used to do much more.

SIEM technologies are resource-intensive and require experienced staff to implement, maintain and fine-tune specific monitoring rules for each analyzed protocol. This quickly becomes an issue, as few organizations have the funding or the desire to invest in staff for this. SIEM software therefore needs quality data for maximum yield, so organizations need help defining and providing qualified security events.

Purpose-built security for improved SIEM event quality

When it comes to network security, the two main questions today are: 1. How fast can you detect threats? and 2. How efficiently can you protect against them? The DNS service sits at the core of the IP network, benefiting from wide visibility over network activity and dealing with vast amounts of traffic. However, the corresponding traffic logs give little indication of which queries are real threats, and dealing with the resulting amount of data is resource intensive. To make the most efficient use of SIEM, purpose-built DNS security is needed to bring in-depth visibility over DNS traffic and to forward only the events which have been qualified, for the SIEM to process.

To distinguish real alerts from false ones coming from DNS, real-time advanced analytics must be incorporated. That requires a DNS Transaction Inspection (DTI) capability able to provide behavioral threat detection in the context of each client, so that the appropriate countermeasure can be applied. This built-in DNS security is essential, as it brings extended visibility on network activity while preventing service downtime and blocking exfiltration attempts that use the DNS protocol.

DNS security components contribute to overall network security by preventing connected devices from reaching malicious domains and related internet resources. Events resulting from the analysis of DNS transactions, together with threat intelligence on domain reputation, should be used to supplement traditional logs, allowing the SIEM to contextualize the threat by knowing: a) why the request was identified as malicious (e.g. phishing), and b) who initiated it.
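As an added illustration of the pre-qualification step described in the two paragraphs above (this is example code written for this article, not EfficientIP's DTI engine or any product code), the Python script below reduces raw DNS query lines to a handful of events that already carry the who and the why. It combines a constructed domain-reputation list with a per-client behavioural heuristic for DNS tunnelling: many distinct, high-entropy subdomains of one registered domain from one client. The log line format, the reputation entries, the thresholds and the client addresses are all invented for the example; only the Python standard library is used.

```python
import json
import math
from collections import Counter, defaultdict

# Constructed sample, one query per line: "<timestamp> <client_ip> <qname> <qtype>".
# Invented format and invented traffic; 10.1.2.5 is querying many random-looking subdomains.
SAMPLE_LOG = """\
2024-05-02T10:00:00Z 10.1.2.3 www.example.com A
2024-05-02T10:00:01Z 10.1.2.3 mail.example.com MX
2024-05-02T10:00:02Z 10.1.2.4 login-secure-update.example A
2024-05-02T10:00:03Z 10.1.2.4 www.example.com A
2024-05-02T10:00:04Z 10.1.2.5 k3v7x9m2p4r8t1w5.x1.exfil.example TXT
2024-05-02T10:00:04Z 10.1.2.5 q6y0z8a1b2c3d4e5.x2.exfil.example TXT
2024-05-02T10:00:05Z 10.1.2.5 f7g8h9j0k1l2m3n4.x3.exfil.example TXT
2024-05-02T10:00:05Z 10.1.2.5 p5q6r7s8t9u0v1w2.x4.exfil.example TXT
2024-05-02T10:00:06Z 10.1.2.5 x3y4z5a6b7c8d9e0.x5.exfil.example TXT
2024-05-02T10:00:06Z 10.1.2.5 g1h2j3k4l5m6n7p8.x6.exfil.example TXT
2024-05-02T10:00:07Z 10.1.2.6 cdn.example.com A
2024-05-02T10:00:07Z 10.1.2.6 img1.example.com A
2024-05-02T10:00:08Z 10.1.2.6 img2.example.com A
"""

# Constructed threat-intelligence feed (hypothetical entry): registered domain -> reason.
DOMAIN_REPUTATION = {"login-secure-update.example": "phishing"}

# Behavioural thresholds for the tunnelling heuristic; illustrative values, tune per site.
MIN_UNIQUE_SUBDOMAINS = 5  # distinct subdomains of one registered domain from one client
MIN_LABEL_ENTROPY = 3.5    # mean Shannon entropy (bits/char) of the leftmost label


def parse_line(line):
    """Split one log line into (ts, client, qname, qtype); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return ts, client, qname.rstrip(".").lower(), qtype


def registered_domain(qname):
    """Naive eTLD+1 (last two labels); a real deployment should use the Public Suffix List."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(text):
    """Bits per character; encoded payloads in labels score high, plain words score low."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0


def qualify(raw_log):
    """Return (events, stats): qualified who/why events plus raw-line and event counts."""
    events, raw_lines, reputation_hits = [], 0, set()
    # Per (client, registered domain): first timestamp, distinct subdomains, label entropies.
    behaviour = defaultdict(lambda: {"first_seen": None, "subdomains": set(), "entropy": []})

    for line in raw_log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        raw_lines += 1
        ts, client, qname, qtype = rec
        rdom = registered_domain(qname)

        # 1. Domain reputation gives the "why" directly; one event per client and domain.
        reason = DOMAIN_REPUTATION.get(rdom) or DOMAIN_REPUTATION.get(qname)
        if reason and (client, rdom) not in reputation_hits:
            reputation_hits.add((client, rdom))
            events.append({"who": client, "why": reason, "domain": rdom, "evidence": qname,
                           "qtype": qtype, "first_seen": ts, "source": "reputation"})

        # 2. Accumulate per-client behaviour on each registered domain.
        state = behaviour[(client, rdom)]
        state["first_seen"] = state["first_seen"] or ts
        if qname != rdom:
            state["subdomains"].add(qname[: -len(rdom) - 1])
            state["entropy"].append(shannon_entropy(qname.split(".")[0]))

    # Evaluate behaviour once the window is consumed: many distinct, high-entropy subdomains
    # of one registered domain from one client is the classic DNS tunnelling signature.
    for (client, rdom), state in behaviour.items():
        if len(state["subdomains"]) < MIN_UNIQUE_SUBDOMAINS:
            continue
        mean_entropy = sum(state["entropy"]) / len(state["entropy"])
        if mean_entropy >= MIN_LABEL_ENTROPY:
            events.append({"who": client, "why": "possible DNS tunnelling / data exfiltration",
                           "domain": rdom, "unique_subdomains": len(state["subdomains"]),
                           "mean_label_entropy": round(mean_entropy, 2),
                           "first_seen": state["first_seen"], "source": "behaviour"})

    return events, {"raw_lines": raw_lines, "events": len(events)}


if __name__ == "__main__":
    evts, stats = qualify(SAMPLE_LOG)
    # Newline-delimited JSON is the form most SIEM collectors ingest directly.
    print("\n".join(json.dumps(e, sort_keys=True) for e in evts))
    print(f"{stats['raw_lines']} raw lines -> {stats['events']} qualified events")
```

On this constructed input, 13 raw query lines become 2 events, and each event already states who (the client address) and why (the reputation category or the behavioural signature), so the SIEM correlates events rather than parsing query logs. The thresholds are deliberately simple; a real DTI engine would evaluate a rolling time window, derive the registered domain from the Public Suffix List, and compare each client against its own baseline before raising an event.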

Holistic network security: putting SIEM focus on events, not logs

For securing your DNS, and hence your network, SIEM needs a helping hand to ensure it focuses on handling events instead of logs. Purpose-built DNS security solutions enrich the network security ecosystem, complementing SIEM, DLP and endpoint detection solutions to enhance threat detection and mitigation.

Solutions offered by innovators such as EfficientIP provide advanced DNS analytics for behavioral threat detection, combined with in-depth visibility of DNS traffic, in order to collect and store, in real time, advanced statistics on a global and per-client basis. This extends threat visibility well beyond known attack patterns and quickly outdated blacklist mechanisms, enabling identification of the most advanced attacks in order to ensure business continuity and data confidentiality. Any network manager would surely be happy with that kind of help.

Want to learn more about filling the gaps in your current security infrastructure? Read the DNS security solutions paper now.