At this year's Infiltrate Security Conference in Miami, John Grigg walked the audience through a typical target network into which a well-known and widely used SIEM had been integrated, to show participants how an attacker could get onto the SIEM, find intel, and cover their tracks.
Though SIEM technologies are supposed to help secure the networks, Grigg said that they are often misconfigured, which creates more vulnerabilities.
Even though some of the legacy tools are pretty cool, Grigg said the problem is that no one really knows the platform that well. "The vendor who built it knows it from a design standpoint. Then there's the resellers, the guys who install it, the internal IT guys who inherit the systems, but they tend to never really focus on it."
By the time they have called in an expert to help fix a problem, they are at least a few degrees of separation away from the people who know the product.
Even though the designers and programmers know their piece really well, they aren't always seeing the big picture, said Grigg.
"A lot of the vulnerability is bad configurations which stem from poor consultancy. These things weren't meant for a huge company," Grigg said. He's hardly pointing the finger at anyone to lay blame, as Grigg said that in his earlier years he had likely provided some bad consultancy.
"I started to notice buddies of mine who were really good consultants, and watching them do their work, I thought, 'I probably shouldn't be allowed to touch this stuff'. Unfortunately, it's the norm to have bad consultants," Grigg said.
Many companies hire a third party to come in as the 'fix it' people. Those who specialized in SIEM platforms, as Grigg eventually did, found themselves "fixing what was super messed up," he said.
Because so much of the SIEM industry is legacy software that was the same tool just redesigned and rebranded, Grigg said, "Those back doors still exist on there today."
Another issue is that, "A lot of SIEMs don't get patched because people don't want to make a mistake. They are a giant way into the network, and there are always new features being added in that present new vulnerabilities," Grigg said.
Forrester Research senior analyst Joseph Blankenship wrote in a recent report, "Vendor Landscape: Security Analytics (SA)," that "In its first incarnation, [SIM] failed to live up to its expectations because it lacked the ability to ingest, correlate, and analyze large amounts of data from a variety of sources."
However, the accuracy of the rules-based technology is not its only downfall. Mark Orlando, CTO at Raytheon Foreground Security, said, "One of the biggest ones is that in many cases the SIEM infrastructure isn’t managed like the rest of the network."
When the basic practices of keeping systems patched and managed are not applied to the security infrastructure itself, the platform is left exposed. "In some cases the folks that manage the whole network aren't managing the infrastructure at all, so it's not up to date and it's not being managed," Orlando said.
Positioning the SIEM as the hub for critical and sensitive data also makes it vulnerable. "When they are aggregating that much sensitive data into a central location, they are positioning this hub as a pretty big target for an attacker," Orlando said.
In many cases, organizations have given their SIEMs a lot of access, and Orlando said the concern is not only access to the SIEM itself but also the access the SIEM holds in order to proactively collect data from other parts of the network.
A SIEM is a complex architecture of databases, web servers, application servers and more, and within all of those components is a huge list of applications, said Orlando.
"Each of those components needs to be maintained separately. They need to think about which components talk to others and think about ports and protocols. They need to make sure they are patching and updating," Orlando said.
Best practices in security include managing people, processes, and technology, but Orlando said that often, "There are ports and protocols that would never be exposed but because it's part of their SIEM, people don't pay attention to it."
As a result, researchers and attackers are looking at and targeting the SIEM.
In order to mitigate the risks to enterprise security, "The same security best practices everywhere else in the network apply to the infrastructure. Minimizing access, reducing attack surface, reducing ports and protocols to only allow what is necessary to get the data."
Matt Rodgers, head of security strategy at E8 Security, said that although he hasn't heard many people talking about the vulnerabilities that exist within a SIEM, "With any security practice, it comes down to people, process, and technology."
"Vulnerabilities in any tool obviously need to be addressed, but I think one reason I haven't heard much on this topic is that a lot of the security operations teams function in an environment that they believe is relatively stable and safe," Rodgers said.
Whether that is a fair or faulty assumption, Rodgers said, the specific vulnerabilities that exist in a SIEM or any other tool should be shaken out by the processes they follow.
Despite its widespread use, SIEM isn't really so much a security tool as it is a management tool. As is the case with most legacy tools, the next 10 technologies are using machine learning and AI to provide better and more efficient capabilities.
"If you look at the marketplace, vendors have started building security analytics (SA), and some SIEM vendors are trying to encroach on the SA vendors by claiming some of their adjacent use cases," said Rodgers.
Even in the biggest SOCs in the world today, there is a set of use cases that are addressed with SIEM, said Rodgers, but "Others have evolved that require a different approach. We will see these and other tools become much more integrated and able to share data and intelligence to provide better service."
Some of the new players are in a really good position in that they have an almost unfair advantage, having grown up in an environment that includes lots of open source tools and technology, said Rodgers.
Regardless of whether they rely on the legacy SIEM tools or the next-gen SA tools, Grigg said, "Know the product. Do some sort of internal penetration test of the SIEMs, or the flip side would be to bring in red team vulnerability assessments, and have really good coding practices."
The SIEM can touch everything, so organizations must make sure they are enforcing good practices: "Don't reuse passwords and don't use default passwords. That solves about 95 percent of the problem," said Grigg.