CHAPTER 6

What is event correlation?

An organization of any scale can have numerous suspicious activities in its network, and monitoring these activities can help secure your network from potential threats. For example, if a user account has 100 failed login attempts before a successful login, security administrators flag this as a suspicious activity.

Sometimes, defining the exact threshold that marks an activity as suspicious is difficult. In the above case, if the hacker cracks the password on the 90th attempt, the break-in will go undetected if your rule alerts you only after 100 failed logins followed by a successful login. To resolve this, you need a more efficient and reliable way of detecting possible threats.

Event correlation analyzes numerous events, adds business context to them, and draws connections between them in sequence before producing an actionable conclusion. Correlation compares sequences of activity against a set of rules. These rules allow your security information and event management (SIEM) solution to decide which suspicious activity should be treated as a potential security threat.

For example, you can define a correlation rule to look for events X and Y that occur in a specific order, where X is a number of failed login attempts from a user account from a particular IP address, and Y is a successful login from the same IP address to any machine in the network. With this rule in place, you'll get alerts every time a sequence of these events occurs in the network. The predefined factors in these events will help you differentiate potential threats from normal occurrences.
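As an added illustration (not code from this page or from any vendor's correlation engine), the X-then-Y rule above written as a small stateful correlator in Python; the sample events, hostnames, IP addresses, threshold and time window are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real log data): timestamp, outcome, user, source IP, host.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "failure", "alice", "10.0.0.5", "srv-web01"),
    ("2024-01-01T10:00:02", "failure", "alice", "10.0.0.5", "srv-web01"),
    ("2024-01-01T10:00:04", "failure", "alice", "10.0.0.5", "srv-web01"),
    ("2024-01-01T10:00:06", "failure", "alice", "10.0.0.5", "srv-web01"),
    ("2024-01-01T10:00:09", "success", "alice", "10.0.0.5", "srv-db02"),   # Y: success on another machine
    ("2024-01-01T10:05:00", "failure", "bob",   "10.0.0.9", "srv-web01"),
    ("2024-01-01T10:05:30", "success", "bob",   "10.0.0.9", "srv-web01"),  # below threshold: normal
]


def correlate_logins(events, threshold=3, window=timedelta(minutes=10)):
    """Rule: X = at least `threshold` failed logins from one source IP inside `window`,
    followed by Y = a successful login from that same IP to any host in the network.
    Returns one alert per matching X-then-Y sequence."""
    failures = defaultdict(deque)  # source IP -> timestamps of recent failed logins
    alerts = []
    for ts, outcome, user, src_ip, host in events:
        t = datetime.fromisoformat(ts)
        recent = failures[src_ip]
        while recent and t - recent[0] > window:
            recent.popleft()  # forget failures that fell out of the correlation window
        if outcome == "failure":
            recent.append(t)
        elif outcome == "success":
            if len(recent) >= threshold:
                alerts.append({"src_ip": src_ip, "user": user, "host": host,
                               "failed_attempts": len(recent), "success_at": ts})
            recent.clear()  # a success ends the sequence for this IP; start fresh
    return alerts


if __name__ == "__main__":
    for alert in correlate_logins(SAMPLE_EVENTS):
        print(alert)
```

Because the rule keys on the source IP rather than the host, the success on srv-db02 still matches the failures seen on srv-web01, which is the "any machine in the network" part of the rule.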

You can either create rules based on your business's needs, or use the rules shipped with your SIEM solution. The key to accurately detecting incidents is configuring the correlation engine of your security solution based on the nature of your business.

Securing your past and your present.

There are two types of correlation: static and dynamic.

  • Static correlation

    It's impossible for enterprises to always depend on a preventive security strategy. Breaches inevitably occur, and when they do, it's essential to analyze how and why they happened in order to prevent similar occurrences in the future and reduce their impact.

    Static correlation is the process of investigating historic logs to analyze the breach activity after an incident. Through static correlation, you can analyze log data and identify complex patterns in past events. This can help you discover threats that may have already compromised your network's security, or give you information about an ongoing attack.

  • Dynamic correlation

    Dynamic correlation detects security incidents in real time. With events being subjected to correlation rules as they occur, a SIEM solution is able to analyze incoming log data and look for attack patterns right away. Through dynamic correlation, organizations benefit from faster detection and response. This helps your network stay protected at all times.

Through static and dynamic correlation together, you can ensure that your organization's network has a timely defense against security attacks.
