Almost every company needs a solution for protecting its sensitive data and detecting suspicious activity in real time. Moreover, when an incident occurs, companies want to be able to present digital evidence in the courtroom. A security solution that just records and stores a host’s activity logs isn’t enough. Security vendors now have to worry about both security information and event management (SIEM) and digital forensics. This article covers the implementation of forensic features in SIEM solutions and the key requirements for ensuring the admissibility of collected data in court.
Digital forensics is the process of providing evidence from electronic devices in order to reconstruct past events. This process includes collecting, identifying, and validating digital data to ensure its integrity and admissibility in court.
The field of digital forensics is divided into a few main branches depending on the types of devices to which the forensics are applied:
- Cloud forensics
- Computer forensics
- Mobile forensics
- Network forensics
With the increase in the number of digital devices used for business purposes, nearly every company feels the need to be able to perform digital forensics. Digital forensics capabilities help companies determine what has happened within their networks and systems and better protect their sensitive data.
While dedicated forensic products are developed specifically for certified forensic investigators, the capabilities of security information and event management systems can ensure that data collected by security staff is provided in a forensic format for further analysis.
SIEM systems allow companies to collect and analyze log data in a central location from all devices, appliances, and hosts and to get notified about abnormal events immediately. Modern SIEM products can also correlate events across internal systems, calculate risks, and generate reports showing patterns in chaotic log data. These systems can also store and archive log data, parse it into events, and provide a query mechanism for searching and reconstructing log data. All these features of an enterprise SIEM solution are crucial for investigating suspicious activity and finding data breaches.
The main reason that companies choose to implement a SIEM solution at the enterprise level is compliance: centralized logging and event management are required by many security standards, such as the Health Insurance Portability and Accountability Act (HIPAA), Gramm–Leach–Bliley Act (GLBA), Payment Card Industry Data Security Standard (PCI DSS), and Sarbanes–Oxley Act (SOX).
Moreover, properly stored and protected logs can be useful for internal incident investigations and can even be admissible as evidence in court.
In 2006, the National Institute of Standards and Technology (NIST) issued its Special Publication 800-86, known as the Guide to Integrating Forensic Techniques into Incident Response, which contained recommendations for establishing forensic capabilities in security solutions. In addition, the NIST Guide to Computer Security Log Management (Special Publication 800-92) provides recommendations for effective log management.
SIEM systems record and store logs collected from various devices and hosts in a local network, and this information can contain the digital fingerprints of a cyber crime. Malicious activity leaves traces in event log data and syslog data that can be detected with SIEM technologies. Forensic analysis of log data allows security staff to figure out how and when a security breach occurred as well as to determine what systems and sensitive information were compromised and which users violated security protocols.
Integrating forensic features into your security solution will make it more effective and valuable for your customers. Thus, in addition to traditional log management and event correlation, you should also collect real-time data for forensic analysis.
However, developing a SIEM solution with forensic capabilities is not an easy task, as digital evidence collected by your product should be admissible in court. Court admissibility can be achieved only if forensic features can ensure adequate protection of log data. Consequently, forensic features should also meet the requirements for forensic products used by certified forensic investigators. Here are 10 requirements for forensic features in SIEM solutions.
The forensic features of your security solution must ensure that collected data is not tampered with in any way. Typically, this is achieved by storing a copy of the unmodified log entries alongside the normalized events in a backend database. Moreover, a SIEM solution should also have built-in functions for periodic backups and restores.
Your system should also have intrusion prevention mechanisms that can block the actions of an attacker who’s attempting to corrupt logs. If it’s problematic to guarantee that data hasn’t been modified, then the system report should provide information for forensic purposes about changes made during data collection and export. Your SIEM solution should also limit access to stored data. For instance, it should support role-based access so that only authorized security staff can access certain data.
Your SIEM functionality should also allow collecting data and storing it for further forensic analysis in a tamper-proof form. This is usually achieved by using integrity mechanisms, such as running hash checks on blocks of stored log data. Historical log data must be secured either with a checksum in the form of a popular hash – MD5, SHA1, SHA2, etc. – or with a digital signature.
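The following is an added example, not Apriorit's code, of the storage scheme described in the preceding paragraphs: every record keeps the unmodified raw line next to its normalized event, each record is chained to its predecessor with a SHA-256 hash, and the chain hash is authenticated with an HMAC under a key held by the log collector. Tampering with or deleting any stored record breaks verification; truncating the tail of the store is caught by comparing against a separately recorded head hash. The sample log lines, the key, and the simple normalizer are all constructed for this example.

```python
"""Added example (not Apriorit's code): a minimal tamper-evident log store."""
import hashlib
import hmac
import json

# Constructed secret; in a real deployment this lives in an HSM or key vault,
# separate from the database that holds the records.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"

# Constructed raw syslog-style lines from two sources.
SAMPLE_LINES = [
    "<86>Mar 10 12:01:05 fw01 sshd[2201]: Accepted password for alice from 10.0.0.7 port 51022",
    "<86>Mar 10 12:01:09 fw01 sshd[2201]: Failed password for root from 10.0.0.7 port 51030",
    "<14>Mar 10 12:01:10 app01 webapp: user=bob action=download file=payroll.xlsx",
]

GENESIS_HASH = "0" * 64


def normalize(raw_line: str) -> dict:
    """Best-effort parse into a normalized event; the raw line is stored regardless."""
    header, _, message = raw_line.partition(": ")
    parts = header.split()  # ["<PRI>Mon", "DD", "HH:MM:SS", "host", "tag"]
    host = parts[3] if len(parts) > 3 else "unknown"
    event = {"host": host, "message": message}
    if message.startswith(("Accepted password", "Failed password")):
        event["outcome"] = "success" if message.startswith("Accepted") else "failure"
        event["user"] = message.split(" for ")[1].split()[0]
    return event


def _chain_digest(prev_hash: str, raw: str, event: dict) -> str:
    """Hash covering the previous record's hash, the raw line and the normalized event."""
    payload = b"\n".join([prev_hash.encode(), raw.encode(),
                          json.dumps(event, sort_keys=True).encode()])
    return hashlib.sha256(payload).hexdigest()


def _tag(chain_hash: str) -> str:
    return hmac.new(INTEGRITY_KEY, chain_hash.encode(), hashlib.sha256).hexdigest()


def append_records(store: list, raw_lines) -> list:
    """Append records to the store, chaining each one to its predecessor."""
    for raw in raw_lines:
        prev_hash = store[-1]["chain_hash"] if store else GENESIS_HASH
        event = normalize(raw)
        chain_hash = _chain_digest(prev_hash, raw, event)
        store.append({"raw": raw, "event": event,
                      "chain_hash": chain_hash, "hmac": _tag(chain_hash)})
    return store


def head_hash(store: list) -> str:
    """Value to record out of band (e.g. in a signed daily report) to detect truncation."""
    return store[-1]["chain_hash"] if store else GENESIS_HASH


def verify_store(store: list, expected_head: str = None) -> tuple:
    """Recompute the chain and HMACs. Returns (ok, index of first bad record or None)."""
    prev_hash = GENESIS_HASH
    for i, rec in enumerate(store):
        expected = _chain_digest(prev_hash, rec["raw"], rec["event"])
        if rec["chain_hash"] != expected or not hmac.compare_digest(rec["hmac"], _tag(expected)):
            return False, i
        prev_hash = expected
    # A chain alone cannot reveal that records were dropped from the end.
    if expected_head is not None and prev_hash != expected_head:
        return False, len(store)
    return True, None


if __name__ == "__main__":
    store = append_records([], SAMPLE_LINES)
    head = head_hash(store)
    print("intact:", verify_store(store, head))
    # Simulated tampering: the failed root login is rewritten in storage.
    store[1]["raw"] = store[1]["raw"].replace("Failed", "Accepted")
    print("after edit:", verify_store(store, head))
```

The HMAC matters because a SHA-256 chain by itself can be recomputed by anyone who can write to the database; only a party holding the collector's key can produce valid tags. The same holds for the head hash: it is only useful if it is stored somewhere the database writer cannot reach.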
SIEM tools should collect all possible information about all activities that occur across the network and also provide information about failures while capturing and processing log data. Ensuring the stable operation of your security solution is crucial if you want to collect information that’s admissible in court and valid for proving compliance. If your SIEM system crashes, your log data will no longer be accurate and may be rejected as evidence. The accuracy of abnormal behavior detection is also important for incident response. All these considerations impose high requirements on the competence of your quality assurance team.
While forensic products justify the data they present by recording a file’s physical path and the offset of the data within that file, your security solution should be able to justify the information it presents for forensic analysis in an analogous way. There must be a way to describe what’s being logged and why, as well as how log data is captured, stored, and analyzed.
Often, in pursuit of usability, development teams optimize the log data shown in their system reports. However, there may be challenges in linking events collected by different log sources. For example, different devices may generate logs for the same user that contain different content, so a SIEM system may receive the same data recorded as different values. For instance, one source may record the IP address of the user while another source records the name of the user but not their IP address. But what if that person used someone else’s computer to perform malicious activity? Thus, the original log data must be collected, no matter how inconvenient it may seem. Otherwise, invalid assumptions may lead incident investigations in the wrong direction. Assumptions may still be used to provide hints for security staff or forensic investigators, but the conclusions should be drawn by the investigators themselves.
The amount of information that a SIEM solution needs to process grows dramatically each year. Today, it’s terabytes of data every day. Your SIEM implementation should be able to process an increasing number of separate events per second, so these systems require complex algorithms to process data as fast as possible. This is especially important for forensic features because forensic analysis requires the collection of all possible information, as it all may be necessary for an investigation.
Long-term centralized storage of historical data is necessary to ensure the correlation of data over time and to retain data for forensic analysis. Consider also the amount of database storage, as some regulations may require data to be available for a particular length of time.
Your security solution should include features that allow users to reduce the volume of data provided for forensic analysis by filtering system logs. Moreover, you should be able to narrow down data by keywords or times. While all information should be collected without any assumptions, filters are important for forensic analysis. Filters provide users with only relevant data that relates to the incident under investigation.
Timestamps are the most sensitive and valuable piece of information extracted from log data. Timestamps are essential for linking the events recorded by your security solution to real-world facts. When analyzing logs from different sources, keep in mind that a host’s internal clock can be inaccurate; consequently, logs may have incorrect timestamps. Nevertheless, it’s vital to have timestamps that are as precise as possible. Timestamps may be shown truncated to seconds in the UI, but if the information is available with microsecond precision, it must be stored with that precision, and the original timestamp value must be available for forensic analysis.
The next important aspect is time zone. Information about the time zone that a timestamp is associated with must also be extracted and saved for forensic purposes. If there’s no time zone information available, the logs will be considered unreliable. Inaccurate time zones and timestamps prevent security staff or a forensic investigator from putting the facts on the timeline in the correct order and reconstructing the sequence of events.
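As an added example (not Apriorit's code) of the timestamp, time zone, and filtering requirements above, the block below parses constructed log lines into stored events that keep the original timestamp string verbatim, the parsed value at full microsecond precision normalized to UTC, the source's UTC offset, and a reliability flag that is cleared when the line carried no time zone. A small filter then narrows events by time window and keyword, and a display helper shows the seconds-truncated UI view that is derived from, but never replaces, the stored value. The line format and field names are assumptions made for the example.

```python
"""Added example (not Apriorit's code): forensic timestamp handling and filtering."""
import re
from datetime import datetime, timezone

# Constructed lines: ISO 8601 with offset and microseconds, one with Z, one naive.
SAMPLE_EVENTS = [
    ("fw01",  "2023-03-10T12:01:05.123456+02:00 sshd: Accepted password for alice"),
    ("app01", "2023-03-10T10:01:09.000321Z webapp: user=bob action=download file=payroll.xlsx"),
    ("db01",  "2023-03-10 12:01:10 postgres: connection authorized user=bob database=hr"),
]

TS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})?)\s+(?P<msg>.*)$"
)


def _as_utc(value) -> datetime:
    """Accept an ISO 8601 string or datetime; naive values are treated as UTC."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if value.tzinfo is None:
        value = value.replace(tzinfo=timezone.utc)
    return value.astimezone(timezone.utc)


def parse_event(host: str, line: str) -> dict:
    """Parse one line into a stored event, preserving the original timestamp."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError(f"no recognizable timestamp: {line!r}")
    original = m.group("ts")
    parsed = datetime.fromisoformat(original.replace("Z", "+00:00"))
    has_tz = parsed.tzinfo is not None
    return {
        "host": host,
        "original_timestamp": original,           # kept verbatim for the record
        "utc": _as_utc(parsed),                   # full microsecond precision retained
        "microsecond": parsed.microsecond,
        "utc_offset_seconds": int(parsed.utcoffset().total_seconds()) if has_tz else None,
        "tz_reliable": has_tz,                    # no zone info: unreliable for timelines
        "message": m.group("msg"),
    }


def display_time(event: dict) -> str:
    """UI view truncated to seconds; the stored value keeps microseconds."""
    return event["utc"].strftime("%Y-%m-%d %H:%M:%S UTC")


def filter_events(events, start=None, end=None, keyword=None, reliable_only=False) -> list:
    """Narrow events by UTC time window and/or keyword; result is in timeline order."""
    start = _as_utc(start) if start else None
    end = _as_utc(end) if end else None
    selected = []
    for e in events:
        if start and e["utc"] < start:
            continue
        if end and e["utc"] > end:
            continue
        if keyword and keyword.lower() not in e["message"].lower():
            continue
        if reliable_only and not e["tz_reliable"]:
            continue
        selected.append(e)
    return sorted(selected, key=lambda e: e["utc"])


if __name__ == "__main__":
    events = [parse_event(host, line) for host, line in SAMPLE_EVENTS]
    for e in filter_events(events, keyword="bob"):
        flag = "" if e["tz_reliable"] else "  [no time zone: unreliable]"
        print(display_time(e), e["host"], e["original_timestamp"], flag)
```

Note that the naive `db01` line sorts after the other two only because it was assumed to be UTC; if that host actually logged in UTC+02:00 it happened before `app01`'s event. That is exactly why the flag is stored and why `reliable_only` exists: the event is still kept, but an investigator building a timeline can see that its position is an assumption.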
Court investigators are usually pretty conservative about the forensic features and tools they use. Each new solution with forensic features will be compared against existing ones to make sure that it’s accurate enough and can be trusted. For this reason, the forensic analysis results provided by your security solution should be shown in a familiar way. For instance, if a de facto standard application with forensic features can export query results in PDF format, then your solution should also be able to export query results in PDF, producing results that are comparable to, or better than, those of the familiar tool. Otherwise, your innovation may be rejected because it can’t be compared with results from known tools. For this reason, forensic innovations should be introduced carefully, as alternative representations alongside the familiar way of displaying results.
Developing forensic features can greatly improve the value and effectiveness of your SIEM system, but forensic capabilities must meet certain requirements to ensure the admissibility of captured data in court. To successfully use forensic features, your SIEM solution should ensure proper handling of log data as well as crash resistance, enough space for data storage, and useful filtering of results.
Fortunately, one of Apriorit’s specialties is digital and enterprise security technologies. We would be glad to assist you in building your own solution by applying our experience in all levels of data encryption and system monitoring.