SIEM technology has been in existence for more than a decade, providing consolidated
security reports from correlated event logs, often in order to achieve
compliance with security standards. But SIEM can do better, by leveraging
correlated security events to trigger alerts and appropriate reactions from SOC
(Security Operations Center) teams.
SIEM deployment benefits from all specialised network security components. Just
like a manager delegating tasks to expert members of the team, the SIEM should
delegate part of the analysis to specialised security solutions in
order to focus on what matters most: qualified security events.
This is particularly true for DNS security. While SIEM is perfectly fine for
post-mortem analysis or threat investigation, it is not built for the real-time
analysis of the high volume of data coming from DNS logs, which in addition
only reflect part of the traffic. That calls for a purpose-built security
solution which efficiently detects threats and protects the DNS service, while
enabling SIEM to trigger coordinated responses from all network components.
Massive volumes, false alerts and staff overload
Effective security requires efficient analysis of network activity. Unfortunately, too
often SIEM is used mainly to analyse raw data, which is far from a
cost-effective use of this great tool. It is particularly inappropriate when it
comes to handling the massive volumes of logs generated by DNS traffic. A DNS
server farm handling 100,000 queries per second, for example, will generate
552GB of logs per day. SIEM solutions are unable to perform real-time
correlation of such a workload and will stop working properly.
This large volume of unqualified activity also affects the
quality of SIEM responses. Analysts such as Forrester Research have noted that
the software itself is not completely accurate in distinguishing acceptable
activity from legitimate potential threats. The discrepancy leads to
high numbers of false alerts, creating “alert overload” for security personnel,
and leaves SIEM as just a post-mortem analysis tool.
Through historical analysis, SIEM is able to help identify threats on the network such
as an infected device or a suspect employee copying huge amounts of data which
they are not granted access to. But as the analysis is not carried out in real time,
attacks are often detected too late, in particular data exfiltration: the
data theft is not detected until long after the event. Ensuring
efficient threat detection requires looking for relevant security events. As
is the case for next-generation firewalls, dealing with raw DNS query logs at
SIEM level is not a solution to secure a DNS service. Having only partial
visibility over DNS transactions, without any notion of customer context,
dramatically limits its ability to accurately detect threats, leading to a high
risk of false positives. This risk is usually deemed
unacceptable, resulting in limited threat response from the SIEM, whereas it could
be used to do much, much more.
It is clear that SIEM technologies are resource-intensive and require experienced
staff to implement, maintain and fine-tune specific monitoring rules for each
analysed protocol. This quickly becomes an issue, as few organisations have the
funding or desire to invest in staff for this. SIEM software therefore requires
quality data for maximum yield, so organisations need help defining and
providing qualified security events.
Purpose-built security for improved SIEM event quality
When it comes to network security, the two main questions today are: 1. How fast can you
detect threats? and 2. How efficiently can you protect against them? The DNS service is at the core of
the IP network, benefiting from wide visibility over network activity and
dealing with vast amounts of traffic. However, the corresponding traffic logs
offer little indication of what the real threats are. In addition, dealing with the
resulting amount of data is resource-intensive. To make the most efficient
use of SIEM, purpose-built DNS security is needed to bring in-depth visibility
over DNS traffic and to forward only the events which have been
qualified, for SIEM to treat.
To identify and truly distinguish between real and false alerts coming from
DNS, real-time advanced analytics must be incorporated. This calls for a DNS
Transaction Inspection (DTI) capability which is able to provide behavioural
threat detection in the context of each user, enabling application of the
adapted countermeasure. This built-in DNS security is essential as it brings
extended visibility on network activity while preventing service downtime and
any exfiltration attempts using the DNS protocol.
DNS security components participate in overall network security by preventing
connected devices from reaching malicious domains and related internet
resources. Events resulting from the analysis of DNS transactions, together
with threat intelligence over domain reputation, should be used to supplement
traditional logs, allowing the SIEM to contextualise the threat by knowing: a)
why the request was identified as malicious (e.g. phishing), and b) who
Holistic network security: putting SIEM focus on events, not logs
For securing your DNS, and hence your network, SIEM needs a helping hand to ensure
it focuses on handling events instead of logs. Purpose-built
DNS security solutions enrich the security ecosystem of networks,
complementing SIEM, DLP and endpoint detection solutions to enhance threat
detection and mitigation.
Solutions offered by innovators such as EfficientIP provide advanced DNS analytics for behavioural
threat detection, combined with in-depth visibility of DNS traffic, in order to
collect, gather and store, in real time, advanced statistics on a global and
per-client basis. This enhances threat visibility well beyond known attack
patterns and quickly outdated blacklist mechanisms, enabling the identification
of the most advanced attacks in order to ensure business continuity and data
confidentiality. Any network manager would surely be happy with that kind of
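The per-client behavioural analysis described above (the DTI capability, the reputation enrichment that tells the SIEM "why" and "who", and the per-client statistics that go beyond blacklists) can be made concrete with a small qualification stage placed between the DNS logs and the SIEM. The following is an added example written for this page; it is not EfficientIP's code and does not show how their product works. The log lines, the domain-reputation feed, the detection thresholds and the event names are all constructed for illustration. It reads raw query records, keeps per-client statistics, and forwards only qualified events (a reputation hit, a tunnelling-shaped lookup pattern, an NXDOMAIN burst) as JSON lines, so the SIEM receives a handful of events instead of every log record.

```python
import hashlib
import json
import math
from collections import defaultdict

# Constructed domain-reputation feed (illustrative categories, not a real threat list).
REPUTATION = {
    "bad-phish.example": "phishing",
    "c2-beacon.example": "command-and-control",
}

# Constructed thresholds; a real DTI engine would tune these against each client's profile.
TUNNEL_MIN_DISTINCT_LABELS = 20   # distinct first labels under one zone from one client
TUNNEL_MIN_LABEL_LEN = 20         # mean first-label length, characters
TUNNEL_MIN_ENTROPY = 3.0          # mean Shannon entropy of first labels, bits per character
NX_MIN_QUERIES = 10               # minimum queries before judging an NXDOMAIN ratio
NX_MIN_RATIO = 0.6                # share of NXDOMAIN answers that counts as a burst


def constructed_logs():
    """Build a raw DNS query log, one 'ts client qname qtype rcode' record per line (constructed)."""
    lines = [
        "1700000000 10.0.0.5 www.example.com A NOERROR",
        "1700000000 10.0.0.5 cdn.example.net A NOERROR",
        "1700000001 10.0.0.5 mail.example.com MX NOERROR",
        "1700000001 10.0.0.9 login-update.bad-phish.example A NOERROR",
        "1700000002 10.0.0.9 www.example.com A NOERROR",
    ]
    # One client sending many long, high-entropy TXT lookups under a single zone, the
    # shape of data leaving over DNS. Labels are deterministic hashes, not real data.
    for i in range(40):
        label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:32]
        lines.append(f"{1700000003 + i} 10.0.0.7 {label}.exfil-tunnel.example TXT NOERROR")
    # One client whose lookups for never-seen names all come back NXDOMAIN.
    for i in range(15):
        lines.append(f"{1700000050 + i} 10.0.0.11 host{i}.nonexistent-{i}.example A NXDOMAIN")
    return "\n".join(lines)


def shannon_entropy(text):
    """Bits per character; random-looking labels score close to log2(alphabet size)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_zone(qname):
    """Last two labels as the zone; a simplification, a real product would use the Public Suffix List."""
    return ".".join(qname.split(".")[-2:])


def parse(raw):
    for line in raw.splitlines():
        ts, client, qname, qtype, rcode = line.split()
        yield {"ts": int(ts), "client": client, "qname": qname.lower().rstrip("."),
               "qtype": qtype, "rcode": rcode}


def qualify(raw):
    """Return (qualified events, number of raw records). Only the events are sent on to the SIEM."""
    events, total = [], 0
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "zones": defaultdict(list)})
    for q in parse(raw):
        total += 1
        st = stats[q["client"]]
        st["total"] += 1
        if q["rcode"] == "NXDOMAIN":
            st["nx"] += 1
        zone = registrable_zone(q["qname"])
        st["zones"][zone].append(q["qname"].split(".")[0])
        # Rule 1: reputation hit. The event carries the "why" (category) and the "who" (client).
        if zone in REPUTATION:
            events.append({"event": "reputation-hit", "client": q["client"], "ts": q["ts"],
                           "qname": q["qname"], "reason": REPUTATION[zone]})
    for client, st in stats.items():
        # Rule 2: tunnelling-shaped behaviour, judged per client and per zone, not per query.
        for zone, labels in st["zones"].items():
            distinct = set(labels)
            if len(distinct) < TUNNEL_MIN_DISTINCT_LABELS:
                continue
            mean_len = sum(map(len, distinct)) / len(distinct)
            mean_ent = sum(map(shannon_entropy, distinct)) / len(distinct)
            if mean_len >= TUNNEL_MIN_LABEL_LEN and mean_ent >= TUNNEL_MIN_ENTROPY:
                events.append({"event": "dns-tunnelling-suspect", "client": client, "zone": zone,
                               "distinct_labels": len(distinct), "mean_label_len": round(mean_len, 1),
                               "mean_entropy": round(mean_ent, 2)})
        # Rule 3: NXDOMAIN burst, a behavioural signal that no single log line shows.
        if st["total"] >= NX_MIN_QUERIES and st["nx"] / st["total"] >= NX_MIN_RATIO:
            events.append({"event": "nxdomain-burst", "client": client, "queries": st["total"],
                           "nxdomain_ratio": round(st["nx"] / st["total"], 2)})
    return events, total


def to_siem(events):
    """Serialise qualified events as JSON lines, the form a SIEM collector would ingest."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


if __name__ == "__main__":
    evts, n = qualify(constructed_logs())
    print(f"{n} raw DNS records -> {len(evts)} qualified events")
    print(to_siem(evts))
```

Run as-is, the 60 constructed records collapse to three events, each naming the client and the reason, which is the contextualised input the article argues the SIEM should receive. The rules are deliberately simple; the design point is that the per-client state (query counts, NXDOMAIN ratio, label shape under each zone) lives in the DNS security stage, so the SIEM never has to rebuild it from raw logs.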
To discuss SIEM limitations further, register for Digital Transformation EXPO Europe.