Cloud Security Perspectives and Insights

A SIEM does much more than detect security incidents

David B. Cross
SVP SaaS Security

Many of us are familiar with Security, Incident, and Event Management (SIEM) systems, which detect and monitor security events and activities. In this blog post, we want to show you that SIEMs have evolved and can now do much more.

Most companies and system providers deploy a SIEM to get alerts and report on security-specific incidents and events in their systems. They build and deploy specific security rules, signatures, and use cases based on their applications, platforms, and environment. For Oracle SaaS, SIEM comprises one of the major components of our Automated SaaS Cloud Security Services (ASCSS) infrastructure.

SIEM in a DevSecOps Model

Oracle SaaS Cloud Security (SCS) uses the DevSecOps model to build and protect our SaaS environments. But it’s how and where we use SIEM that makes our solutions the most secure on the market. Because unintended or malicious actions can occur in any phase of an engineering lifecycle, we use SIEM to monitor logs and activities in ALL phases of a DevSecOps lifecycle. Usage of a SIEM in all phases is a best practice incorporated by the Oracle SaaS Cloud Security (SCS) organization and also one that all security organizations should implement and deploy.


SIEM is Critical for the entire DevSecOps lifecycle

As the title of this post implies, a SIEM provides automated detection for more than just security-specific logs and events. Many events are not strictly security-related, but they MIGHT have a security impact if they are not detected and addressed. A SIEM is much more than meets the eye, and here are just three simple examples of the many that exist throughout the DevSecOps lifecycle.

Example #1: Incorrect configurations, system settings, or application state changes that are set unintentionally
If a system’s firewall or security list is misconfigured, we know attackers or malicious users can change the ports, routes, and access rules to persist future access. They can also make changes to the automated infrastructure management systems that result in similar unauthorized access. A SIEM can automatically detect such configuration changes, immediately alert a security operations center (SOC) to investigate, and trigger automatic remediation controls.

Example #2: System telemetry or log indicators that indicate improper system usage
We can use a SIEM to detect when a large number of failed authentications or authorizations occur with a system account or an infrastructure control. We can also find the potential source of the activity, which may well be caused by an incorrect password persisting after a password change in a service account or daemon. The source of these suspicious failures can often be system job controls or tasks with misconfigurations. The correlation of logs and activities can help a service desk quickly determine where the potential job or service has been misconfigured and needs correction.
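The correlation described in Example #2 can be sketched as follows. This is an added example, not Oracle's code or a rule from any SIEM product: the log format, field names, thresholds, and the `correlate` function are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, event type, key=value fields.
SAMPLE_LOG = """\
2024-05-01T09:58:00 password_change account=svc-backup
2024-05-01T10:00:00 auth_failure account=svc-backup src=batch-07 job=nightly-export
2024-05-01T10:01:00 auth_failure account=svc-backup src=batch-07 job=nightly-export
2024-05-01T10:02:00 auth_failure account=svc-backup src=batch-07 job=nightly-export
2024-05-01T10:10:00 auth_failure account=svc-report src=10.0.9.44
2024-05-01T10:11:00 auth_failure account=svc-report src=10.0.9.44
2024-05-01T10:12:00 auth_failure account=svc-report src=10.0.9.44
2024-05-01T10:30:00 auth_failure account=svc-deploy src=build-02 job=deploy
"""

def parse(line):
    ts, event, *pairs = line.split()
    return datetime.fromisoformat(ts), event, dict(p.split("=", 1) for p in pairs)

def correlate(log_text, threshold=3, window=timedelta(minutes=10),
              lookback=timedelta(hours=24)):
    """Flag failure bursts per (account, source) and tie them to password changes."""
    failures = defaultdict(list)    # (account, src) -> [(timestamp, job)]
    pw_changes = defaultdict(list)  # account -> [timestamp]
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, event, f = parse(line)
        if event == "password_change":
            pw_changes[f["account"]].append(ts)
        elif event == "auth_failure":
            failures[(f["account"], f.get("src", "?"))].append((ts, f.get("job")))
    findings = []
    for (account, src), hits in sorted(failures.items()):
        hits.sort(key=lambda h: h[0])
        start = 0
        for end in range(len(hits)):
            # Slide the window so it never spans more than `window` of time.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                first = hits[start][0]
                # A recent password change before the burst points to a stale credential.
                stale = any(timedelta(0) <= first - c <= lookback
                            for c in pw_changes[account])
                findings.append({
                    "account": account, "src": src,
                    "jobs": sorted({j for _, j in hits if j}),
                    "verdict": "stale_credential" if stale else "investigate",
                })
                break
    return findings
```

A `stale_credential` finding names the host and job a service desk should correct, while an `investigate` finding has no password change to explain it and belongs with the SOC.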

Example #3: Code or system malfunctions that are identified during the development cycle
A third, and lesser-known, example is the value a SIEM can provide in the code and test phases of the DevSecOps model. When new functionality and features are developed and tested, they often malfunction or do not operate properly. When a SIEM collects the network and activity logs for systems that are being built and tested, engineers can receive alerts and quickly identify issues before these components are released into production. Authentication, access, and network activity can be correlated automatically to determine potential unauthorized or unintended access.


In summary, in a SaaS cloud environment, a SIEM provides a valuable detection and monitoring capability that extends far beyond security events and activities. In Oracle SaaS, the SCS organization looks at the overall infrastructure and the DevSecOps model from an end-to-end perspective to ensure we have all assets monitored for all events. The SIEM infrastructure is deployed and maintained automatically as part of the ASCSS infrastructure at Oracle.

In the future, we will share some more of our specific SIEM scenarios that we automate and detect in a SaaS cloud environment.
