Coming apart at the SIEMs …

Security Information and Event Management (SIEM)[1] systems are all the rage at the moment – and with good cause.

As you are all aware, one item of data[2] does not a case make; it is the combination and correlation of _all_ of the data that creates “evidence”. Here, in the SIEM, we see the very thinnest separation between forensics and security: if we look at it today it is security, if we look at it tomorrow it is forensics.

An SIEM (oft pronounced “seem” – although mostly I like to spell out my TLAs ESS-AYE-EEE-EMM [ with a few notable exceptions … raid, scuzzy, wizzywig … but I suspect that shows my age more than anything else ! ] ) is a centralised system that collects information from other systems in the network. This information is typically – but not exclusively – collected from some, or all, of the normal logging of the system.

It should be noted that although a SIEM could, theoretically, collect _all_ of the logs across a network, it usually doesn’t. It therefore isn’t a replacement for a centralised logging system that _does_. More typically it seeks out the subset of log entries that are perceived to be relevant to “Security” and collects those.

The determination of what a “Security” relevant entry consists of is clearly open to debate. Most of the SIEM vendors will provide you with a helpful template for a given system, and these are perhaps a good start. The British Government also publishes some recommendations (requirements if you are on an HMG system) in a document called, rather catchily, “Good Practice Guide 13 – Protective Monitoring for HMG ICT Systems” – it is UNCLASSIFIED, so theoretically anyone can read it – good luck getting a copy though, it’s a nightmare to find !


I’ve been involved in two major SIEM implementations of late, one which was being sold as a service ( client data coming into the SIEM for Security-as-a-Service [ another acronym there – SaaS – not to be confused with SaaS which is Software-as-a-Service 😉 ] ) the other which is monitoring a large network infrastructure on which clients depend … ( Subtly different … )

SIEM setups vary in their forensic value depending on how well they are set up, how much “meta-data” (for want of a better word) they include with each alert, how synchronised and consistent the logs are and, possibly most importantly, how trustworthy the SIEM itself is. If we want to use data from a SIEM forensically, we need to be sure that the data is sound in line with the standard forensic principles: if the SIEM is open for anyone to change as they wish, or it isn’t consistent about recording time, or it substantially rewrites data and modifies the source, then whoever presents that data faces an uphill struggle getting it accepted as evidence.

So, as a parting shot and summary, here are some forensic-specific tips:

  1. Make sure that you are recording sufficient information that your SIEM contains enough detail to reconstruct events as required – that doesn’t mean everything, but the right things.
  2. Ensure that your time is consistent.
  3. Hash, hash and hash again to show consistency. High-volume SIEMs won’t be able to hash each entry, so hash batches, then hash batches of batches, then batches of batches of batches … ( repeat as necessary ). This way, although you may not be able to identify _which_ entry has been modified, you can hopefully show that something has been if the data is corrupted in some way.
  4. Spend as much time, if not more, securing the SIEM as the systems that it is looking after. Don’t forget – “Quis custodiet ipsos custodes?”[3]
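Tip 3 in working form, as an added example that is not part of the original post: the sample entries, the batch size and the choice of SHA-256 are assumptions. Level 0 hashes batches of raw entries, each higher level hashes batches of the hashes below it, and verification recomputes the hierarchy against the hashes recorded at collection time, so a changed root shows that _something_ changed while the level-0 comparison narrows it to a batch rather than a single entry.

```python
import hashlib
from typing import List, Tuple

# Constructed sample SIEM entries (not from the original post); a real
# collector would stream these in as they arrive.
ENTRIES = [
    "2023-01-12T03:00:01Z fw01 deny src=10.0.0.5 dst=203.0.113.9 dport=445",
    "2023-01-12T03:00:02Z dc01 logon user=alice result=success",
    "2023-01-12T03:00:04Z dc01 logon user=bob result=failure",
    "2023-01-12T03:00:05Z fw01 allow src=10.0.0.7 dst=198.51.100.2 dport=443",
    "2023-01-12T03:00:06Z web01 GET /admin status=403",
    "2023-01-12T03:00:09Z dc01 logon user=bob result=failure",
    "2023-01-12T03:00:11Z dc01 lockout user=bob",
]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def hash_batches(items: List[str], batch_size: int) -> List[str]:
    """Hash consecutive batches of strings (raw entries or lower-level hashes)."""
    return [sha256_hex("\n".join(items[i:i + batch_size]).encode())
            for i in range(0, len(items), batch_size)]

def build_levels(entries: List[str], batch_size: int = 2) -> List[List[str]]:
    """Level 0 hashes batches of entries; every higher level hashes batches
    of the level below it until a single root hash remains."""
    levels = [hash_batches(entries, batch_size)]
    while len(levels[-1]) > 1:
        levels.append(hash_batches(levels[-1], batch_size))
    return levels

def root_hash(levels: List[List[str]]) -> str:
    return levels[-1][0]

def verify(entries: List[str], recorded: List[List[str]],
           batch_size: int = 2) -> Tuple[bool, List[int]]:
    """Recompute the hierarchy over the entries as they exist now and compare
    it with the levels recorded at collection time. Returns (intact,
    suspect_batches): the root says whether anything changed; the level-0
    comparison points at the batch, never at the individual entry."""
    current = build_levels(entries, batch_size)
    intact = root_hash(current) == root_hash(recorded)
    suspect = [i for i, (a, b) in enumerate(zip(current[0], recorded[0]))
               if a != b]
    # A different batch count (entries added or removed) is also a change.
    if len(current[0]) != len(recorded[0]):
        suspect += list(range(min(len(current[0]), len(recorded[0])),
                              max(len(current[0]), len(recorded[0]))))
    return intact, suspect
```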

If you’d like to chat about SIEMs, their implementation or forensic use, please drop in a comment below !


1. Or … Security Incident and Event Management – I’ve seen both.
2. Datum ?
3. Who watches the watchmen ? ( Terry Pratchett fans know the answer to this to be “Me. I watch him.”[4] )
4. Thud!, Terry Pratchett
