Getting the true value out of a SIEM often requires layering on other solutions, such as Security Orchestration, Automation and Response (SOAR), or manual effort from a Security Operations Center (SOC) team to detect potential security threats. A SIEM can collect and centralize your logs, but that’s not where the true value lies. Detection is where the true value is: by aggregating, analyzing and correlating your logs, you can identify potential security issues.
SIEMs can be complex, difficult to fine-tune and manage, and often fail in deployment due to the number of people and resources required (see Is Your SIEM Deployment Failing? The Hidden Costs of SIEMs). Organizations today don’t have weeks to months to spend deploying a SIEM platform.
As a result, organizations may have a SIEM that collects logs or provides audit logs for compliance, yet fails to provide valuable detections. Valuable detections alert you to indicators of lateral movement, an attacker’s ongoing compromise of your environment, or the scanning and reconnaissance an attacker uses to get a better understanding of your network for malicious intent.
Failing to detect these security events means many organizations fail to properly reduce their attack surface. That can translate to failing to detect a compromise early enough to block, contain or limit its overall impact on the organization, potentially resulting in a loss of data, a ransomware infection or a major hit to brand reputation.
Five Easy Ways to Test Your SIEM’s Detections
To help you test your SIEM for these types of detections and reduce your attack surface, Blumira’s Sr. Incident Detection Engineer Amanda Berlin and VP of Operations Patrick Garrity explained how to use different tools and resources available on GitHub.
In case you missed our live webinar, we’ve made it available to everyone, on-demand – Five Easy Ways to Test Your SIEM’s Detections.
They walk through many different examples of threat detection tests; a few of those include:
Reconnaissance: Password Spraying
Password spraying is a common attack in which an attacker attempts to authenticate to your network or applications by trying many usernames paired with a single password. Because each account sees only one or a few attempts, the attacker avoids the account lockouts that would otherwise trigger security tool detections and alerts. Attackers often use this method to discover weak passwords (reconnaissance or discovery) and then move laterally throughout your environment. Learn more in How to Test Your SIEM Detections for Password Spraying.
One tool you can use to test your password spraying detection is DomainPasswordSpray on Dafthack’s GitHub, a tool written in PowerShell that performs a password spray against the users of a domain. By default, it automatically generates the user list from the domain. Note: be careful not to lock out accounts.
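To show what a SIEM rule for this scenario actually has to compute, here is an added example (not Blumira’s code or any tool from the webinar) of the core password spray detection: many distinct accounts failing authentication from one source inside a short sliding window, as opposed to one account failing many times. It runs over constructed records shaped like Windows Security Event ID 4625 (failed logon); the field names, window and threshold are assumptions to be tuned to your environment.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records, shaped like Windows Security Event ID 4625 (failed logon)
# after SIEM parsing. Field names are assumptions, not any vendor's schema.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:01", "event_id": 4625, "user": "alice", "src_ip": "10.0.0.5"},
    {"time": "2024-01-10T09:00:04", "event_id": 4625, "user": "bob",   "src_ip": "10.0.0.5"},
    {"time": "2024-01-10T09:00:09", "event_id": 4625, "user": "carol", "src_ip": "10.0.0.5"},
    {"time": "2024-01-10T09:00:15", "event_id": 4625, "user": "dave",  "src_ip": "10.0.0.5"},
    {"time": "2024-01-10T09:00:21", "event_id": 4625, "user": "erin",  "src_ip": "10.0.0.5"},
    {"time": "2024-01-10T09:00:27", "event_id": 4624, "user": "frank", "src_ip": "10.0.0.5"},  # success, ignored
    # One account hammered repeatedly: brute force, not a spray (only one distinct user).
    {"time": "2024-01-10T09:01:00", "event_id": 4625, "user": "carol", "src_ip": "10.0.0.9"},
    {"time": "2024-01-10T09:01:05", "event_id": 4625, "user": "carol", "src_ip": "10.0.0.9"},
    {"time": "2024-01-10T09:01:10", "event_id": 4625, "user": "carol", "src_ip": "10.0.0.9"},
    # Ordinary typos spread over half an hour: never enough distinct users in one window.
    {"time": "2024-01-10T10:00:00", "event_id": 4625, "user": "gina",  "src_ip": "10.0.0.7"},
    {"time": "2024-01-10T10:30:00", "event_id": 4625, "user": "hank",  "src_ip": "10.0.0.7"},
]

def detect_password_spray(events, window=timedelta(minutes=10), min_distinct_users=5):
    """Flag sources whose failed logons hit >= min_distinct_users distinct accounts
    inside any sliding `window`. Returns {src_ip: sorted users in the first window
    that tripped the threshold}; window and threshold are tuning assumptions."""
    by_src = {}
    for ev in events:
        if ev["event_id"] != 4625:      # only failed logons count toward a spray
            continue
        by_src.setdefault(ev["src_ip"], []).append(
            (datetime.fromisoformat(ev["time"]), ev["user"]))
    alerts = {}
    for src, attempts in by_src.items():
        attempts.sort()                 # chronological order per source
        in_window = Counter()           # distinct users currently inside the window
        left = 0
        for t, user in attempts:
            in_window[user] += 1
            while t - attempts[left][0] > window:   # slide the left edge forward
                old_user = attempts[left][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                left += 1
            if len(in_window) >= min_distinct_users:
                alerts[src] = sorted(in_window)
                break                   # one alert per source is enough for triage
    return alerts
```

Calling `detect_password_spray(SAMPLE_EVENTS)` flags only 10.0.0.5; the repeated failures for carol from 10.0.0.9 are a brute-force pattern that a separate rule keyed on per-account failure counts should cover.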
Privilege Escalation: PowerShell Dropper Attacks
One example of privilege escalation is a PowerShell dropper attack, in which an attacker attempts to bypass the PowerShell execution policy. The policy is the setting that determines which types of PowerShell scripts can be run on your system. It’s not meant to be a security control, and bypassing it is a technique often used by attackers and malicious software to execute code on a system without administrative-level access, according to Berlin.
Learn more in Scott Sutherland’s 15 Ways to Bypass the PowerShell Execution Policy.
Watch the On-Demand Webinar
Check out the on-demand video of the webinar to see other example test detections, including:
- Lateral Movement: PsExec
- Privilege Escalation (Linux): Failed Sudo
- Malicious Code Execution: Eicar Malware Test File