MIAMI—Security information and event management (SIEM) solutions are supposed to boost security, but researchers say the network analysis tools are ripe attack targets.
The warning comes from security expert John Grigg, lead cyber strategist with Meta Studios. In a talk at the Infiltrate Conference, he concluded, after a review of deployments, that many top SIEM vendor solutions are insecure.
“SIEMs are a one-stop shop for attackers. Nobody has these locked down. And once they gain a toehold on the SIEM box, an adversary has a map and keys to do what they want on the network,” he said.
While SIEMs are deployed as defensive tools to analyze events on a network, the weak or default credentials that network administrators often leave in place, combined with complex installations, make them prime targets.
Grigg’s warnings come from experience helping companies mitigate against SIEM attacks. “These are products built on top of products within sprawling networks,” he said.
That makes management a herculean task and also complicates patching, because network administrators are often gun-shy about deploying SIEM updates that could break any of a dozen vendors’ hardware or software configurations.
SIEMs provide real-time and after-the-fact analysis of security alerts generated by network hardware and applications. Grigg said that for too long, SIEMs have had the perception of being impenetrable because they are installed behind network firewalls and are considered security products.
But when Grigg began looking into SIEM security from an offensive perspective, he said the community of stakeholders—from network administrators and vendors to resellers—was making it easy for adversaries.
“If I’m on offense, my recon is easy. Check vendor sites for testimonials, download documentation, check (SIEM) forums or befriend a sales engineer,” Grigg said. Most of the heavy lifting in an attack scenario is finished once a target and its SIEM information is established, he said.
Adversaries still need to gain a foothold behind the target’s firewall to reach the SIEM admin console. Once inside, Grigg said he was shocked by the number of SIEMs that were reachable with weak or default credentials and exposed RESTful APIs, giving adversaries a starting point for an attack.
Compounding the problem, Grigg said, is that SIEMs are often implemented by people with little to no experience, and end up creating more vulnerabilities than they solve.
That’s good news for attackers, he said. Once in, the SIEM offers a number of opportunities: upload malicious code to hosts on the network, manipulate logs to cover the intruder’s tracks, and download the target’s packet captures (PCAP files) for further data exfiltration.
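The log manipulation Grigg describes is only invisible if the SIEM holds the sole copy of the events. The following is an added example, not code from Grigg’s talk or from any SIEM vendor, of one countermeasure a practitioner would want: forward raw events to an independent store and seal them in an HMAC hash chain, so that editing, deleting or truncating records on the compromised SIEM is detectable. The sample events, the key and the record layout are constructed for the example; the key is assumed to be held only by the integrity service, never by the SIEM or its administrators.

```python
"""Tamper-evident log forwarding: a hash-chained audit trail.

An adversary who controls the SIEM console can edit or delete events stored
there. Keeping an independent, hash-chained copy of the raw events lets a
defender detect that manipulation: every record's seal commits to the previous
record's seal, so deleting, editing or reordering an entry breaks the chain
from that point on, and a published "head" seal catches truncation of the tail.
"""
import hashlib
import hmac
import json

# Constructed sample events, in the shape a JSON log forwarder might emit.
SAMPLE_EVENTS = [
    {"ts": "2016-04-07T14:02:11Z", "host": "fw01", "msg": "accept tcp 10.0.1.5 -> 10.0.2.9:443"},
    {"ts": "2016-04-07T14:02:13Z", "host": "siem01", "msg": "admin login from 10.0.1.5"},
    {"ts": "2016-04-07T14:02:40Z", "host": "siem01", "msg": "api token created by admin"},
    {"ts": "2016-04-07T14:03:02Z", "host": "fw01", "msg": "accept tcp 10.0.2.9 -> 203.0.113.7:443"},
]

# Assumed: a secret held only by the log-integrity service, not by the SIEM.
SEAL_KEY = b"constructed-example-key-do-not-reuse"
GENESIS = b"\x00" * 32  # previous-seal value for the first record


def _canonical(event: dict) -> bytes:
    # Deterministic serialisation so the same event always hashes the same way.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def seal(events, key=SEAL_KEY):
    """Return sealed records; each seal is HMAC(key, prev_seal || event)."""
    prev = GENESIS
    chain = []
    for ev in events:
        mac = hmac.new(key, prev + _canonical(ev), hashlib.sha256).digest()
        chain.append({"event": ev, "seal": mac.hex()})
        prev = mac
    return chain


def verify(chain, key=SEAL_KEY, expected_head=None):
    """Return (ok, index).

    ok is True if every record's seal matches and, when expected_head is
    given, the last seal equals it. Otherwise index is the position of the
    first bad record, or len(chain) if the chain is intact but truncated.
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        expected = hmac.new(key, prev + _canonical(rec["event"]), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(rec["seal"])):
            return False, i
        prev = expected
    if expected_head is not None and (not chain or chain[-1]["seal"] != expected_head):
        return False, len(chain)
    return True, len(chain)


def demo():
    """Seal the sample events, then apply three cover-your-tracks edits."""
    chain = seal(SAMPLE_EVENTS)
    head = chain[-1]["seal"]  # would be published out-of-band after each batch

    # Attacker rewrites the admin-login record to look benign.
    edited = [dict(r, event=dict(r["event"])) for r in chain]
    edited[1]["event"]["msg"] = "health check"

    # Attacker deletes the token-creation record outright.
    deleted = chain[:2] + chain[3:]

    # Attacker truncates the tail; only the published head reveals this.
    truncated = chain[:3]

    return {
        "intact": verify(chain, expected_head=head),
        "edited": verify(edited, expected_head=head),
        "deleted": verify(deleted, expected_head=head),
        "truncated": verify(truncated, expected_head=head),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result}")
```

The chain only proves anything if the sealing key and the sealed copy live outside the SIEM’s trust boundary, for example on a write-once forwarder the SIEM account cannot log into; an attacker who can read the key can simply re-seal the altered chain. Publishing the head seal after each batch (to a ticket, a separate host, or a signed timestamp) is what turns “the chain verifies” into “nothing was removed from the end”.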