Security Operations is a 24 x 7 job. It does not stop for weekends or holidays or even that much-needed coffee break after the first hour of the shift is complete. We all know this.
Every SOC engineer is hoping for some rest at some point. One of my favorite jokes when talking about Security Operations is "3 SOC engineers walked into a bar…" That the joke. No SOC engineers have time to do that. They get it. They laugh. So why is this all true?
Let us explore that a little bit.
- Demand for experienced SOC engineers far surpasses the available talent.
- Event volume levels boggle the imagination compared to even just a few years ago.
- Utilization of tools to their utmost capability has often not been a priority.
In the Security Operations space, we have been using SIEM's for many years with varying degrees of deployments, customization, and effectiveness. For the most part, they have been a helpful tool for Security Operations. But they can be better. Like any tool, they need to be sharpened and used correctly.
After a while, even a sharpened tool can become dull from too much use: and with a SIEM that takes the form of too many events creating the dreaded ALERT FATIGUE!!!
This is real for security operations and must be addressed; because the more alerts, the more an engineer must work on, and the more they will miss.
Insert Sigma Rules for SIEMS (pun intended); a way for Security Operations to implement standardization into the daily tasks of building SIEM queries, managing logs, and threat hunting correlations.
What is a Sigma rule, you may ask? A Sigma rule is a generic and open, YAML-based signature format that enables a security operations team to describe relevant log events in a flexible and standardized format.
So, what does that mean for security operations? Standardization and Collaboration are now more possible than ever before with the adoption of Sigma Rules throughout the Security Operations community. Sigma Rules are an open-source community project that was started a few years ago as a way to create a common language to be used within security operations for SIEM and EDR queries. This enables security operations teams to create queries in the Sigma rule format instead of vendor-specific SIEM languages.
I know what you might be thinking; "well that is fantastic that the community is coming together to help each other out in their daily cybersecurity battles." But, I use a different SIEM than whoever wrote this sigma rule or that sigma rule. That is the beauty of the standardization of Sigma Rules. They're meant for everyone. Take this example below of a query in a popular SIEM tool that is searching for "Clear command history" - an evasion tactic used in Linux.
That is specific to that SIEM tool's language.
Now take a look at a second SIEM's language for that same query.
As you can see, two very different searches on two different SIEM systems will return the exact same output, derived from the same sigma rule. So, if you're like me and are asking the question in your head, "Do I have to learn a new tool's language to be able to take advantage of Sigma Rules?" - the answer is NO. These queries came from the exact same sigma rule. I took this sigma rule and used a sigma rule converter such as the one at https://uncoder.io and just did a simple translate.
As of right now, 25 different translations can be made, including Grep and PowerShell, two native search methods on Linux and Windows. The specifics of a sigma rule are simple as well.
Each rule must include a title, log source, detection, and condition, and within each of the previously required fields, various optional fields can be created. Collaboration extends further with Sigma rules: threat intelligence feeds, Breach and Attack Simulations (BAS), and other security validation technologies make it easier to sharpen your Security Operations to handle the never-ending security alerts better.
Today, every Security Operations team collects log data and creates custom queries for their day-to-day analysis. We all know we are understaffed and over-worked. For those two reasons alone, as a greater community that is charged with defending against cyberattacks, it is a must for the community at large to adopt Sigma Rules. Start the sigma revolution and be part of the birth of a standard. Sigma was born to be an open standard for everyone to use no matter the SIEM and no matter the query.
Up until now, SIEM operations has genuinely been an island unto itself. No longer is this true. Community-based Security Operations standards are here to stay, which is why I love sigma rules.