SIEM: Escape and Evade
2024-12-14, Track 3

For nearly three decades, SIEM tools have been the cornerstone of the SOC, centralising threat detection and alerting, and commonly also used for ticketing, case management, and SOC metrics. But what if this essential tool could be bypassed, evaded, or even directly attacked?
Both of us have several years' experience working directly for SIEM vendors; we will draw on that to explore these possibilities in more depth, and to emphasise the importance of continuous control testing.
We aim to give offensive teams some ideas, and defenders some things to think about!


SOC teams commonly rely on Security Information and Event Management (SIEM) tools to detect, analyse, and respond to security threats. In this presentation, we will introduce key SIEM concepts and the role of the SIEM in the SOC, and discuss the shortcomings of SIEM tools. We shall then explore attacks on, and evasion techniques against, SIEMs, and discuss the general challenges of managing SIEMs in enterprise environments.

Not only will we cover the technical aspects, but also highlight processes, organisation dependencies and discuss non-technical mitigations.

Attacking a SIEM involves exploiting vulnerabilities in data ingestion, correlation rules, and alert mechanisms to manipulate the very systems designed to detect malicious activities. Specifically, we will cover:
- Introduction to Security Information and Event Management (SIEM) tools, architectures, and their role in the SOC
- Common log sources and ingest methods
- Custom apps and add-ons
- Cloud-native SIEMs
- Key vulnerabilities and attack vectors in SIEM systems: Data ingestion manipulation, Correlation rules exploitation, Alert bypass techniques
- How organisational structures and supporting processes can be exploited
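As an illustration of what "data ingestion manipulation" can look like, here is an added example that is not part of the talk or its authors' material. It models a deliberately naive key=value log parser feeding a simple per-source brute-force correlation rule, then shows how an attacker-controlled field (the username) carrying an injected `src=` pair spoofs the source address so the rule never reaches its threshold. The hardened path assumes two things: the log producer quotes untrusted values, and the ingest parser honours those quotes and treats duplicate keys as a tamper indicator. The log lines, field names, and threshold are all constructed for this example.

```python
import re
from collections import Counter

# Constructed sample events (not real telemetry). The application writes the
# attacker-controlled username LAST and unquoted, which is what makes the
# injection below work against a naive parser.
NORMAL_BRUTE_FORCE = [
    f"ts=2024-12-14T10:00:0{i}Z event=login src=203.0.113.7 result=failure user=alice"
    for i in range(5)
]

# Same attacker, same real source, but the supplied username is
# 'alice src=198.51.100.<n>' so each event appears to come from a new address.
INJECTED_RAW = [
    f"ts=2024-12-14T10:01:0{i}Z event=login src=203.0.113.7 result=failure "
    f"user=alice src=198.51.100.{i}"
    for i in range(5)
]

# Hardened producer: the untrusted value is quoted so it stays one field.
INJECTED_QUOTED = [
    f'ts=2024-12-14T10:02:0{i}Z event=login src=203.0.113.7 result=failure '
    f'user="alice src=198.51.100.{i}"'
    for i in range(5)
]

THRESHOLD = 5  # failed logins from one source before the rule alerts (assumed)


def parse_naive(line: str) -> dict:
    """Split on whitespace and '='. A repeated key silently overwrites the
    earlier value, and quotes are not understood at all."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


# key=value where value is either a double-quoted string or a run of non-space.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_hardened(line: str) -> dict:
    """Honour quoted values, keep the FIRST occurrence of each key (trusted
    fields precede untrusted ones in this format, an assumption of the
    example), and record duplicate keys as a tamper indicator."""
    fields, dup_keys = {}, []
    for key, value in KV_RE.findall(line):
        if key in fields:
            dup_keys.append(key)
        else:
            fields[key] = value.strip('"')
    fields["_dup_keys"] = dup_keys
    return fields


def brute_force_alerts(events: list[dict]) -> set[str]:
    """Toy correlation rule: alert on >= THRESHOLD login failures per source."""
    failures = Counter(
        e.get("src")
        for e in events
        if e.get("event") == "login" and e.get("result") == "failure"
    )
    return {src for src, n in failures.items() if n >= THRESHOLD}


def run_rule(lines: list[str], parser) -> set[str]:
    """Ingest lines with the given parser and return the sources that alert."""
    return brute_force_alerts([parser(line) for line in lines])


def tampered_events(lines: list[str]) -> list[dict]:
    """Ingest-side integrity check: events whose keys were overridden."""
    return [e for e in (parse_hardened(line) for line in lines) if e["_dup_keys"]]


if __name__ == "__main__":
    print("naive, clean      :", run_rule(NORMAL_BRUTE_FORCE, parse_naive))
    print("naive, injected   :", run_rule(INJECTED_RAW, parse_naive))
    print("naive, quoted     :", run_rule(INJECTED_QUOTED, parse_naive))
    print("hardened, quoted  :", run_rule(INJECTED_QUOTED, parse_hardened))
    print("tamper indicators :", len(tampered_events(INJECTED_RAW)))
```

Two points worth noting from running it: quoting at the producer alone does not help if the ingest parser is still the naive one (the `src` value simply becomes `198.51.100.0"`), and the duplicate-key flag is the more robust signal, because "first key wins" only holds while the producer's field order is known and fixed. This is exactly the kind of assumption a continuous control test should exercise by replaying a crafted event end to end and asserting that the expected alert fires.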

We are hoping to help defenders and offensive teams better understand the risks involved with SIEM deployments, whilst emphasising the importance of simulating real-world attack scenarios.