
SiEM: A Complementary Approach to Addressing DDoS


SiEMs are increasingly playing a role in identifying precursors to DDoS attacks and in helping mitigate the root causes of those attacks.

Apr 12, 2022

Security information and event management (SiEM) systems have long been relied on to support threat detection, compliance, and security incident management. Traditionally, SiEMs have not been the primary tool security analysts and SecOps teams have turned to when dealing with distributed denial of service (DDoS) attacks. But as the impact of DDoS attacks grows, SiEMs are increasingly playing a role in identifying precursors to attacks and in helping mitigate the root causes of those attacks.


DDoS attacks are getting much more attention now. While DDoS attacks can be launched against any target, there is increasing concern about attacks against government entities and critical infrastructure. This is especially true as DDoS is likely to be an element of cyber warfare now and into the future.


Additionally, the rapidly growing number of smart devices and IoT devices, many of which are inadequately secured, offers malicious actors new opportunities. Compromising a network of such devices gives cybercriminals yet another attack vector.

Traditionally, the main defense against DDoS attacks has been reactive. When a malicious actor launched an attack, organizations would either shut down the links bringing in the high volume of traffic or perhaps rely on a content delivery network partner to help prevent the traffic surge from impacting their sites and servers.

The problem with that approach is that actions are taken only after an attack is launched. A better approach would be to identify the telltale signs of a DDoS attack before it impacts an organization and automatically take steps to mitigate the issue.

How can SiEMs help? SiEMs collect and analyze (both near real-time and historical) security events, as well as a wide variety of other event and contextual data sources. The core capabilities are a broad scope of log event collection and management, the ability to analyze log events and other data across disparate sources, and operational capabilities (such as incident management, dashboards, and reporting).

A SiEM tool could be used to detect different types of DDoS attacks using its incident detection engine. Additionally, if the tool has an inference engine, it could be used to automatically infer potential countermeasures to respond to and recover from DDoS attacks. Such an inference system would need to reason continuously about each reported incident and provide suggestions to keep the system stable.
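The following is an added illustration, not code from the article or from any SiEM product, of the detection-plus-inference pattern just described: a correlation rule buckets constructed web-request events per second, learns a volume baseline from the first windows, and flags a window only when both the request rate and the number of distinct source addresses jump, so a single chatty client is not mistaken for a distributed flood. The event format, the thresholds, and the countermeasure mapping are all assumptions chosen for the example.

```python
from collections import defaultdict
import statistics

# Constructed sample events (not real traffic): (epoch_second, source_ip).
# Seconds 0-9 carry steady traffic from five hosts; seconds 10-11 carry a
# sudden burst from 40 previously unseen sources, the classic DDoS precursor.
SAMPLE_EVENTS = [(t, f"10.0.0.{1 + (t + i) % 5}") for t in range(10) for i in range(4)]
SAMPLE_EVENTS += [(t, f"203.0.113.{i}") for t in (10, 11) for i in range(1, 41)]


def bucket_events(events, window=1):
    """Group events into fixed windows -> {window: (hit_count, distinct_sources)}."""
    buckets = defaultdict(list)
    for ts, src in events:
        buckets[ts // window].append(src)
    return {b: (len(srcs), len(set(srcs))) for b, srcs in sorted(buckets.items())}


def suggest_countermeasure(distinct_sources):
    """Toy inference step: map the incident shape to a response playbook entry (assumed)."""
    if distinct_sources >= 100:
        return "divert traffic to scrubbing/CDN partner"
    return "enable per-source rate limiting at the edge"


def detect_precursors(events, baseline_windows=8, spike_factor=3.0, min_sources=20):
    """Flag windows whose volume AND distinct-source count exceed the learned baseline.

    Baseline = first `baseline_windows` windows (a real SiEM would use history).
    Threshold is the larger of spike_factor * mean and mean + 3 * stdev, so a
    flat baseline (stdev 0) still yields a sane multiplicative threshold.
    """
    stats = bucket_events(events)
    keys = list(stats)
    base_counts = [stats[k][0] for k in keys[:baseline_windows]]
    mean, stdev = statistics.mean(base_counts), statistics.pstdev(base_counts)
    threshold = max(mean * spike_factor, mean + 3 * stdev)
    incidents = []
    for k in keys[baseline_windows:]:
        count, distinct = stats[k]
        if count > threshold and distinct >= min_sources:  # volume + distribution
            incidents.append({
                "window": k, "requests": count, "distinct_sources": distinct,
                "severity": "high" if distinct >= 2 * min_sources else "medium",
                "suggested_action": suggest_countermeasure(distinct),
            })
    return incidents


if __name__ == "__main__":
    for incident in detect_precursors(SAMPLE_EVENTS):
        print(incident)
```

Feeding the same rule a burst of 50 requests from one address produces no incident, which is the distinction between a misbehaving client and a distributed attack that a volume-only threshold would miss.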

Salvatore Salamone

Salvatore Salamone is a physicist by training who writes about science and information technology. During his career, he has been a senior or executive editor at many industry-leading publications including High Technology, Network World, Byte Magazine, Data Communications, LAN Times, InternetWeek, Bio-IT World, and Lightwave, The Journal of Fiber Optics. He also is the author of three business technology books.
