Mining a SIEM can help detect and respond faster to security threats
9 March 2017
One of the longest-standing problems in information security is the time between when a breach, infiltration or attack occurs and the moment the target organisation discovers it. Yahoo’s disclosure last year that it had suffered a data breach came almost two years after the incident actually took place. Yahoo’s case might be an extreme example, since it happened to be the biggest breach in history and involved around one billion customer records. But it illustrates a wider trend shown in Verizon’s Data Breach Investigations Report, which found that fewer than 25% of breaches are discovered within days or less.
To turn that figure on its head, more than three quarters of security incidents take days or more to uncover. Just think what an attacker could accomplish in that time. So the question becomes: would you know if a breach happened inside your IT environment? Or would you only find out when someone told you they had seen all your organisation’s data on Pastebin?
Having the tools and techniques to detect activity on a network, identify it as malicious, react to it and investigate it is becoming a challenge as organisations get to grips with understanding their risks and formulating a security strategy. In theory, the data should be there within the network or systems to show the evidence of malicious activity, but is that information being collected and securely stored? Is anyone reviewing the log files? Is there any analysis to identify indicators of an attack?
Unfortunately, in our experience, the answer to these questions is frequently no.
So, the next step is to focus on a toolset or a plan to increase the ability to detect malicious behaviour. Many organisations implement tools such as security information and event management (SIEM) software to analyse the alerts generated by the existing hardware and applications. SIEM can be really helpful in filtering out potentially suspicious activity from the buzz of general everyday network activity. In practice, the work doesn’t stop there. Very few cases are 100% malicious so they require further investigation and a decision about what action to take.
Even the SIEM tool itself needs to be actively tuned on a regular basis to ensure it matches the environment it is monitoring, and that it is monitoring for the right security threats. This is not a process that can be automated, and it can quickly turn into a full-time job. Furthermore, the confirmed incidents identified by the SIEM need to be analysed as part of a detailed investigation to understand the breadth, scale and impact of any potential breach.
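To make the two points above concrete (a SIEM rule pulls candidate events out of everyday noise, and that rule has to be tuned to the environment or it floods analysts with alerts that still need human review), here is an added example that is not code from the article or from Integrity360. It is a deliberately small correlation rule of the kind a SIEM runs over authentication logs, written in plain Python. The log lines, hostnames, IP addresses and the "known benign source" list are all constructed for illustration and are assumptions, not data from the article.

```python
"""Added example: a minimal SIEM-style correlation rule over constructed
authentication log lines, with the tuning knobs an analyst would adjust.
Not part of the original article; all sample data is constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (placeholder hosts and documentation IPs).
# Format: <ISO timestamp> <host> sshd: <Failed|Accepted> password for <user> from <src_ip>
SAMPLE_LOG = """\
2017-03-09T08:00:01 web01 sshd: Failed password for alice from 198.51.100.7
2017-03-09T08:00:03 web01 sshd: Failed password for alice from 198.51.100.7
2017-03-09T08:00:05 web01 sshd: Failed password for root from 198.51.100.7
2017-03-09T08:00:07 web01 sshd: Failed password for admin from 198.51.100.7
2017-03-09T08:00:09 web01 sshd: Failed password for bob from 198.51.100.7
2017-03-09T08:00:40 web01 sshd: Accepted password for bob from 198.51.100.7
2017-03-09T08:01:00 web02 sshd: Failed password for scanner from 10.0.0.5
2017-03-09T08:01:01 web02 sshd: Failed password for scanner from 10.0.0.5
2017-03-09T08:01:02 web02 sshd: Failed password for scanner from 10.0.0.5
2017-03-09T08:01:03 web02 sshd: Failed password for scanner from 10.0.0.5
2017-03-09T08:01:04 web02 sshd: Failed password for scanner from 10.0.0.5
2017-03-09T09:30:00 web01 sshd: Failed password for carol from 203.0.113.9
2017-03-09T09:45:00 web01 sshd: Accepted password for carol from 203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_events(text):
    """Parse raw log text into event dicts. Lines that do not match are counted
    rather than silently dropped, so gaps in collection stay visible."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events, skipped


def brute_force_rule(events, threshold=5, window_seconds=60, known_benign_sources=()):
    """Correlation rule: `threshold` or more failed logons from one source IP
    inside `window_seconds`. A success from the same source shortly after the
    last failure raises the severity. `known_benign_sources` is the
    environment-specific tuning list (e.g. an internal vulnerability scanner,
    an assumption here) that suppresses expected noise. Every alert is marked
    for analyst review: the rule surfaces candidates, it does not confirm."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        if src in known_benign_sources:
            continue  # tuned out for this environment
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]
        for i, first in enumerate(failures):
            # sliding window starting at each failure
            window = [f for f in failures[i:]
                      if (f["ts"] - first["ts"]).total_seconds() <= window_seconds]
            if len(window) < threshold:
                continue
            last_fail = window[-1]["ts"]
            success = next(
                (e for e in evs if e["result"] == "Accepted" and e["ts"] > last_fail
                 and (e["ts"] - last_fail).total_seconds() <= window_seconds),
                None,
            )
            alerts.append({
                "src": src,
                "hosts": sorted({f["host"] for f in window}),
                "users": sorted({f["user"] for f in window}),
                "failures": len(window),
                "followed_by_success": success is not None,
                "severity": "high" if success else "medium",
                "disposition": "needs analyst review",
            })
            break  # one alert per source per run; avoid flooding the queue
    return alerts


if __name__ == "__main__":
    evs, skipped = parse_events(SAMPLE_LOG)
    print(f"parsed {len(evs)} events, skipped {skipped}")
    print("untuned:", brute_force_rule(evs))
    print("tuned:  ", brute_force_rule(evs, known_benign_sources=("10.0.0.5",)))
```

Run untuned, the rule raises two alerts, one of which is the internal scanner generating the same pattern every day; run with that source added to the tuning list, only the external source that failed five times and then succeeded remains, and it is still only a candidate for the analyst to investigate, which is the point the article makes about incidents rarely being 100% malicious on their own.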
These factors make a strong case for having a security operations centre, but the significant cost and resource needed to staff a true 24×7 SOC is available to only a few organisations — to say nothing of the time it would take to set one up from scratch. That is where a managed SIEM, operated by an external service provider, comes into its own.
In Integrity360’s case, our SOC analysts already work with multiple global customers, gaining wide knowledge and experience which then benefits each and every one of our customers and is a source of key threat intelligence. Any one company by itself would find it difficult to emulate this setup. It is why an externally managed SOC can be a valuable asset in an adaptive security model that ensures detecting and responding to attacks are covered as comprehensively as protecting against them.
Richard Ford, UK technical manager, Integrity360