It's not only the actual cyber-attack, but the time it takes an enterprise to detect it, that poses the greater threat: a delayed response increases the impact of the breach. While the response is delayed, an attacker gains access to more systems and may steal intellectual property, key financial information, sensitive personal data of customers, and more. Research from FireEye suggests that organizations across the globe take nearly 99 days (over three months) to detect a data breach!
How would an enterprise not know about an ongoing data breach?
In a secure scenario, whenever a user, legitimate or not, tries to access an application, data, or a network, all of that activity is recorded in logs. These logs are one of the most critical sources for threat detection. However, a survey from 451 Research shows that only 21% of organizations use their log data effectively. In my experience as well, most organizations either never capture logs, capture them inadequately, or just store them in flat files or in databases specific to the application. Rarely are they proactively checked for signs of unauthorized access or a security incident. At times the logs are even truncated to free up space on servers, which makes them useless for investigation. Hence, most organizations are oblivious to the hacks and attacks occurring within their IT systems.
What can enterprises do to stay safe?
There are multiple technologies and processes that could help in threat detection, but the one that every organization needs to have is a security incident and event management (SIEM) system.
However, the mere presence of an SIEM system isn't going to help enterprises create intelligence; they need an SIEM strategy in place. That strategy should connect the logs of critical infrastructure such as firewalls and web or client-facing applications, as well as other high-risk applications that process repositories of personal information, financial information, intellectual property, trade secrets, and the like. It is also crucial to include logs from endpoints such as laptops, mobiles, and personal digital assistants (PDAs), and from other critical log-generating devices that could be used for data exfiltration.
Once these logs are captured, it is essential to aggregate them, build intelligence by correlating events with context, identify the users involved, weed out false positives and fine-tune the process, and finally create alerts. Then, when a major incident occurs, stakeholders are informed in near real time through dashboard visualizations.
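As an added illustration of the aggregate, correlate, filter and alert chain just described (example code written for this post, not any vendor's implementation; the two log formats, the field names and the rule threshold are constructed assumptions):

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample logs (hypothetical formats) from two sources a SIEM would aggregate.
FIREWALL_LOG = """\
2024-03-01T10:00:01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2024-03-01T10:00:03 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
"""
APP_LOG = """\
2024-03-01T10:00:06 login_failed user=alice src=203.0.113.7
2024-03-01T10:00:08 login_failed user=alice src=203.0.113.7
2024-03-01T10:00:10 login_failed user=alice src=203.0.113.7
2024-03-01T10:00:12 login_ok user=alice src=203.0.113.7
2024-03-01T10:30:00 login_failed user=bob src=198.51.100.9
2024-03-01T10:30:05 login_ok user=bob src=198.51.100.9
"""
LINE = re.compile(r"^(\S+) (\S+) (.*)$")

def normalize(text, source):
    """Aggregate: parse one source's lines into a common event schema."""
    events = []
    for line in text.splitlines():
        ts, action, rest = LINE.match(line).groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append({"ts": datetime.fromisoformat(ts), "source": source, "action": action,
                       "user": fields.get("user"), "src": fields.get("src")})
    return events

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Correlate: alert when >= threshold failed logins for one (user, src) precede a success inside window."""
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failed logins
    denies = defaultdict(int)     # src -> firewall DENY count seen so far (context for the alert)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["src"])
        if e["source"] == "firewall" and e["action"] == "DENY":
            denies[e["src"]] += 1
        elif e["action"] == "login_failed":
            failures[key].append(e["ts"])
        elif e["action"] == "login_ok":
            recent = [t for t in failures.pop(key, []) if e["ts"] - t <= window]
            if len(recent) >= threshold:  # the threshold weeds out ordinary typos (bob's single failure)
                alerts.append({"rule": "failed_logins_then_success", "user": e["user"],
                               "src": e["src"], "failures": len(recent),
                               "firewall_denies": denies[e["src"]], "ts": e["ts"].isoformat()})
    return alerts

def run():
    return correlate(normalize(FIREWALL_LOG, "firewall") + normalize(APP_LOG, "app"))
```

Running `run()` yields one alert for alice (three failures, then success, with two earlier firewall denies from the same address as context) and none for bob, which is the false-positive filtering the text calls for.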
What are the roadblocks to implementing an SIEM system?
In spite of appreciating the need for threat detection and protection, enterprises have many reservations about adopting SIEM.
- Lack of experienced staff or inadequate staffing: The huge amount of data generated in enterprises requires a lot of specialized analytics and intelligence to differentiate between false positives and real threats. This requires employees who understand how to generate such intelligence.
- Inadequate budget and complexity of setting up the system: A majority of companies consider setting up SIEM systems too complex. With only a small chunk of the IT budget allocated to security, this becomes even more difficult.
- Lack of operational maturity: Given the rapidly evolving digital landscape and nature of threats, the technologies used in SIEM should be scalable and interoperable to ensure effective and efficient operations. Hence, continuous improvement is a must, but it can be a challenge.
Setting up an SIEM system is a costly proposition, and adding the indirect cost of hiring staff to monitor events 24/7 calls for even bigger budgets.
How best can enterprises implement an SIEM system?
Investments should be made not just to prevent a security intrusion and achieve compliance, but also to protect the business from the potential damage or loss from such intrusions. So if high costs are a concern, many feasible options are available. For example, enterprises can opt for managed security services, where the service is hosted in the cloud and logs from different sources are synced to the SIEM system. A pay-as-you-go model could reduce the initial capital investment and yearly maintenance costs, yet still provide advanced, intelligent security monitoring and management. SIEM can provide visibility across an organization's network, highlight current vulnerabilities and future threats that may impact the business, and suggest how to mitigate those issues.
Does your organization have an SIEM strategy in place? Tell us in the comments section below.