Security information and event management (SIEM) frameworks are essential for enterprises to monitor, manage and mitigate the impact of evolving cyberattacks. As the number of threats and the financial impact of breaches increase, these frameworks are even more crucial.
Consider ransomware. Since 2020, more than 130 different strains of these encryption and extortion efforts have been identified. According to the US Cybersecurity and Infrastructure Security Agency (CISA), ransomware incidents have been detected across 14 of 16 critical infrastructure sectors, such as Emergency Services, Food and Agriculture, and Energy. Today, ransomware is present in 10% of all breaches.
Not surprisingly, costs are also on the rise. According to the 2022 Cost of a Data Breach report, the average global cost to detect, mitigate and remediate an attack is $4.35 million. US firms pay more than twice that amount, at $9.44 million per breach.
SIEM implementation allows companies to reduce the cost and impact of these threats. In this piece, we’ll break down the six basic tenets of SIEM and look at six times companies skipped one (or more) steps — and paid the price.
The six tenets of effective SIEM
Solid SIEM deployments depend on six tenets:
Identifying insider threats
By pinpointing potential insider threats before they occur, organizations can reduce their risk of compromise. While 63% of these threats are caused by negligence rather than malice, the result is the same: data at risk. As a result, companies need to identify these threats ASAP.
Detecting advanced threats
Detecting advanced threats as early as possible in their lifecycle helps companies make informed response decisions.
Securing the cloud
As hybrid and multi-cloud deployments become increasingly common, cloud security is paramount to keep attackers at bay.
Uncovering data exfiltration
The sooner companies can detect data exfiltration — even if it’s seemingly benign — the better.
Managing compliance
With regulations rapidly evolving, managing compliance frameworks is critical to keep data secure and reduce the risk of non-conformance.
Monitoring OT and IoT security
The Internet of Things (IoT) is going mainstream, while operational technology (OT) is getting connected. Effectively monitoring both OT and IoT is a must-have SIEM segment.
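Two of the tenets above, identifying insider threats and uncovering data exfiltration, come down to correlation rules a SIEM runs over audit events. The following is an added illustration, not code from the article or any vendor's product: a minimal correlation engine over constructed, syslog-style audit lines. The log format, the user names and destination addresses, and the thresholds (five deletions per user in five minutes; 1 GB outbound to one destination per user in an hour) are all assumptions chosen for the demo.

```python
"""Minimal SIEM-style correlation over constructed audit events.

Added illustration, not code from the article. The key=value log format,
the actors and addresses, and the thresholds are assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (syslog-like, key=value). Not real data.
SAMPLE_LOG = """\
2021-03-31T09:00:01Z action=delete user=jdoe object=case/1001.mp4 bytes=0
2021-03-31T09:00:02Z action=delete user=jdoe object=case/1002.mp4 bytes=0
2021-03-31T09:00:03Z action=delete user=jdoe object=case/1003.mp4 bytes=0
2021-03-31T09:00:04Z action=delete user=jdoe object=case/1004.mp4 bytes=0
2021-03-31T09:00:05Z action=delete user=jdoe object=case/1005.mp4 bytes=0
2021-03-31T09:00:06Z action=delete user=jdoe object=case/1006.mp4 bytes=0
2021-03-31T09:15:00Z action=delete user=asmith object=tmp/notes.txt bytes=0
2021-03-31T10:00:00Z action=upload user=bwong dest=203.0.113.9 bytes=734003200
2021-03-31T10:02:00Z action=upload user=bwong dest=203.0.113.9 bytes=838860800
2021-03-31T10:05:00Z action=upload user=clee dest=198.51.100.4 bytes=1048576
"""

# Assumed thresholds; a real deployment tunes these per environment.
DELETE_THRESHOLD = 5                      # deletes per user within DELETE_WINDOW
DELETE_WINDOW = timedelta(minutes=5)
EXFIL_BYTES_THRESHOLD = 1_000_000_000     # 1 GB per user/destination within EXFIL_WINDOW
EXFIL_WINDOW = timedelta(hours=1)


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict; 'ts' becomes a datetime."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    event["bytes"] = int(event.get("bytes", "0"))
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def window_max(events, window, value=lambda e: 1):
    """Largest sum of value(e) over any sliding time window of length `window`.

    `events` must be sorted by timestamp; two pointers keep it linear.
    """
    best = running = start = 0
    for end, event in enumerate(events):
        running += value(event)
        while event["ts"] - events[start]["ts"] > window:
            running -= value(events[start])
            start += 1
        best = max(best, running)
    return best


def correlate(events):
    """Group events by actor, apply two detections, return a list of alerts."""
    events = sorted(events, key=lambda e: e["ts"])
    deletes = defaultdict(list)
    uploads = defaultdict(list)
    for event in events:
        if event.get("action") == "delete":
            deletes[event["user"]].append(event)
        elif event.get("action") == "upload":
            uploads[(event["user"], event["dest"])].append(event)

    alerts = []
    # Insider-threat rule: burst of deletions by one user (accidental or not).
    for user, evs in deletes.items():
        count = window_max(evs, DELETE_WINDOW)
        if count >= DELETE_THRESHOLD:
            alerts.append({"rule": "mass_delete", "user": user, "count": count})
    # Exfiltration rule: large outbound volume from one user to one destination.
    for (user, dest), evs in uploads.items():
        total = window_max(evs, EXFIL_WINDOW, value=lambda e: e["bytes"])
        if total >= EXFIL_BYTES_THRESHOLD:
            alerts.append({"rule": "possible_exfil", "user": user,
                           "dest": dest, "bytes": total})
    return alerts


def run_demo():
    """Run both rules over the constructed log; returns two alerts."""
    return correlate(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On the sample input the engine raises one `mass_delete` alert for `jdoe` (six deletions in six seconds) and one `possible_exfil` alert for `bwong` (about 1.5 GB to a single external address within an hour); `asmith` and `clee` stay below threshold. The sliding window matters: counting per day instead of per five minutes would let a slow, steady deletion or upload pass unnoticed, while a window that is too short fragments a burst into sub-threshold pieces.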
Six times skipping SIEM steps saw attackers slip through
Attackers are always looking for any opportunity — big or small — to compromise corporate networks. As a result, skipping out on even one SIEM step can lead to security problems.
Here’s a look at six times things didn’t go well for security.
Dallas Police Department: The call is coming from inside the house
It was an unfortunate case of accidental insider threat. In March and April 2021, the Dallas Police Department lost more than 8.7 million files — amounting to more than 23 terabytes of data — when an employee deleted the files.
This information included video, audio, photo and text evidence for police cases, in turn potentially impacting more than 17,500 cases being handled by the Dallas County District Attorney’s Office. While experts tried to recover the lost data, they could only restore three terabytes.
In part, the issue stemmed from a lack of training. The employee had minimal knowledge of handling and moving cloud files, and the DPD also lacked a robust backup policy.
Defense Industrial Base (DIB) organization: APT pupil
In November 2021 and January 2022, a DIB sector organization saw its network compromised by multiple advanced persistent threats (APTs). Ensuing CISA investigations found that multiple threat actors gained access to the organization’s IT environments and that some had maintained long-term, persistent access. In addition, attackers extracted sensitive data from the organization without its knowledge.
It’s a classic case of lacking APT detection capabilities leading to IT blind spots. If companies can’t see what’s coming — and detect what’s already happening — the results can be disastrous.
Uber: When it rains, it pours
Ride-sharing service Uber saw an attacker rain on its cloud parade in September 2022, when a malicious actor gained full access to the company’s cloud-based storage systems containing customer and financial data.
According to researchers, the supposed threat actor — who self-identified as an 18-year-old — tricked an Uber employee into providing cloud credentials. This allowed the attacker full access to the company’s Amazon and Google cloud databases.
It’s a reminder that all it takes is one. One attacker looking for publicity or hoping to cause havoc; one employee who provides access credentials or clicks a malicious link.
Multiple anesthesia practices: Mama said knock you out
Data exfiltration is a dangerous game, especially when it comes to healthcare. As noted by SC Magazine, 13 anesthesia practices across the United States found themselves victimized by attackers in July 2022.
Malicious actors could compromise and extract the protected health information (PHI) of more than 380,000 patients, but details were scarce on exactly how the attack occurred or how long the attackers had access.
After the fact, the covered entities involved in the incident say they improved their security controls. The problem? Those involved needed to act sooner as part of SIEM efforts, not after the exfiltration.
Amazon: How the cookie crumbles
Fail to comply, and face the consequences. That’s what happened to online retail giant Amazon when it ran afoul of GDPR in Luxembourg. While the company has been quiet about the issue, it appears that in the summer of 2021, officials in Luxembourg fined Amazon more than $850 million for compliance breaches related to cookie consent.
While Amazon is appealing the fine by arguing that no data was breached, compliance isn’t just about keeping the doors closed — it’s about following the rules wherever you operate.
Oldsmar, Florida water treatment plant: Would I lye to you?
Operational technology is essential for critical infrastructure functions but often poses a security risk. With many of these solutions never designed to interact with Internet-enabled services, moves to more modern frameworks can create security weak points.
Take the incident in Oldsmar, Florida, when an employee of the city’s water treatment plant noticed the cursor on his screen moving without his input. An attacker had breached network systems, taken control of the employee’s computer and increased the concentration of sodium hydroxide, or lye, in the water by 100 times — enough to cause serious illness or death.
While the threat actor quickly left and the employee fixed the lye levels, it’s a stark reminder that just because these technologies have historically been passed over for attack efforts, they’re not immune to compromise.
Security, step by step
Extensive SIEM is critical to defending against familiar and emerging cyberattacks, but it’s not enough to simply go through the motions.
To ensure they don’t skip steps, businesses are best served by partnering with SIEM experts to ensure their security frameworks are capable of frustrating attack efforts no matter where, when or how they occur.