January 12, 2023 By Douglas Bonderud 4 min read

Security information and event management (SIEM) frameworks are essential for enterprises to monitor, manage and mitigate the impact of evolving cyberattacks. As the number of threats and the financial impact of breaches increase, these frameworks are even more crucial.

Consider ransomware. Since 2020, more than 130 different strains of these encryption and extortion efforts have been identified. According to the US Cybersecurity and Infrastructure Security Agency (CISA), ransomware incidents have been detected across 14 of 16 critical infrastructure sectors, such as Emergency Services, Food and Agriculture, and Energy. Today, ransomware is present in 10% of all breaches.

Not surprisingly, costs are also on the rise. According to the 2022 Cost of a Data Breach report, the average global cost to detect, mitigate and remediate an attack is $4.35 million. US firms pay more than twice that amount, at $9.44 million per breach.

SIEM implementation allows companies to reduce the cost and impact of these threats. In this piece, we’ll break down the six basic tenets of SIEM and look at six times companies skipped one (or more) steps — and paid the price.

The six tenets of effective SIEM

Solid SIEM deployments depend on six tenets:

Identifying insider threats

By pinpointing potential insider threats before they occur, organizations can reduce their risk of compromise. While 63% of these threats are caused by negligence rather than malice, the result is the same: data at risk. As a result, companies need to identify these threats ASAP.

Detecting advanced threats

Detecting advanced threats as early as possible in their lifecycle helps companies make informed response decisions.

Securing the cloud

As hybrid and multi-cloud deployments become increasingly common, cloud security is paramount to keep attackers at bay.

Uncovering data exfiltration

The sooner companies can detect data exfiltration — even if it’s seemingly benign — the better.

Managing compliance

With regulations rapidly evolving, managing compliance frameworks is critical to keep data secure and reduce the risk of non-conformance.

Monitoring OT and IoT security

The Internet of Things (IoT) is going mainstream, while operational technology (OT) is getting connected. Effectively monitoring both OT and IoT is a must-have SIEM segment.

Six times skipping SIEM steps saw attackers slip through

Attackers are always looking for any opportunity — big or small — to compromise corporate networks. As a result, skipping out on even one SIEM step can lead to security problems.

Here’s a look at six times things didn’t go well for security.

Dallas Police Department: The call is coming from inside the house

It was an unfortunate case of accidental insider threat. In March and April 2021, the Dallas Police Department lost more than 8.7 million files — amounting to more than 23 terabytes of data — when an employee deleted the files.

This information included video, audio, photo and text evidence for police cases, in turn potentially impacting more than 17,500 cases being handled by the Dallas County District Attorney’s Office. While experts tried to recover the lost data, they could only restore three terabytes.

In part, the issue stemmed from a lack of training. The employee had minimal knowledge of handling and moving cloud files, but the DPD also lacked a robust backup policy.

Defense Industrial Base (DIB) organization: APT pupil

In November 2021 and January 2022, a DIB sector organization saw its network compromised by multiple advanced persistent threats (APTs). Ensuing CISA investigations found that multiple threat actors had gained access to the organization’s IT environments and that some of them had achieved long-term persistence. In addition, attackers extracted sensitive data from the organization without its knowledge.

It’s a classic case of lacking APT detection capabilities leading to IT blind spots. If companies can’t see what’s coming — and detect what’s already happening — the results can be disastrous.

Uber: When it rains, it pours

Ride-sharing service Uber saw an attacker rain on its cloud parade in September 2022, when a malicious actor gained full access to the company’s cloud-based storage systems containing customer and financial data.

According to researchers, the supposed threat actor — who self-identified as an 18-year-old — tricked an Uber employee into providing cloud credentials. This allowed the attacker full access to the company’s Amazon and Google cloud databases.

It’s a reminder that all it takes is one. One attacker looking for publicity or hoping to cause havoc; one employee who provides access credentials or clicks a malicious link.

Multiple anesthesia practices: Mama said knock you out

Data exfiltration is a dangerous game, especially when it comes to healthcare. As noted by SC Magazine, 13 anesthesia practices across the United States found themselves victimized by attackers in July 2022.

Malicious actors were able to compromise and extract the protected health information (PHI) of more than 380,000 patients, but details were scarce on exactly how the attack occurred or how long the attackers had access.

After the fact, the covered entities involved in the incident say they improved their security controls. The problem? Those involved needed to act sooner as part of SIEM efforts, not after the exfiltration.

Amazon: How the cookie crumbles

Fail to comply, and face the consequences. That’s what happened to online retail giant Amazon when it ran afoul of GDPR in Luxembourg. While the company has been quiet about the issue, it appears that in the summer of 2021, officials in Luxembourg fined Amazon more than $850 million for compliance breaches related to cookie consent.

While Amazon is appealing the fine by arguing that no data was breached, compliance isn’t just about keeping the doors closed — it’s about following the rules wherever you operate.

Oldsmar, Florida water treatment plant: Would I lye to you?

Operational technology is essential for critical infrastructure functions but often poses a security risk. With many of these solutions never designed to interact with Internet-enabled services, moves to more modern frameworks can create security weak points.

Take the incident in Oldsmar, Florida, when an employee of the city’s water treatment plant noticed the cursor on his screen moving without his input. An attacker had breached network systems, taken control of the employee’s computer and increased the concentration of sodium hydroxide, or lye, in the water by 100 times — enough to cause serious illness or death.

While the threat actor quickly left and the employee fixed the lye levels, it’s a stark reminder that just because these technologies have historically been passed over for attack efforts, they’re not immune to compromise.

Security, step by step

Extensive SIEM is critical to defending against familiar and emerging cyberattacks, but it’s not enough to simply go through the motions.

To ensure they don’t skip steps, businesses are best served by partnering with SIEM experts to ensure their security frameworks are capable of frustrating attack efforts no matter where, when or how they occur.
