Security information and event management (SIEM) frameworks are essential for enterprises to monitor, manage and mitigate the impact of evolving cyberattacks. As the number of threats and the financial impact of breaches increase, these frameworks are even more crucial.

Consider ransomware. Since 2020, more than 130 different strains of these encryption and extortion efforts have been identified. According to the US Cybersecurity and Infrastructure Security Agency (CISA), ransomware incidents have been detected across 14 of 16 critical infrastructure sectors, such as Emergency Services, Food and Agriculture, and Energy. Today, ransomware is present in 10% of all breaches.

Not surprisingly, costs are also on the rise. According to the 2022 Cost of a Data Breach report, the average global cost to detect, mitigate and remediate an attack is $4.35 million. US firms pay more than twice that amount, at $9.44 million per breach.

SIEM implementation allows companies to reduce the cost and impact of these threats. In this piece, we’ll break down the six basic tenants of SIEM and look at six times companies skipped one (or more) steps — and paid the price.

The Six Tenants of Effective SIEM

Solid SIEM deployments depend on six tenants:

Identifying Insider Threats

By pinpointing potential insider threats before they occur, organizations can reduce their risk of compromise. While 63% of these threats are caused by negligence rather than malice, the result is the same: data at risk. As a result, companies need to identify these threats ASAP.

Detecting Advanced Threats

Detecting advanced threats as early as possible in their lifecycle helps companies make informed response decisions.

Securing the Cloud

As hybrid and multi-cloud deployments become increasingly common, cloud security is paramount to keep attackers at bay.

Uncovering Data Exfiltration

The sooner companies can detect data exfiltration — even if it’s seemingly benign — the better.

Managing Compliance

With regulations rapidly evolving, managing compliance frameworks is critical to keep data secure and reduce the risk of non-conformance.

Monitoring OT and IoT Security

The Internet of Things (IoT) is going mainstream, while operational technology (OT) is getting connected. Effectively monitoring both OT and IoT is a must-have SIEM segment.

Six Times Skipping SIEM Steps Saw Attackers Slip Through

Attackers are always looking for any opportunity — big or small — to compromise corporate networks. As a result, skipping out on even one SIEM step can lead to security problems.

Here’s a look at six times things didn’t go well for security.

Dallas Police Department: The Call is Coming from Inside the House

It was an unfortunate case of accidental insider threat. In March and April 2021, the Dallas Police Department lost more than 8.7 million files — amounting to more than 23 terabytes of data — when an employee deleted the files.

This information included video, audio, photo and text evidence for police cases, in turn potentially impacting more than 17,500 cases being handled by the Dallas County District Attorney’s Office. While experts tried to recover the lost data, they could only restore three terabytes.

In part, the issue stemmed from a lack of training. The employee had minimal knowledge of handling and moving cloud files, but the DPD also lacked a robust backup policy.

Defense Industrial Base (DIB) Organization: APT Pupil

In November 2021 and January 2022, a DIB sector organization saw its network compromised by multiple advanced persistent threats (APTs). Ensuing CISA investigations found that multiple threat actors gained access to the organization’s IT environments and that some had used APTs to achieve long-term persistence. In addition, attackers extracted sensitive data from the organization without its knowledge.

It’s a classic case of lacking APT detection capabilities leading to IT blind spots. If companies can’t see what’s coming — and detect what’s already happening — the results can be disastrous.

Uber: When It Rains, It Pours

Ride-sharing service Uber saw an attacker rain on its cloud parade in September 2022, when a malicious actor gained full access to the company’s cloud-based storage systems containing customer and financial data.

According to researchers, the supposed threat actor — who self-identified as an 18-year-old — tricked an Uber employee into providing cloud credentials. This allowed the attacker full access to the company’s Amazon and Google cloud databases.

It’s a reminder that all it takes is one. One attacker looking for publicity or hoping to cause havoc; one employee who provides access credentials or clicks a malicious link.

Multiple Anesthesia Practices: Mama Said Knock You Out

Data exfiltration is a dangerous game, especially when it comes to healthcare. As noted by SC Magazine, 13 anesthesia practices across the United States found themselves victimized by attackers in July 2022.

Malicious actors could compromise and extract the protected health information (PHI) of more than 380,000 patients, but details were scarce on exactly how the attack occurred or how long the attackers had access.

After the fact, the covered entities involved in the incident say they improved their security controls. The problem? Those involved needed to act sooner as part of SIEM efforts, not after the exfiltration.

Amazon: How the Cookie Crumbles

Fail to comply, and face the consequences. That’s what happened to online retail giant Amazon when it ran afoul of GDPR in Luxembourg. While the company has been quiet about the issue, it appears that in the summer of 2021, officials in Luxembourg fined Amazon more than $850 million for compliance breaches related to cookie consent.

While Amazon is appealing the fine by arguing that no data was breached, compliance isn’t just about keeping the doors closed — it’s about following the rules wherever you operate.

Oldsmar, Florida Water Treatment Plant: Would I Lye to You?

Operational technology is essential for critical infrastructure functions but often poses a security risk. With many of these solutions never designed to interact with Internet-enabled services, moves to more modern frameworks can create security weak points.

Take the incident in Oldsmar, Florida, when an employee of the city’s water treatment plant noticed the cursor on his screening moving without his input. An attacker had breached network systems, taken control of the employee’s computer and increased the concentration of sodium hydroxide, or lye, in the water by 100 times — enough to cause serious illness or death.

While the threat actor quickly left and the employee fixed the lye levels, it’s a stark reminder that just because these technologies have historically been passed over for attack efforts, they’re not immune to compromise.

Security, Step by Step

Extensive SIEM is critical to defending against familiar and emerging cyberattacks, but it’s not enough to simply go through the motions.

To ensure they don’t skip steps, businesses are best served by partnering with SIEM experts to ensure their security frameworks are capable of frustrating attack efforts no matter where, when or how they occur.

More from Risk Management

Increasingly Sophisticated Cyberattacks Target Healthcare

4 min read - It’s rare to see 100% agreement on a survey. But Porter Research found consensus from business leaders across the provider, payer and pharmaceutical/life sciences industries. Every single person agreed that “growing hacker sophistication” is the primary driver behind the increase in ransomware attacks. In response to the findings, the American Hospital Association told Porter Research, “Not only are cyber criminals more organized than they were in the past, but they are often more skilled and sophisticated.” Although not unanimous, the…

4 min read

Machine Learning Applications in the Cybersecurity Space

3 min read - Machine learning is one of the hottest areas in data science. This subset of artificial intelligence allows a system to learn from data and make accurate predictions, identify anomalies or make recommendations using different techniques. Machine learning techniques extract information from vast amounts of data and transform it into valuable business knowledge. While most industries use these techniques, they are especially prominent in the finance, marketing, healthcare, retail and cybersecurity sectors. Machine learning can also address new cyber threats. There…

3 min read

Now Social Engineering Attackers Have AI. Do You? 

4 min read - Everybody in tech is talking about ChatGPT, the AI-based chatbot from Open AI that writes convincing prose and usable code. The trouble is malicious cyber attackers can use generative AI tools like ChatGPT to craft convincing prose and usable code just like everybody else. How does this powerful new category of tools affect the ability of criminals to launch cyberattacks, including social engineering attacks? When Every Social Engineering Attack Uses Perfect English ChatGPT is a public tool based on a…

4 min read

How I Got Started: White Hat Hacker

3 min read - White hat hackers serve as a crucial line of cyber defense, working to identify and mitigate potential threats before malicious actors can exploit them. These ethical hackers harness their skills to assess the security of networks and systems, ultimately helping organizations bolster their digital defenses. But what drives someone to pursue a career as a white hat hacker, and how do you get started in leveraging so-called “evil” skills for the greater good?? In this exclusive Q&A, we spoke with…

3 min read