January 12, 2023 By Douglas Bonderud 4 min read

Security information and event management (SIEM) frameworks are essential for enterprises to monitor, manage and mitigate the impact of evolving cyberattacks. As the number of threats and the financial impact of breaches increase, these frameworks are even more crucial.

Consider ransomware. Since 2020, more than 130 different strains of these encryption and extortion efforts have been identified. According to the US Cybersecurity and Infrastructure Security Agency (CISA), ransomware incidents have been detected across 14 of 16 critical infrastructure sectors, such as Emergency Services, Food and Agriculture, and Energy. Today, ransomware is present in 10% of all breaches.

Not surprisingly, costs are also on the rise. According to the 2022 Cost of a Data Breach report, the average global cost to detect, mitigate and remediate an attack is $4.35 million. US firms pay more than twice that amount, at $9.44 million per breach.

SIEM implementation allows companies to reduce the cost and impact of these threats. In this piece, we’ll break down the six basic tenets of SIEM and look at six times companies skipped one (or more) steps — and paid the price.

The six tenets of effective SIEM

Solid SIEM deployments depend on six tenets:

Identifying insider threats

By pinpointing potential insider threats before they occur, organizations can reduce their risk of compromise. While 63% of these threats are caused by negligence rather than malice, the result is the same: data at risk. As a result, companies need to identify these threats ASAP.

Detecting advanced threats

Detecting advanced threats as early as possible in their lifecycle helps companies make informed response decisions.

Securing the cloud

As hybrid and multi-cloud deployments become increasingly common, cloud security is paramount to keep attackers at bay.

Uncovering data exfiltration

The sooner companies can detect data exfiltration — even if it’s seemingly benign — the better.

Managing compliance

With regulations rapidly evolving, managing compliance frameworks is critical to keep data secure and reduce the risk of non-conformance.

Monitoring OT and IoT security

The Internet of Things (IoT) is going mainstream, while operational technology (OT) is getting connected. Effectively monitoring both OT and IoT is a must-have SIEM segment.

Six times skipping SIEM steps saw attackers slip through

Attackers are always looking for any opportunity — big or small — to compromise corporate networks. As a result, skipping out on even one SIEM step can lead to security problems.

Here’s a look at six times things didn’t go well for security.

Dallas Police Department: The call is coming from inside the house

It was an unfortunate case of accidental insider threat. In March and April 2021, the Dallas Police Department lost more than 8.7 million files — amounting to more than 23 terabytes of data — when an employee deleted the files.

This information included video, audio, photo and text evidence for police cases, in turn potentially impacting more than 17,500 cases being handled by the Dallas County District Attorney’s Office. While experts tried to recover the lost data, they could only restore three terabytes.

In part, the issue stemmed from a lack of training: the employee had minimal knowledge of handling and moving cloud files. But the DPD also lacked a robust backup policy, and no control flagged the bulk deletion while it was in progress.
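The Dallas case is a textbook candidate for a SIEM correlation rule: a single principal deleting files at a rate no legitimate workflow produces. The following is an added example, not code from the article or from any vendor SIEM, of the sliding-window burst detection a SIEM would apply to cloud storage audit events. It also covers the data exfiltration tenet above, since the same logic applied to download events flags bulk pulls of records. The audit records are constructed for the example, and the field names (time, actor, action, object), the five-minute window and the threshold of 50 events are assumptions, not any provider's schema or a recommended tuning.

```python
"""Sliding-window burst detector for cloud storage audit events.

Added example, not from the article or a real SIEM product. Flags any actor
that performs more than THRESHOLD events of one action (deletions by default)
inside WINDOW. The event records below are constructed; their field names are
assumptions rather than a real cloud provider's audit schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed correlation window
THRESHOLD = 50                  # assumed: events inside WINDOW before alerting

# Constructed audit log: a deletion burst by 'analyst1' (120 deletes in two
# minutes) interleaved with ordinary activity by 'clerk2'.
SAMPLE_EVENTS = (
    [{"time": f"2021-03-31T09:{i // 60:02d}:{i % 60:02d}Z", "actor": "analyst1",
      "action": "delete", "object": f"cases/evidence/file{i}.mp4"} for i in range(120)]
    + [{"time": "2021-03-31T09:00:30Z", "actor": "clerk2",
        "action": "download", "object": "cases/report.pdf"},
       {"time": "2021-03-31T09:01:00Z", "actor": "clerk2",
        "action": "delete", "object": "tmp/scratch.txt"}]
)


def parse_time(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed log."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_bursts(events, action="delete", window=WINDOW, threshold=THRESHOLD):
    """Return one alert per actor the first time that actor exceeds
    `threshold` `action` events within `window`.

    Events are sorted by time first, so the sliding window stays correct even
    when the log is delivered out of order (common with batched cloud audit
    exports). Each actor keeps a deque of recent timestamps; entries older
    than the window are dropped from the left before the count is checked.
    """
    recent = defaultdict(deque)   # actor -> timestamps still inside the window
    alerted = set()               # actors already reported (avoid alert storms)
    alerts = []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        if ev["action"] != action:
            continue
        t = parse_time(ev["time"])
        q = recent[ev["actor"]]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) > threshold and ev["actor"] not in alerted:
            alerted.add(ev["actor"])
            alerts.append({
                "actor": ev["actor"], "action": action, "count": len(q),
                "first": q[0].isoformat(), "last": t.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_EVENTS):
        print(f"ALERT {a['actor']}: {a['count']} {a['action']} events "
              f"between {a['first']} and {a['last']}")
```

Run against the constructed log, the rule fires once, for analyst1, at the 51st deletion; clerk2's single delete and download never reach the threshold. In a real deployment the threshold would be set per object class (case evidence, not scratch space) and the alert would be enriched with whether the objects were versioned or backed up, which is exactly the gap the Dallas incident exposed.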

Defense Industrial Base (DIB) organization: APT pupil

Between November 2021 and January 2022, a DIB sector organization had its network compromised by multiple advanced persistent threat (APT) actors. The ensuing CISA investigation found that several threat actors had gained access to the organization’s IT environment and that some had maintained long-term persistence. In addition, the attackers extracted sensitive data from the organization without its knowledge.

It’s a classic case of lacking APT detection capabilities leading to IT blind spots. If companies can’t see what’s coming — and detect what’s already happening — the results can be disastrous.

Uber: When it rains, it pours

Ride-sharing service Uber saw an attacker rain on its cloud parade in September 2022, when a malicious actor gained full access to the company’s cloud-based storage systems containing customer and financial data.

According to researchers, the supposed threat actor — who self-identified as an 18-year-old — tricked an Uber employee into providing cloud credentials. This allowed the attacker full access to the company’s Amazon and Google cloud databases.

It’s a reminder that all it takes is one. One attacker looking for publicity or hoping to cause havoc; one employee who provides access credentials or clicks a malicious link.

Multiple anesthesia practices: Mama said knock you out

Data exfiltration is a dangerous game, especially when it comes to healthcare. As noted by SC Magazine, 13 anesthesia practices across the United States found themselves victimized by attackers in July 2022.

Malicious actors compromised and extracted the protected health information (PHI) of more than 380,000 patients, but details were scarce on exactly how the attack occurred or how long the attackers had access.

After the fact, the covered entities involved in the incident said they had improved their security controls. The problem? Those controls needed to be in place, and feeding a SIEM, before the exfiltration, not after it.

Amazon: How the cookie crumbles

Fail to comply, and face the consequences. That’s what happened to online retail giant Amazon when it ran afoul of GDPR in Luxembourg. While the company has been quiet about the issue, it appears that in the summer of 2021, officials in Luxembourg fined Amazon more than $850 million for compliance breaches related to cookie consent.

While Amazon is appealing the fine by arguing that no data was breached, compliance isn’t just about keeping the doors closed — it’s about following the rules wherever you operate.

Oldsmar, Florida water treatment plant: Would I lye to you?

Operational technology is essential for critical infrastructure functions but often poses a security risk. With many of these solutions never designed to interact with Internet-enabled services, moves to more modern frameworks can create security weak points.

Take the incident in Oldsmar, Florida, when an employee of the city’s water treatment plant noticed the cursor on his screen moving without his input. An attacker had breached network systems, taken control of the employee’s computer and increased the concentration of sodium hydroxide, or lye, in the water by 100 times — enough to cause serious illness or death.

While the threat actor quickly left and the employee fixed the lye levels, it’s a stark reminder that just because these technologies have historically been passed over for attack efforts, they’re not immune to compromise.

Security, step by step

Extensive SIEM is critical to defending against familiar and emerging cyberattacks, but it’s not enough to simply go through the motions.

To ensure they don’t skip steps, businesses are best served by partnering with SIEM experts to ensure their security frameworks are capable of frustrating attack efforts no matter where, when or how they occur.
