Cyberattacks evolve every day. Concepts such as malware-as-a-service enable even amateur hackers to use high-level malicious software to exploit organizations. This allows cybercriminals to make huge profits without the risk of deploying the exploits themselves. Such large-scale attacks have fostered the need for a unified security structure in organizations for protection from future threats.
In the cybersecurity landscape, early log management tool providers slowly evolved into security information and event management (SIEM) solution vendors. This started a new phase in cyber defense. As we move towards a remote work environment featuring an increased number of endpoints, we can see the complexity and volume of the attacks rising. Organizations need to upgrade the threat detection and response capabilities of their security solutions.
From the first modern-day cyberattack in 1988, an inadvertent distributed denial of service incident, to the most sophisticated attacks in recent times, hackers have become smarter and smarter. Hackers are no longer operating out of their parents' basements and looking for sheer fun. The attacks are evolving and have become multi-staged and polymorphic.
Fun Fact: Before the computer age, the equivalent of a cyberattack was perpetrated against a telegraph network in 1834. Brothers Francois and Joseph Blanc devised a way to hack the semaphore system, which the French government used to transmit data about market movements in the Paris stock exchange to the other cities across the country. The brothers bribed the telegraph operator to include a specific set of codes in the usual messages sent. These characters were made to look like errors but actually contained critical information which only the Blanc brothers could decipher.
Unfortunately, most organizations today are only equipped to protect against early-generation threats like viruses and payloads, leaving networks, data centers, cloud resources, and endpoint devices exposed to other attacks.
Tool Tip: Understanding how a cyberattack works is important for preventing it from occurring. The video series on the cyber kill chain framework explains the approach used by cybercriminals to carry out an attack.
Any security tool is as good as the person using it. The shortage of cybersecurity skills is an issue faced by many organizations today. According to the 2020 report by ISACA, 70 percent of the respondents said that less than half of their cybersecurity applicants were well qualified. Concerns cited included the lack of experience and knowledge about the current cybersecurity landscape.
If you want to defend your network from attacks, you must think like a hacker. Although stopping cyberattacks isn't always feasible, with a strong security strategy and the right tools, it's definitely possible to spot hackers at work and contain an attack in its initial stage.
Tool Tip: Cybersecurity tools like Log360 have implemented the MITRE ATT&CK framework to effectively spot attacks. Such integrations also help build an effective defense system, as they provide a clear picture of the tactics, techniques, and procedures used to carry out the attack.
As more organizations adopt remote work and the Internet of Things (IoT) continues to evolve, there will be more access points for cybercriminals to take advantage of. SIEM solutions will need to upgrade to support the advanced technologies that will safeguard against the growing threats.
Over the past years, organizations have started to invest in SIEM tools as their frontline defense against cyberattacks. Initially, these tools were expensive, difficult to implement, and deployed only by large organizations. As SIEM evolved, these challenges were addressed and vendors now focus on small and medium-sized organizations to help protect them from threats.
Let us see how SIEM has developed over the years.
Early-stage SIEM solutions were capable of combining security information management (SIM) and security event management (SEM) capabilities which were previously separate, but this provided limited incident response and visualization features. The threat detection rules had to be set manually and were limited to the information available to security analysts. Therefore, these traditional rule-based systems could not adapt to the increasing complexity of attacks, number of threats, and data sources. Static threshold values were set for the correlation rules, and due to this, the systems generated an excessive number of alerts, requiring manual threat analysis to eliminate false reports.
As the cybersecurity landscape evolved, SIEM vendors realized that the solution should house more capabilities to cater to the demands, especially with respect to threat detection, attack mitigation, and compliance management. This second-generation SIEM supported big data, and was better equipped to handle large volumes of data and correlate historic logs with real-time events.
This new variant of SIEM is now more mature and has new capabilities such as:
User and entity behavior analytics (UEBA) - Going beyond rules and correlations, UEBA leverages machine learning to understand the behavior of employees and find irregular patterns. This helps detect insider threats, which accounted for 60 percent of the cyberattacks experienced by organizations in 2020, an increase of 47 percent compared to 2018.
Security teams started to realize that standard correlation rules were not adaptive when a flood of false positives overwhelmed them. UEBA correlates multiple factors and uses machine learning (ML) techniques to filter out potential threats and alert security teams. How is ML-based behavioral analytics better than a rule-based detection system? Consider a scenario where a user from the marketing department accesses financial data. A rule might flag this cross-departmental request outright, but UEBA evaluates it and triggers an alert based on a risk score. A threshold can be set so that this request is quickly and automatically determined to be legitimate or non-threatening. This enables analysts to focus on the real threats that require a real-time response.
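The difference between the static correlation rule and the risk-scored approach is easier to see in code. The example below is added here for illustration and is not code from the original article or from any SIEM product; the access events, the resource-to-department table and the score weights are all constructed. It puts a first-generation rule ("alert on every cross-departmental access") next to a small behavioral baseline that scores each event by how far it departs from what the user and the department usually do, and only alerts when the score reaches a threshold.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    user: str
    department: str
    resource: str
    hour: int  # hour of day, 0-23


# Constructed lookup of which department owns each resource.
RESOURCE_OWNER = {
    "finance-share": "finance",
    "marketing-share": "marketing",
    "hr-payroll": "hr",
}

# Constructed baseline window: alice (marketing) legitimately reads
# finance-share for campaign budgets during office hours; bob never has.
HISTORY = [
    AccessEvent("alice", "marketing", "finance-share", 10),
    AccessEvent("alice", "marketing", "finance-share", 14),
    AccessEvent("alice", "marketing", "marketing-share", 9),
    AccessEvent("alice", "marketing", "marketing-share", 16),
    AccessEvent("bob", "marketing", "marketing-share", 9),
    AccessEvent("bob", "marketing", "marketing-share", 17),
    AccessEvent("carol", "finance", "finance-share", 8),
    AccessEvent("carol", "finance", "finance-share", 18),
]

# Constructed stream of new events to evaluate.
NEW_EVENTS = [
    AccessEvent("alice", "marketing", "finance-share", 11),  # routine for alice
    AccessEvent("bob", "marketing", "finance-share", 23),    # new resource, late night
    AccessEvent("bob", "marketing", "hr-payroll", 10),       # resource foreign to marketing
    AccessEvent("carol", "finance", "finance-share", 9),     # finance reading finance
]


def static_rule_alerts(events):
    """First-generation style correlation rule: fire on every cross-departmental access."""
    return [e for e in events if RESOURCE_OWNER[e.resource] != e.department]


class Baseline:
    """Per-user and per-department profile learned from historical events."""

    def __init__(self, history):
        self.user_resources = defaultdict(set)
        self.dept_resources = defaultdict(set)
        self.user_hours = defaultdict(set)
        for e in history:
            self.user_resources[e.user].add(e.resource)
            self.dept_resources[e.department].add(e.resource)
            self.user_hours[e.user].add(e.hour)

    def risk_score(self, e):
        """Return (score, reasons): an additive 0-100 score built from how far
        the event departs from the learned profile. The weights are constructed
        for illustration, not tuned values."""
        score, reasons = 0, []
        if e.resource not in self.user_resources[e.user]:
            score += 40
            reasons.append("resource never used by this user")
        if e.resource not in self.dept_resources[e.department]:
            score += 30
            reasons.append("resource never used by this department")
        usual_hours = self.user_hours[e.user]
        if not any(abs(e.hour - h) <= 1 for h in usual_hours):
            score += 20
            reasons.append("outside the user's usual hours")
        if RESOURCE_OWNER[e.resource] != e.department:
            score += 10
            reasons.append("cross-departmental access")
        return min(score, 100), reasons


def ueba_alerts(baseline, events, threshold=50):
    """Alert only when the risk score reaches the configured threshold."""
    alerts = []
    for e in events:
        score, reasons = baseline.risk_score(e)
        if score >= threshold:
            alerts.append((e, score, reasons))
    return alerts


if __name__ == "__main__":
    base = Baseline(HISTORY)
    print("static rule alerts:", len(static_rule_alerts(NEW_EVENTS)))
    for e, score, reasons in ueba_alerts(base, NEW_EVENTS):
        print(f"UEBA alert: {e.user} -> {e.resource} score={score} ({', '.join(reasons)})")
```

On the constructed stream the static rule fires three times, including on alice's routine budget lookup, while the scored approach raises two alerts (bob reaching a finance share at 23:00 and bob touching a payroll resource nobody in marketing uses) and lets alice's request through with a low score. The reasons list is what an analyst would see in the alert, which is the other half of why scoring beats a bare rule: the alert explains itself.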
Threat intelligence - As security professionals, we need to stay informed of the latest Indicators of Compromise (IoCs) to prevent attacks in their initial stages. Threat intelligence feeds contain threat data generated from various sources. The data cover known malicious domains, IPs, and geolocations, and are updated in real time to provide fresh knowledge on live threats and to identify valid IoCs.
These feeds can be integrated with other security devices like firewalls to block malicious IPs. When combined with a SIEM solution, these feeds can be used to correlate with internal events and to generate alerts.
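The correlation step itself is simple to show. The following is an added example, not code from the original article or from any vendor's product: it parses a constructed feed of IP, CIDR and domain indicators (all from documentation-reserved ranges and names), parses a few constructed firewall/proxy log lines in key=value form, and grades each match. The grading rule is the practical point: a blocked connection to a known-bad address is context, while an allowed connection to a high-confidence indicator is the event that needs a response.

```python
import ipaddress
import re

# Constructed sample feed (indicator,type,confidence,source). These
# indicators are documentation/test ranges and names, not real IoCs.
FEED_TEXT = """\
# indicator,type,confidence,source
203.0.113.45,ipv4,90,sample-feed-a
198.51.100.0/24,cidr,60,sample-feed-b
malicious.example,domain,85,sample-feed-a
"""

# Constructed firewall/proxy log lines in key=value form.
LOG_LINES = [
    "ts=2021-03-01T10:00:01Z src=10.0.0.5 dst=203.0.113.45 dport=443 action=allow",
    "ts=2021-03-01T10:00:02Z src=10.0.0.7 dst=198.51.100.23 dport=80 action=deny",
    "ts=2021-03-01T10:00:03Z src=10.0.0.5 host=login.malicious.example dport=443 action=allow",
    "ts=2021-03-01T10:00:04Z src=10.0.0.9 dst=192.0.2.10 dport=22 action=allow",
]


def parse_feed(text):
    """Index the feed by indicator type so lookups are cheap per event."""
    feed = {"ipv4": {}, "cidr": [], "domain": {}}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        indicator, kind, confidence, source = line.split(",")
        entry = {"indicator": indicator, "confidence": int(confidence), "source": source}
        if kind == "ipv4":
            feed["ipv4"][indicator] = entry
        elif kind == "cidr":
            feed["cidr"].append((ipaddress.ip_network(indicator), entry))
        elif kind == "domain":
            feed["domain"][indicator.lower()] = entry
    return feed


def parse_log_line(line):
    """Turn 'k=v k=v ...' into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def match_event(feed, event):
    """Return the feed entry an event matches, or None."""
    dst = event.get("dst")
    if dst:
        if dst in feed["ipv4"]:
            return feed["ipv4"][dst]
        addr = ipaddress.ip_address(dst)
        for network, entry in feed["cidr"]:
            if addr in network:
                return entry
    host = event.get("host", "").lower()
    if host:
        for domain, entry in feed["domain"].items():
            # Match the domain itself and any subdomain of it.
            if host == domain or host.endswith("." + domain):
                return entry
    return None


def correlate(feed, lines):
    """Correlate each log line with the feed and grade the result.
    Allowed traffic to a high-confidence indicator is the case that needs
    a response; a blocked attempt is recorded for context only."""
    alerts = []
    for line in lines:
        event = parse_log_line(line)
        entry = match_event(feed, event)
        if entry is None:
            continue
        if event.get("action") != "allow":
            severity = "info"
        elif entry["confidence"] >= 80:
            severity = "high"
        else:
            severity = "medium"
        alerts.append({
            "ts": event.get("ts"),
            "src": event.get("src"),
            "indicator": entry["indicator"],
            "source": entry["source"],
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_feed(FEED_TEXT), LOG_LINES):
        print(alert)
```

Running it yields two high-severity alerts (an allowed session to the listed IP, and an allowed session to a subdomain of the listed domain) and one informational record for the connection the firewall already denied; the SSH session to an unlisted address produces nothing. Carrying the feed's source and confidence into the alert matters in practice, because a stale or low-confidence feed entry is a common cause of noisy SIEM correlations.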
Security orchestration, automation, and response (SOAR) - Modern SIEMs are deeply integrated with the organization's systems to accelerate incident response. This also helps analysts investigate security incidents and automate response mechanisms when a potential attack is detected. SOAR can be used to automate responses to commonly known threat tactics, with alerts and response measures set to run if they are detected.
SOAR is commonly used to handle phishing emails: the suspicious email's metadata is extracted and correlated with external threat feeds. If a threshold is reached, actions such as blocking the IoCs and deleting the email from others' inboxes can be configured to help neutralize the situation. You can configure your email environment to automatically send email attachments to a sandbox environment where they will be checked for impact on system security. If there is no response mechanism in place for the threat, an alert or ticket can be raised to the security teams to initiate a manual investigation.
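The phishing playbook just described, written out as a decision function, as an added example that is not part of the original article and not any product's playbook engine. It uses Python's standard email parser to extract the metadata the text mentions (sender and Reply-To domains, URL hosts in the body, attachment names and SHA-256 hashes), scores them against a constructed threat feed, and returns the list of response actions the orchestration layer should run: block and purge above the upper threshold, sandbox-and-ticket in the gray zone, and close below it. The two messages, the feed entries and the score weights are all constructed; the "attachment" is the base64 of a short placeholder string, not a binary.

```python
import email
import hashlib
import re
from dataclasses import dataclass, field
from email import policy
from email.utils import parseaddr

# Constructed threat data: one domain and one attachment hash the feed
# says are malicious. The hash is of the constructed attachment bytes below.
FEED_DOMAINS = {"bad-domain.test"}
FEED_HASHES = {hashlib.sha256(b"sample-malware").hexdigest()}

# Constructed suspicious message; the attachment body is the base64 of
# b"sample-malware", not an actual executable.
SUSPICIOUS_EMAIL = b"""\
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: helpdesk@bad-domain.test
To: alice@example.com
Subject: Password expiry notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Your password expires today. Reset it at http://login.bad-domain.test/reset
--XYZ
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

c2FtcGxlLW1hbHdhcmU=
--XYZ--
"""

# Constructed benign message for comparison.
BENIGN_EMAIL = b"""\
From: bob@example.com
To: alice@example.com
Subject: Lunch?

Are we still on for 12:30?
"""


@dataclass
class PlaybookResult:
    score: int
    indicators: list = field(default_factory=list)
    actions: list = field(default_factory=list)


def extract_metadata(raw):
    """Pull out the fields the playbook scores: sender/reply-to domains,
    URL hosts in the body, and attachment names with SHA-256 hashes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = parseaddr(msg.get("From", ""))[1].split("@")[-1].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].split("@")[-1].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    hosts = [h.lower() for h in re.findall(r"https?://([A-Za-z0-9.-]+)", text)]
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        attachments.append((part.get_filename() or "", hashlib.sha256(data).hexdigest()))
    return from_domain, reply_domain, hosts, attachments


def in_feed(host):
    """Domain match covers the listed domain and any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in FEED_DOMAINS)


def run_playbook(raw, block_threshold=70, ticket_threshold=30):
    """Score the message and decide the response. Weights are constructed
    for illustration; a real playbook would tune them to its environment."""
    from_domain, reply_domain, hosts, attachments = extract_metadata(raw)
    result = PlaybookResult(score=0)
    if reply_domain and reply_domain != from_domain:
        result.score += 20  # replies diverted to another domain
        result.indicators.append(reply_domain)
    for host in hosts:
        if in_feed(host):
            result.score += 30  # link to a listed domain
            result.indicators.append(host)
    for name, digest in attachments:
        if digest in FEED_HASHES:
            result.score += 40  # attachment hash is a known IoC
            result.indicators.append(digest)
        if name.lower().endswith((".exe", ".scr", ".js", ".vbs")):
            result.score += 10  # executable attachment type
    result.score = min(result.score, 100)
    if result.score >= block_threshold:
        result.actions = ["block_indicators", "purge_from_all_mailboxes"]
        if attachments:
            result.actions.append("detonate_attachments_in_sandbox")
    elif result.score >= ticket_threshold:
        result.actions = ["open_ticket_for_analyst"]
        if attachments:
            result.actions.append("detonate_attachments_in_sandbox")
    else:
        result.actions = ["close_as_benign"]
    return result


if __name__ == "__main__":
    for raw in (SUSPICIOUS_EMAIL, BENIGN_EMAIL):
        r = run_playbook(raw)
        print(r.score, r.indicators, r.actions)
```

The playbook returns an action plan rather than executing anything itself, which is how such playbooks are usually structured: the orchestration layer owns the connectors to the mail system, the firewall and the sandbox, and the scoring logic stays testable offline. The constructed suspicious message scores 100 and gets the block, purge and sandbox actions; the benign message scores 0 and is closed.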
There are many tools, such as data loss prevention (DLP), unified endpoint management (UEM), and cloud access security broker (CASB), which specialize in securing specific applications in an organization's network. You can use any of these tools based on your needs. For example, a UEM tool can be used to update or track the software used on all the endpoint devices in your network.
Today's security teams require a solution that can piece together different capabilities to prevent an attack from disrupting the network. SIEM tools provide that solution.
When looking for a SIEM solution, ensure it meets the requirements of a layered defense against cyberattacks and can evolve to address new threats.
Flexible plans and a scalable architecture - SIEM systems can cost hundreds of thousands of dollars. An optimal SIEM solution is a pay-as-you-go model based on your needs that supports on-premises, cloud-based, and hybrid deployments.
Comprehensive and orchestrated capabilities - Brings together different capabilities, such as UEBA, SOAR, cloud security, DLP, federated identity management (FIM), etc., in one package.
Compliance reporting - Supports out-of-the-box compliance reports to help your organization meet regulatory requirements.
Threat intelligence - Pulls threat data and correlates with the internal security events.
Threat hunting - Lets analysts write queries that derive insights from raw log data and support log forensics.
Log archival and data protection - Additional features that safeguard critical log data for future requirements during forensic analysis and auditing.
Seamless integration - A modern SIEM tool should have the ability to integrate with certain tools, such as a help desk component, so that tickets can be raised and assigned to the respective admins.
Advanced log visualization and analytics - Displays logs visually in dashboards and as charts.
© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.