Amid Growing Coronavirus-Related Cyberattacks, Companies Must Continue Making Big Strides in SIEM and Other Types of Cybersecurity Analytics

Posted on by Robert Ackerman

If you’re an adult, it’s virtually impossible not to know by now that the global coronavirus has significantly impacted human health, daily life and the worldwide economy for the worse—much worse.

Yet as bad as this is, the multifaceted pain doesn’t stop here.

We’re also now confronted with a new cyber-environment in which hackers and scammers are thriving, capitalizing on the cruel reality that the government, companies and individuals have never had more of a reason to pay less attention to security threats than they do today.

At the same time, coronavirus phishing scams are emerging and increasing. In addition, potentially malicious coronavirus websites have begun circulating widely. The US Health and Human Services Department suffered a cyberattack last month, and, shortly afterward, the World Health Organization was targeted with a malicious look-alike website. On top of that, the University Hospital Brno in the Czech Republic—a major COVID-19 testing hub—suffered a ransomware attack last month that disrupted operations and sparked surgery postponements.

More cyberattack disruptions are sure to follow, including the possibility of an attack on critical infrastructure, such as a power plant, and various disinformation campaigns to sow confusion. According to Prevailion, a Maryland-based cyber-intelligence firm focused on nation-state cyberattack schemes, a number of state and local governments have already been unwitting victims of nation-state actors promoting dissension and disruption. In addition, millions more people are suddenly working from home, often with fewer security defenses than they have at the office.

What should companies do?

They need to quickly step up their efforts to improve their cybersecurity analytics and intelligence to get ahead of the attack curve. In particular, they need to keep improving their SIEM (security information and event management) software, which has already become significantly better and which combines analytics and intelligence to easily and quickly connect the dots between alerts and events, making it a key piece of the overall security analytics tree.

A SIEM solution is like a radar system that pilots and air traffic controllers use. Without one, enterprise IT is flying blind. Security appliances and system software are generally only good at catching isolated attacks after they have started. In essence, the additional surveillance is roughly akin to finding a way to eavesdrop on a criminal gang plotting a bank robbery before actually executing it.

Common threats today, such as APTs (advanced persistent threats), botnets, script kiddies and malware-as-a-service via the dark web, attack across multiple systems and use advanced evasion techniques to avoid detection. The most advanced SIEM tools help make sense of the hodgepodge before attacks are allowed to germinate.

Security data collection, processing and analysis has improved markedly in recent years. According to research by Enterprise Strategy Group, a Silicon Valley IT analysis, market research and advisory firm, 87% of organizations recently surveyed were collecting and analyzing more diversified security data today than two years ago. Large organizations, in particular, are monitoring tens of thousands of systems, generating upward of 20,000 events per second and collecting terabytes of data each day, Enterprise Strategy Group says.

But, as usual, there is a significant difference between the volume of security collection and analysis among the biggest public companies and smaller ones, and between public and private companies. Most of the latter are smaller and have fewer resources. Nonetheless, they and small public companies are under growing pressure to improve.

Moreover, companies of all stripes need to better monitor their multiple security spending priorities and appreciate that complexity is the enemy of security. Too many today still purchase almost every product they feel holds some promise to make their companies more secure. This increases complexity and related overhead, and the gaps between products become vulnerabilities.

SIEM has been around well over a decade but has more recently evolved and improved significantly. Initially, it was somewhat limited in scope, complex and too often failed to identify attacks. IT pros had to know what they were looking for. A subsequent SIEM generation was able to scale better but wound up presenting more data than an enterprise could possibly cope with.

As it turned out, building a mechanism to collect, store and analyze more security-only data was relatively simple. Collecting all security-relevant data and turning it into actionable intelligence, however, was an entirely different matter. And investigation of a security event took precious time away from overall IT functions—time that most IR organizations could not afford to lose.

Today, analytics-driven SIEM monitors more threats and allows IT to respond quickly to incidents, minimizing the impact on IT overall.

Today’s most robust SIEM systems have three primary strengths:

(1) The system includes monitoring capabilities that can be applied in real time to any data set, regardless of whether it’s located on-premises or in the cloud. This is important because the longer it takes to discover a threat, the more damage it can potentially inflict.

(2) The system can not only identify distinct incidents but also provide the means to track them.

(3) Last, the system can adapt to new advanced threats by implementing, among other things, network security monitoring, endpoint detection and behavior analysis in combination with one another to more readily identify and quarantine new potential threats.
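As an added illustration (not code from this post or from any SIEM product), the following correlates constructed auth, endpoint and network events per host into tracked incidents and scores each by how many feeds contributed, the kind of cross-source "connecting the dots" the three strengths above describe. The event shape, the ten-minute window and the severity rules are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs): one brute-force burst on ws-17
# followed by a success, a new process and an outbound connection, plus two
# isolated events. A real SIEM would normalize these from separate feeds.
EVENTS = [
    {"id": 1, "src": "auth",     "ts": "2020-04-01T09:00:05", "host": "ws-17", "type": "login_failed"},
    {"id": 2, "src": "auth",     "ts": "2020-04-01T09:00:09", "host": "ws-17", "type": "login_failed"},
    {"id": 3, "src": "auth",     "ts": "2020-04-01T09:00:14", "host": "ws-17", "type": "login_failed"},
    {"id": 4, "src": "auth",     "ts": "2020-04-01T09:00:20", "host": "ws-17", "type": "login_success"},
    {"id": 5, "src": "endpoint", "ts": "2020-04-01T09:02:30", "host": "ws-17", "type": "new_process"},
    {"id": 6, "src": "network",  "ts": "2020-04-01T09:03:10", "host": "ws-17", "type": "outbound_connection"},
    {"id": 7, "src": "auth",     "ts": "2020-04-01T11:30:00", "host": "ws-42", "type": "login_failed"},
    {"id": 8, "src": "network",  "ts": "2020-04-01T17:45:00", "host": "ws-17", "type": "outbound_connection"},
]

WINDOW = timedelta(minutes=10)  # assumed correlation window

def score(types, sources):
    """Assumed severity rules: one feed alone is low; a failed-login burst that
    ends in a success is medium; all three feeds agreeing on one host is high."""
    fails = types.count("login_failed")
    if len(sources) >= 3 and "login_success" in types:
        return "high"
    if fails >= 3 and "login_success" in types:
        return "medium"
    return "low"

def correlate(events, window=WINDOW):
    """Group events per host into incidents. An event joins the host's open
    incident if it falls within `window` of that incident's last event;
    otherwise a new incident is opened so distinct activity is tracked apart."""
    incidents, open_by_host = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        inc = open_by_host.get(ev["host"])
        if inc is None or ts - inc["last"] > window:
            inc = {"host": ev["host"], "first": ts, "last": ts,
                   "events": [], "types": [], "sources": set()}
            incidents.append(inc)
            open_by_host[ev["host"]] = inc
        inc["events"].append(ev["id"])
        inc["types"].append(ev["type"])
        inc["sources"].add(ev["src"])
        inc["last"] = ts
    for inc in incidents:
        inc["severity"] = score(inc["types"], inc["sources"])
    return incidents

if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc["host"], inc["severity"], inc["events"], sorted(inc["sources"]))
```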

For all of their improvements, SIEM tools are still far from perfect. For one thing, the value of a SIEM solution depends heavily on the threat intelligence it feeds its users. Moreover, the log data available from legacy applications, for example, still doesn’t translate well into these platforms. For example, a legacy application might be able to report who has access to the system, but not what they have access to inside the system.

Countering this, fortunately, is the development of some mitigation techniques. If a legacy application has a back-end database, for instance, it’s sometimes possible to grab access and usage information from the database itself. Enterprises also have the option to build a more locked-down system or have just a small portion of a legacy app available as a service. This way, if it is compromised, the impact on the rest of the organization is mitigated.

Regardless of these secondary shortcomings, the primary takeaway about SIEM and other analytical tools today is that they have become a must-have for any organization subject to advanced, diversified cyberattacks. If they haven’t already, sizable companies need to take this into account and act quickly.

As things stand today, the pandemic and the withering economy are already almost too much to handle. Yet another big migraine would be unfathomable.

Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital
