If you are like most companies today, you have followed all the steps to ensure compliance with the myriad of regulations (SOX, PCI DSS, HIPAA, to name a few): firewall in place, antivirus deployed, network segmented, IDS/IPS running, with the logs being sent to a SIEM/SIM/SEM. You are capturing event data from systems (Windows, Linux, applications, etc.) and sending that information as well. Reports have been created, and alerts set up for any unusual behaviour. So why, according to the Verizon Data Breach Report, is the number of incidents and breaches climbing every year? In addition, according to the 2014 Cyberthreat Defense Report by the CyberEdge Group, 60% of respondents were affected by a successful cyberattack in 2013.
Ten years ago, reviewing logs was the best way to see what was occurring on your network, and for the most part it was extremely successful: a jump in activity on a device indicated some form of malware, trojan or virus. So what has changed?
- Increased sophistication of threats
- Proliferation of devices and applications
- Rise of social media
- Inadequate data collection
- Data overload
- Over-normalization
- Siloed information and processes
Organizations are collecting data from a variety of sources, or trying to, and then creating complex queries to generate reports. The problem lies in the fact that you are collecting log data for a compliance regulation, not necessarily for security. Being compliant does not equate to being secure. Log management truly assists with forensics (after the breach), but for the most part it does not assist with prediction or with providing security analytics. In order to have security intelligence, and therefore anomaly detection, you need historical data to create an effective baseline of average activity for each user or computer (asset), and for most SIEM/SEM/SIMs the more data collected, the slower they perform. By utilizing a data analytics platform to augment your SIEM/SEM/SIM, additional alerts can be generated on activity that deviates from that baseline by specific thresholds, and those alerts can be investigated immediately. Allowing a machine to "learn" the habits of the organization will eliminate human error. Have a look at the whitepaper by our partner Hexis Cyber Solutions, Why SIEM's Are Not Enough, or review the HawkEye AP.
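The baseline-and-threshold idea described above, shown as an added example (this is not code from the original post, from Hexis Cyber Solutions or from HawkEye AP). It assumes the SIEM has already been reduced to a daily count of authentication events per entity (user or asset); the entity names and counts below are constructed, not real data. Each entity gets its own mean and standard deviation from its history, today's count is scored against that baseline, and anything beyond k standard deviations is raised as an alert. For contrast, the same data is run through a single fixed threshold of the kind a compliance-oriented report would use, which flags a busy service account every day while the per-entity baseline does not. Entities with too little history are surfaced as a separate "no-baseline" condition rather than silently skipped or scored against a meaningless baseline.

```python
"""Per-entity activity baselining versus a fixed threshold (added example)."""
from statistics import mean, pstdev

# Constructed sample data: daily authentication-event counts per entity over
# the previous two weeks. A real pipeline would derive these from SIEM exports.
HISTORICAL = {
    "alice":      [42, 45, 40, 47, 44, 41, 43, 46, 44, 42, 45, 43, 44, 41],
    "svc-backup": [900, 920, 880, 910, 905, 895, 915, 890, 900, 910,
                   905, 895, 900, 910],
    "bob":        [10, 11, 9],          # too little history for a baseline
}

# Constructed counts for "today". alice is far above her norm; svc-backup is
# busy but within its norm; bob has no usable baseline yet.
TODAY = {"alice": 180, "svc-backup": 930, "bob": 10}


def build_baseline(history, min_days=7):
    """Return {entity: (mean, stdev)} for every entity with enough history.

    The standard deviation is floored at 1.0 so a perfectly flat history
    does not produce a zero divisor and flag trivial one-event changes.
    """
    baseline = {}
    for entity, counts in history.items():
        if len(counts) < min_days:
            continue
        baseline[entity] = (mean(counts), max(pstdev(counts), 1.0))
    return baseline


def zscore(observed, entity_baseline):
    """How many standard deviations today's count sits from the entity's mean."""
    mu, sigma = entity_baseline
    return (observed - mu) / sigma


def detect(today, baseline, k=3.0):
    """Score each entity against its own baseline.

    Returns a list of (entity, reason, detail) tuples. A deviation alert
    carries the z-score; a no-baseline alert carries the raw count so an
    analyst can decide whether the entity needs watching.
    """
    alerts = []
    for entity, observed in sorted(today.items()):
        if entity not in baseline:
            alerts.append((entity, "no-baseline", observed))
            continue
        z = zscore(observed, baseline[entity])
        if z > k:
            alerts.append((entity, "deviation", round(z, 1)))
    return alerts


def fixed_threshold(today, limit=100):
    """The compliance-report style rule: alert on any count above one limit."""
    return sorted(entity for entity, count in today.items() if count > limit)


if __name__ == "__main__":
    base = build_baseline(HISTORICAL)
    for alert in detect(TODAY, base):
        print("baseline alert:", alert)
    print("fixed-threshold alerts:", fixed_threshold(TODAY))
```

The design choice worth noting is that the threshold is relative to each entity's own history: the same 930 events that are routine for the backup service account would be an extreme deviation for an interactive user, and a single global limit cannot express that distinction. Growing the history window improves the baseline but also increases the data the SIEM has to hold, which is exactly the performance trade-off the text describes.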
Contact us for a web demonstration of the product.