Symtrex Inc.

Cyber Security Specialist

Report: 2016 saw 8.5 million mobile malware attacks, ransomware and IoT threats on the rise

2017/03/01 by admin

Mobile malware attacks increased more than three times between 2015 and 2016, according to a new report from Kaspersky Lab. Here’s what you need to know.

From Tech Republic – Alison DeNisco

In 2016, the number of malicious installation packages hit more than 8.5 million—three times more than the year before, according to a report on mobile malware evolution from Kaspersky Lab, released on Tuesday. The firm registered nearly 40 million attacks by malicious mobile software over the course of the year as well.

Geographically speaking, the nations with the highest number of attacks were Bangladesh, Iran, Nepal, China, and Indonesia, the report stated.

The No. 1 malware threat of 2016? Trojans, which gained super-user privileges that allowed them to secretly install advertising applications and display ads on the infected device, and even buy apps on Google Play, the report found. And this trend shows no sign of slowing down.

The Trojans attacked Android devices via vulnerabilities that are patched in newer versions—however, most users do not update their phones in a timely manner, leaving them open to danger.

“Cybercriminals are taking advantage of the fact that most devices do not receive OS updates (or receive them late), and are thus vulnerable to old, well-known and readily available exploits,” the report stated.

Because this malware installs its modules in the system directory, it makes remedying the situation difficult, the report noted. “Some advertising Trojans are even able to infect the recovery image, making it impossible to solve the problem by restoring to factory settings,” it stated.

Kaspersky Lab also found installations of the modular trojan Backdoor.AndroidOS.Triada, which allowed hackers to alter text messages sent by other apps and steal money from the device owner.

Google Play remains a popular place for cybercriminals to find business: Kaspersky Lab detected about 50 new applications infected by Trojan.AndroidOS.Ztorg.am, the new modification of Trojan.AndroidOS.Ztorg.ad. And many of these apps were installed more than 100,000 times.

“Representatives of this class of malicious software have been repeatedly found in the official Google Play app store, for example, masquerading as a guide for Pokemon GO,” the report stated. “This particular app was downloaded over half a million times and was detected as Trojan.AndroidOS.Ztorg.ad.”

Ransomware attacks grew the most over 2016: Trojan-Ransom increased almost 6.5 times, now representing 4% of all malware installation packages. Kaspersky Lab detected 261,214 mobile ransomware Trojans in 2016. “This growth was caused by the active distribution of two families of mobile ransomware – Trojan-Ransom.AndroidOS.Fusob and Trojan-Ransom.AndroidOS.Congur,” according to the report. The criminals behind the Trojan usually demand between $100 and $200 to unlock a device, Kaspersky Lab noted.

Hackers also evolved their use of mobile banking Trojans over 2016, many of which learned how to bypass new Android security measures and continue stealing user information.

“This year, we will continue to closely monitor the development of mobile banking Trojans: the developers of this class of malware are the first to use new technologies and are always looking for ways to bypass security mechanisms implemented in the latest versions of mobile operating systems,” the report noted.

Internet of Things (IoT) devices are also a growing target for cybercriminals, with an “attack-the-router” Trojan Switcher targeting the Wi-Fi network that an infected device is connected to. “If the Trojan manages to guess the password to the router, it changes the DNS settings, implementing a DNS-hijacking attack,” the report stated.

The 3 big takeaways for TechRepublic readers

1. A new report from Kaspersky Lab found that the number of malicious installation packages hit more than 8.5 million in 2016, three times more than 2015.

2. Trojans were the No. 1 malware threat of 2016, due in part to cybercriminals attacking mobile devices that had not been updated.

3. Ransomware attacks and IoT attacks are increasingly common, the report found.

Filed Under: IoT, Malware, Products, Ransomware, Security News

Malware Most Common Smart Hospital Data Security Threat

2016/12/06 by admin

By Elizabeth Snell – HealthIT Security

The European Union Agency for Network and Information Security reviewed top smart hospital data security threats, mitigation techniques, and good practices.

Malware is the most common type of potential attack scenario for smart hospitals that poses a data security threat, according to a recent study from the European Union Agency for Network and Information Security (ENISA).

Smart hospitals have become more prevalent as Internet of Things (IoT) components support core functions of a hospital, ENISA stated in its study.

Information security is a key issue for these organizations, and malicious actions, human errors, system and third-party failures, and natural phenomena should all be considered as a potential threat.

“The risks that result from these threats and corresponding vulnerabilities are typically mitigated by a combination of organisational and technical security measures taken by smart hospitals which comprise good practices,” the report’s authors wrote. “With respect to organisational measures, compliance with standards, staff training and awareness raising, a sound security organisation, and the use of guidelines and good practices are particularly relevant.”

ENISA investigated the current status of Smart Hospitals and related information security issues, focusing on deployments in the EU for the study.

Respondents included hospital representatives, industry representatives, and policy makers.

Along with malware, those surveyed said that device tampering, social engineering, denial of service attacks, and theft, were also top attack scenarios for smart hospitals.

Traditional hospitals may also be vulnerable to these types of attacks, researchers noted. However, the consequences can be much more severe in connected organizations.

“Protection becomes difficult because, with the high number of networked devices, many potential points of attack are emerging,” the report states. “The consequences become more severe because information systems and devices are more intensely connected within hospitals and across organisational boundaries.”

Respondents also rated threat categories according to their likelihood of occurrence on a scale from 1 (low likelihood) to 5 (high likelihood). Human errors were the most likely to occur, according to the survey, while natural phenomena were given the lowest likelihood of taking place.

“With respect to human errors, user errors, non-compliance with policies and procedures and loss of hardware, for instance, were perceived as posing considerable risk to smart hospitals,” the researchers explained.

However, malicious actions, which include threats from malware, social engineering, hacking, denial of service and device tampering, were considered particularly critical for smart hospitals by a larger group of respondents than human errors.

Specifically, 77 percent of respondents said that malicious actions were a critical threat, while 70 percent said human errors were the top threat. Just over half of those surveyed – 53 percent – listed system failures as a critical threat.

ENISA recommended that hospitals establish effective enterprise governance for cybersecurity, and also provide specific IT security requirements for IoT components in the hospital. Conducting a risk assessment and vulnerability assessment was also recommended, something US organizations may in any case be required to do under HIPAA regulations.

Industry representatives should perform the following measures to enhance smart hospital data security:

  • Incorporate security into existing quality assurance systems
  • Involve third parties (healthcare organisations) in testing activities
  • Consider applying medical device regulation to critical infrastructure components
  • Support the adaptation of information security standards to healthcare


Several of the healthcare security recommendations are also already being considered for US-based healthcare organizations.

For example, the National Health Information Sharing and Analysis Center (NH-ISAC), the Medical Device Innovation, Safety and Security Consortium (MDISS), and the U.S. Food and Drug Administration (FDA) Center for Devices and Radiological Health (CDRH) recently signed a memorandum of understanding to help organizations identify, mitigate, and prevent medical device cybersecurity threats.

The Information Sharing and Analysis Organization Standards Organization (ISAO SO) also released several documents in October 2016 on cybersecurity information sharing guidance, which focused on cybersecurity risks, incidents, and best practices. In terms of healthcare cybersecurity information sharing, one document discussed privacy and security aspects of cybersecurity risk.

“At a minimum, privacy considerations should include the individual members of an organization, the privacy of any individuals whose data may be included in cyber threat indicators to the extent provided by law, and a full range of other constituencies, customers, and individuals,” the document stated. “To adequately protect privacy while accomplishing the goals of an ISAO, it is important for the ISAO to provide guidance to members, participants, and ISAO staff that will be helpful in striking a balance between allowable sharing of cyber threat information and protecting privacy.”

Filed Under: antivirus, Bitdefender, endpoint, IoT, Kaspersky, Malware, Products, Ransomware, Sophos

2017 Security Predictions

2016/12/01 by admin

From CIO – by Sharon Florentine

From W-2 scams to WordPress vulnerabilities, ransomware, business email compromises, DDoS attacks and allegations of a hacked presidential election — 2016’s been a hell of a year in cybersecurity, and it’s not over yet.

There’s no reason to believe 2017 will be any better. If anything, it could be even worse as cybercriminals continue to push social engineering, find new ways to deliver malware, crack vulnerable databases and leverage mobile technology to find ways to get inside corporate defenses and target individuals.

We asked two leading cybersecurity experts, Matt Dircks, CEO of secure access software company Bomgar and Scott Millis, CTO at secure device management and mobile security company Cyber adAPT, what to expect in 2017.

1. Passwords ‘grow up’

The recent DDoS attack that wreaked havoc on a huge portion of the internet on Oct. 21 was at least partly enabled by unchanged default passwords on IoT devices, says Dircks, which hackers were able to exploit. Don’t think you’re immune; how many of your users have simple, common or outdated passwords? In 2017, Dircks says better password management services will gain traction as businesses understand how vulnerable they are.

“I used to do a party trick where I’d go to someone’s house and hack their router. There are so many purpose-built, ‘dumb’ devices out there like the routers used to facilitate the DDoS attack a few months ago, that it’s making hackers’ jobs easy,” Dircks says.

Cybersecurity professionals will struggle to protect critical infrastructure, connected systems and remotely accessed systems and devices while weak password practices remain the norm, but it’s not just external threats that are a problem.

Mitigating insider threats can also be accomplished through better password management, he says. The best way to do so is to implement a solution that securely stores passwords that remain unknown to users, and then regularly validates and rotates those passwords to ensure safety and security, he says.

“What we’re talking about is credential vaults. In an ideal world, a user would never actually know what their password was — it would be automatically populated by the vault, and rotated and changed every week. Look — hackers are intrinsically lazy, and they have time on their side. If you make it harder for them, they’ll go elsewhere rather than invest the energy to chip away,” Dircks says.

2. Privilege gains power

Hackers want high-level access, which they get through targeting the credentials of privileged users like IT professionals, CEOs and vendors, Dircks says. And while organizations have applied security to the systems, applications and data that are most critical to their business, these preventative measures simply aren’t enough anymore. In 2017, he says, savvy organizations will finally get serious about protecting not just systems, but privileged users by identifying them, monitoring their access and closing off access to what they don’t need.

“We’ve had some clients who say, ‘Well, I just stick my users or outside vendors on the VPN and they’re fine,’ but they have no idea what they are actually accessing! With privilege management, think of it like an elevator bank, where depending on your role, you can only get to certain floors. It really limits what you can do, especially if you’re malicious. Even if I do have a valid password, if my privilege lets me access floors one and seven, but I try to go to six, then the system will block me and notify someone,” Dircks says.

Addressing this issue, too, will require organizations to provide extensive education and training on the potential dangers involved, especially in an increasingly mobile workforce where many individuals would rather sacrifice privacy and personal data for access and believe their security will be taken care of by the third-party service providers and application creators, he says.

“Especially in the last few generations of digital natives, people are more than willing to give up their personal information and data for access to apps, connectivity, information — this can easily be exploited. And they are willing to trust that these app developers, these providers, will make sure they’re safe and secure. That’s dangerous. Combine the cybersecurity skills gap, talent shortage, mobile workforce, app-centric environment, more sophisticated hacking and it’s a perfect storm. We think it’s just going to get worse before it gets better,” Dircks says.

3. The security blame game will heat up

“When we talk to our clients, one trend we’re seeing that is really horrifying is that they don’t even say ‘if’ an attack occurs anymore, they say ‘when.’ It’s like, at this point they are just throwing up their hands and saying, ‘Well, I’m gonna get hit, how bad is it going to be?’ and that, to me, is just terrifying,” Dircks says.

The IoT and increasing reliance on security solution providers means companies may not be able to easily account for ownership or origin once a breach happens, he says. Who is responsible for securing, maintaining and patching the various technologies? Worse yet, has a product been connected to internal systems that can’t yet be patched? A number of IoT devices are often overlooked because they fall outside of IT’s traditional purview, but that means exposure to threats.

“With the integration of IoT, automation and the cloud, no one seems entirely sure who’s actually responsible for maintaining security of all these various pieces: the IoT device manufacturer? The security services provider? The internal IT department? Individual users? You’re only as secure as the least-secure device or relationship,” Dircks says.

When a breach occurs, even with layers of security, the question of who “owns” it and who had or has power to do something about it will create intense reactions and finger-pointing, he says.

Companies can head off this blame game by ensuring open communication between IT and business leadership to understand the potential threats, options for security and safety and the challenges and constraints that exist within the organization, Dircks says.

“Part of the problem is that, as a CSO, a CISO or even a CIO — anyone with security responsibility — you’re either invisible, if you’re doing your job right, or you’re on the hot seat. If you come up with great policies, procedures and security measures, then you often leave those to IT to operationalize. But if those fail because you didn’t understand the business needs, the budgets, the requirements, then you’re not really helping,” he says.

4. Ransomware will spin out of control

Since January 1, 2016, Symantec’s Security Response group has seen an average of more than 4,000 ransomware attacks per day: a 300 percent increase over 2015, according to its 2016 Internet Security Threat Report.

Most organizations rely on low-overhead prevention techniques, such as firewall and antivirus solutions or intrusion prevention to mitigate threats like these, says Cyber adAPT’s Scott Millis. However, these tools are insufficient, and breach data shows that detection and incident response must be improved.

And as attackers continue to use social engineering and social networks to target sensitive roles or individuals within an organization to get to data, the need for comprehensive security education becomes even more critical, he says.

“If security policies and technologies don’t take these vectors into account, ransomware will continue to seep in. There’s also the issue of detection. Some attackers can reside within a company’s environments for months, often moving laterally within environments, and silos between network, edge, endpoint and data security systems and processes can restrict an organization’s ability to prevent, detect and respond to advanced attacks,” Millis says.

Finally, new attack surfaces — for example, IaaS, SaaS and IoT — are still so new that organizations haven’t yet figured out the best way to secure them, he says.

5. Dwell times will see no significant improvement

Dwell time, or the interval between a successful attack and its discovery by the victim, will see zero significant improvement in 2017, Millis says. In some extreme cases, dwell times can reach as high as two years and can cost a company millions per breach.

“Why so long? In my view, this is annoyingly simple — there’s little or no focus on true attack activity detection. At the advent of the ‘malware era’, companies, vendors and individuals were rightly concerned about ‘keeping out the bad guys’, and a whole industry grew quickly to focus on two basic themes: ‘Defense-in-depth’, which I view as layering prevention tactics in-line to make penetration from the outside more difficult; and ‘Malware identification’, which manifested itself as an arms race towards 100-percent-reliable identification of malware,” Millis says.

While response technologies and remediation capabilities improved, victims were able to isolate and repair damage very quickly. The problem is that these technologies didn’t help reduce dwell time unless response teams stumbled upon something malicious or randomly discovered an anomaly, Millis says.

Nowadays, security pros are using network device log files to search for clues as to whether an attack has been attempted or has succeeded, but storing and sorting through the massive amounts of data needed for this approach is costly and inefficient, Millis says.

“The need for huge data stores and massive analytics engines drove the new security information and event management (SIEM) industry. While SIEM is a great after-the-fact forensics tool for investigators, it still isn’t effective in identifying attacks in progress. What we — and some other companies — are doing now is developing products that focus on analyzing raw network traffic to identify attack indicators. Finding attackers as soon as possible after they have beaten the edge or device prevention gauntlet, or circumvented it entirely as an innocent or malicious insider, will dramatically shorten dwell time,” he says.

6. Mobile will continue to rise as a point of entry

At least one, if not more, major enterprise breaches will be attributed to mobile devices in 2017, Millis predicts. A Ponemon Institute report found that for an enterprise, the economic risk of mobile data breaches can be as high as $26.4 million and 67 percent of organizations surveyed reported having had a data breach as a result of employees using their mobile devices to access the company’s sensitive and confidential information.

People and their mobile devices are now moving around way too much, and much too fast for old-fashioned cybersecurity strategies to be effective. Add to that an increasing sense of entitlement by users with regards to the devices they choose to use, and you have a situation ripe for exploitation.

“Many users feel they can protect their privacy while having secure, uninterrupted access to business and personal services. And still many people subscribe to the view it is not they who are accountable for security breaches; if they can work around ‘security’ to improve their user experiences, they will. CISOs, CIOs and CEOs view this as a complex challenge to the implementation of their enterprise security strategies, and one that won’t be solved by having email and calendar data delivered over SSL to a single, approved OS,” Millis says.

Mobile payments, too, will become a liability. MasterCard’s ‘selfie pay’ and Intel’s True Key are just the tip of the iceberg, he says. Individuals should understand that they need to treat their biometric data just as carefully as they do other financial and personal data; again, that comes down to education and training, he says.

“Wouldn’t it be nice if public Wi-Fi access providers were required to put up the internet allegory to the warnings on cigarette packs? Something like, ‘Warning: This public access connection is not secure and information you send and receive while connected may possibly be viewed, collected and subsequently used by criminals to steal your assets, identity or private information,'” Millis says.

7. Internet of threats?

IoT vulnerabilities and attacks will rise and will increase the need for standardization for various security measures — hackers at this year’s Def Con found 47 new vulnerabilities affecting 23 devices from 21 manufacturers.

And, of course, in October 2016 the massive DDoS attack on major global websites including Twitter, Netflix, Reddit and the UK government’s sites was reportedly powered by the Mirai botnet made up of insecure IoT devices.

“A lot of attention is focused on ‘smart devices’ as proof of IoT’s growing influence. The reality is a connected device doesn’t make it a smart device. The ‘things’ that are being connected often ‘fire-and-forget’ in their simplicity, or are built-in features and tools we may not even know are there — like the routers used in the Mirai botnet. This leads to a mindset of ignoring these ‘dumb’ devices without paying attention to the fact that these devices, while inherently ‘dumb’, are connected to the biggest party-line ever made: the internet,” says Bomgar’s Matt Dircks.

This isn’t just a problem for smaller consumer devices, or even for connected homes and cars. Dircks isn’t even particularly focused on the possibility of another DDoS attack. What’s more troubling is the potential for an attack on large, widespread infrastructure systems like the power grid, or even avionics or railway systems, he says.

“I’m not worried about things like, if my connected showerhead turns on hot or cold. I think there’s a fairly significant chance we’ll see a major hack on power grids or on transportation systems like rail in 2017. This is the ‘dumb’ IoT that’s still out there — the technology from the 1950s and 1960s that’s powering these critical infrastructure systems that is almost totally unsecured,” he says.

This is a perception problem; the general public doesn’t tend to see these systems as being similar to the IoT devices they use with increasing frequency — even mobile phones can fall into that category, says Millis.

“Like smart-phones before them, IoT devices are assumed to be new, separate, and not subject to the same limits as older technology, but think about it. It’s nonsense: Smartphones are the most plentiful internet device around. IoT is the next hyper-jump in scale. Some organizations are wisely ahead of the curve a little bit this time, trying to head off the same security issues that mobile devices are facing now. So far, activity here has all come down to prevention yet again, but we believe every device and/or connection can be compromised. Shortening dwell time and securing IoT depends on being able to tell when that inevitably happens, as quickly as possible and with the highest level of confidence,” Millis says.

Filed Under: Advanced Persistent Threat, antivirus, CyberThreats, IoT, Malware, Products, Ransomware, Security News

LogRhythm taps machine learning and analytics for its SOC

2016/11/23 by admin

by ITWire – Ray Shaw

When you run a SOC (Security operations centre), you receive so much data that sometimes it is hard to sort the wheat from the chaff. LogRhythm needed at least a 200% boost to its processing power.

LogRhythm, a Security Intelligence Company, has announced the release of LogRhythm 7.2, a major upgrade to its leading security intelligence and analytics platform. It has been purpose-built to power the next-generation SOC.

This release extends LogRhythm’s lead in providing accurate security analytics with embedded security automation and orchestration to help customers detect, respond to and neutralise cyberthreats before they result in a material breach.

Chris Petersen, CTO and co-founder of LogRhythm, said, “Armed with finite resources to battle a staggering number of possible security threats, CISOs are desperately trying to realise an effective end-to-end threat lifecycle management capability. Whether you support a massive 24×7 global security operations centre or a small virtual SOC, LogRhythm 7.2 will amplify your organisation’s ability to rapidly detect, investigate, and neutralise threats.”

The risk of a breach is steadily climbing, and cloud and internet of things (IoT) deployments further expand the enterprise attack surface.

Enterprise security operations teams recognise that executing end-to-end threat lifecycle management is the only way to effectively manage that risk. However, most are understaffed and overwhelmed, lacking the necessary analytics, automation, and orchestration to stay ahead.

LogRhythm 7.2 addresses these issues by delivering leading capabilities in four key areas: scalability; machine data intelligence; user and entity behaviour analytics (UEBA); and embedded security automation and orchestration.

Michael Meline, the IT security manager at Kootenai Health, said, “Large enterprises are already harnessing the power of LogRhythm 7.2 – it soars to new heights. LogRhythm is putting customers first by developing features collaboratively with users. The Threat Intelligence Service in LogRhythm 7.2 is more actionable and helpful than 7.1 in surfacing important data for better incident response through security automation and orchestration.”

Highlights of the LogRhythm 7.2 security intelligence and analytics platform include:

Greater efficiency, designed for massive environments

  • LogRhythm 7.2 provides up to 200 percent improvement in data processing and indexing performance to help customers cost-efficiently scale, especially in high-volume environments such as those exceeding 100,000 messages per second. What’s more, fully-automated data source onboarding saves countless hours of administration time in large environments.

Accurate security analytics supports even more data sources

  • LogRhythm 7.2 extends the depth of the platform’s patented Machine Data Intelligence Fabric™, a feature that automatically extracts contextual meaning from data to enable the most accurate and powerful security analytics. Specifically, LogRhythm 7.2 delivers advanced threat detection capabilities by expanding its industry-leading data schema with more than 20 additional metadata fields. These added fields complement the platform’s industry-leading support for over 785 unique data sources. LogRhythm 7.2 also advances customers’ visibility into cloud-based systems, including AWS, Salesforce, Box and Microsoft Office 365.

Only SIEM provider to deliver “one-stop-shop” for holistic threat detection across user, network, and endpoint-borne threats

  • LogRhythm 7.2 customers will see accelerated detection and investigation of user-borne risks—such as compromised accounts and insider threats – due to extensive enhancements to the User and Entity Behavioral Analytics (UEBA) module. The UEBA module extensions also include new threat detection algorithms, stronger kill-chain corroboration and new real-time dashboards for more targeted threat hunting.

Eliminates costly and inefficient workflow API integrations via embedded Security Automation and Orchestration

  • Security teams will realise improved efficiency and more rapid response to threats due to the security automation and orchestration capabilities embedded into the new LogRhythm 7.2 platform. It helps reduce total cost of ownership by eliminating the need to buy, integrate and maintain expensive third-party solutions and API integrations.
  • LogRhythm 7.2 delivers extensive workflow and UI enhancements based on real-world customer feedback, such as direct in-workflow access to threat intelligence services. The release also adds 20 new SmartResponse actions that provide customers with automated playbooks for incident response.


Filed Under: Advanced Persistent Threat, compliance, CyberThreats, IoT, Log Management, LogRhythm, Products, Ransomware, Security News

Cybersecurity 101: The criticality of event logs

2016/11/22 by admin

From CSO Online – Dwight Davis

Coaches love to talk about “the basics” – the fundamental skills their athletes need to master before they can move on to more advanced techniques. The basics can seem simple and even dull, but without them as a foundation, ultimate success can prove elusive.

Cybersecurity programs have their own set of “the basics.” Sadly, one of the most critical of these essentials is also one of the most neglected: the collection and regular review of event logs. Good log practices can pay big dividends throughout the entire cybersecurity lifecycle, from helping to profile “normal” activity, to identifying and preventing attacks, to, if necessary, performing post-breach forensics and remediation.

Even organizations that understand the importance of event logging can be overwhelmed by the sheer volume of events that routinely occur across even modest IT environments. Operating systems, firewalls, network routers, applications and dozens of other infrastructure elements can each generate their own event logs. Large corporate environments may log thousands of events per second and millions of events per day. With the proliferation of mobile devices and Internet-of-Things endpoints, today’s staggering log volumes will only continue to grow.

This embarrassment of riches in raw log information can produce operational paralysis rather than insight if organizations fail to implement sophisticated log filtering systems. Such filters need to strike a balance between collecting any and all event information and filtering out so many logs that potentially meaningful data is lost.

Once the data is collected, organizations need log retention policies that ensure that pertinent data is still available if needed to detect, prevent or analyze some future security incident. Many companies will need outside experts to help them institute optimal log collection and retention policies.

Once they have good log information in hand, organizations can use it to create profiles of typical networking and user activities. When paired with security information and event management (SIEM) systems, this baseline log information can help security professionals identify suspicious activity that falls outside of expected norms. In this way, the logs form the core of an early warning system that can help organizations counter threats before they even gain a foothold.
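As an added illustration of the filter, profile and flag workflow the last three paragraphs describe (example code written for this page, not from the CSO Online article or any SIEM product), the script below parses constructed syslog-style sshd lines, drops unrelated noise, builds a per-user profile of "normal" login hours, source addresses and auth methods from a training window, and then flags later logins that fall outside that profile. The log lines, host names, user names and field choices are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample syslog-style lines (not from the article). Lines before the
# cutoff date form the "normal activity" profile; the rest are reviewed against it.
SAMPLE_LOGS = [
    "2016-11-14T09:02:11 srv1 sshd[101]: Accepted publickey for alice from 10.0.1.5",
    "2016-11-14T09:05:40 srv1 sshd[102]: Accepted publickey for bob from 10.0.1.9",
    "2016-11-15T08:58:02 srv1 sshd[110]: Accepted publickey for alice from 10.0.1.5",
    "2016-11-15T10:31:55 srv1 cron[12]: (root) CMD (run-parts /etc/cron.hourly)",
    "2016-11-22T03:14:09 srv1 sshd[200]: Accepted password for alice from 203.0.113.77",
    "2016-11-22T09:01:30 srv1 sshd[201]: Accepted publickey for bob from 10.0.1.9",
]
LOGIN_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+)")
# Fields the baseline tracks, paired with the finding text used when a value is unseen.
CHECKS = (("hour", "off-hours login"), ("src", "new source address"), ("method", "new auth method"))

def parse_logins(lines):
    """Filter step: keep successful sshd logins, drop noise such as cron entries."""
    events = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            when = datetime.fromisoformat(m.group(1))
            events.append({"ts": when, "hour": when.hour, "user": m.group(3),
                           "src": m.group(4), "method": m.group(2)})
    return events

def build_baseline(events):
    """Profile each user: the set of values seen for every tracked field."""
    baseline = defaultdict(lambda: {field: set() for field, _ in CHECKS})
    for e in events:
        for field, _ in CHECKS:
            baseline[e["user"]][field].add(e[field])
    return baseline

def find_anomalies(events, baseline):
    """Return (user, timestamp, reasons) for events outside the user's baseline."""
    findings = []
    for e in events:
        b = baseline.get(e["user"])
        reasons = (["user never seen in baseline"] if b is None else
                   [msg for field, msg in CHECKS if e[field] not in b[field]])
        if reasons:
            findings.append((e["user"], e["ts"].isoformat(), reasons))
    return findings

def review(lines, cutoff_iso):  # train on events before the cutoff, review the rest
    cutoff = datetime.fromisoformat(cutoff_iso)
    events = parse_logins(lines)
    baseline = build_baseline([e for e in events if e["ts"] < cutoff])
    return find_anomalies([e for e in events if e["ts"] >= cutoff], baseline)
```

With the sample data, `review(SAMPLE_LOGS, "2016-11-22")` flags only alice's 03:14 password login from an unfamiliar address; a real baseline would be built over weeks of retained logs, which is exactly why the retention policy above matters.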

When suspected or actual breaches do occur, the log data serves to help in the identification and isolation of any intruder or malware. Then it provides an audit trail for tracking which network elements, processes or users were involved in the attack. While of obvious value, this critical log data is often lacking.

In a recent AT&T Cybersecurity Insights report, Todd Waskelis, executive director of Security Consulting Services at AT&T, said, “We consistently go in and find that the evidence [log] data we need just isn’t there or readily accessible. This makes it difficult for us as we try to figure out what happened.”

Log data can even play a crucial role in mitigating the regulatory or legal ramifications associated with any significant breach. The audit trail provided by the logs may help an organization prove that a breach didn’t occur because of its own negligence or through some other internal fault.

In the cybersecurity realm, where attention is often focused on the latest big attack or on the newest cutting-edge security control, lowly event logs can sometimes be overlooked. But without good log collection, retention and analysis capabilities, an organization’s security program will rest on very unstable ground.

For information on the various SIEM technologies available – give us a call at 866-431-8972 or email us at sales@symtrex.com.

Filed Under: Advanced Persistent Threat, compliance, CyberThreats, IoT, Log Management, LogRhythm, Products, Security News, SolarWinds


© Copyright 2016 Symtrex Inc. ; All Rights Reserved · Privacy Statement