The importance of visibility – from threat detection to capturing evidence

Having visibility of – and alerts for – unusual activity within your environment is important for threat detection and response, but also for capturing evidence over a long enough period that it could be used in any criminal proceedings. 

After a security breach, a full investigation helps identify what led to the security event. A forensic report, which examines how the attack happened, can be very technical, but if you pull out the key events that indicate unusual activity – numerous failed log-on attempts, malicious software being introduced, new admin users being set up, remote access from a suspect IP address and so on – the journey of the cyber-criminal becomes obvious once you look at it retrospectively. It is likely to have taken place over a number of days, and outside normal working hours.

System logs are like CCTV footage

Most activity on your systems and network is recorded in automatically generated system logs, provided logging is switched on for the events that matter. Looking back at those logs after malicious activity is like examining recorded CCTV footage of a crime, looking for clues. If the activity had been spotted in real time, by someone who understood what was happening, it might have been prevented and the criminals stopped.
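The retrospective reading of the key events described above can be turned into detection logic that runs as the log lines arrive, which is what "spotting it in real time" means in practice. The following is an added example, not code from the original post or from any vendor's SIEM: a small Python pass over constructed log lines (the format, host name, user names and IP addresses are all made up, and the working hours and internal address ranges are assumptions) that flags a burst of failed log-ons followed by a success, a log-on from an external address out of hours, and an account being added to the Administrators group.

```python
"""Added example (not code from the original post or any vendor SIEM):
a small detection pass over constructed authentication log lines.

The log format, host name, user names and IP addresses are made up.
The working hours and internal address ranges are assumptions."""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Constructed sample lines in a simplified syslog-like format:
#   <ISO timestamp> <host> <event> key=value ...
SAMPLE_LOG = """\
2024-03-09T02:11:05 fileserver01 LOGIN_FAILED user=administrator src=203.0.113.45
2024-03-09T02:11:09 fileserver01 LOGIN_FAILED user=administrator src=203.0.113.45
2024-03-09T02:11:14 fileserver01 LOGIN_FAILED user=administrator src=203.0.113.45
2024-03-09T02:11:20 fileserver01 LOGIN_FAILED user=administrator src=203.0.113.45
2024-03-09T02:11:27 fileserver01 LOGIN_FAILED user=administrator src=203.0.113.45
2024-03-09T02:12:03 fileserver01 LOGIN_SUCCESS user=administrator src=203.0.113.45
2024-03-09T02:15:40 fileserver01 USER_CREATED user=svc_backup2 src=203.0.113.45
2024-03-09T02:16:02 fileserver01 GROUP_MEMBER_ADDED user=svc_backup2 group=Administrators src=203.0.113.45
2024-03-09T09:30:12 fileserver01 LOGIN_SUCCESS user=alice src=10.0.0.23
2024-03-09T09:31:00 fileserver01 LOGIN_FAILED user=bob src=10.0.0.24
2024-03-09T09:31:10 fileserver01 LOGIN_SUCCESS user=bob src=10.0.0.24
"""

# Assumptions for the example: these ranges are "inside", and the
# working day runs 07:00-19:00 on the server's clock.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
WORKING_HOURS = (time(7, 0), time(19, 0))


def parse_line(line):
    """Turn one log line into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    event = {"ts": ts, "host": parts[1], "event": parts[2]}
    for kv in parts[3:]:
        if "=" in kv:
            key, value = kv.split("=", 1)
            event[key] = value
    return event


def is_remote(ip_text):
    """True when the source address is outside the assumed internal ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # an unparseable source is treated as untrusted
    return not any(ip in net for net in INTERNAL_NETS)


def out_of_hours(ts):
    start, end = WORKING_HOURS
    return not (start <= ts.time() < end)


def detect(log_text, failed_threshold=5, window=timedelta(minutes=5)):
    """Run three simple rules over the lines and return the alerts in order."""
    alerts = []
    recent_failures = defaultdict(deque)  # src -> timestamps of recent failures
    brute_force_sources = set()

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev.get("src", "?")
        base = {"src": src, "user": ev.get("user"), "ts": ev["ts"]}

        if ev["event"] == "LOGIN_FAILED":
            q = recent_failures[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= failed_threshold and src not in brute_force_sources:
                brute_force_sources.add(src)
                alerts.append(dict(base, rule="brute_force"))

        elif ev["event"] == "LOGIN_SUCCESS":
            if src in brute_force_sources:          # guessing that then worked
                alerts.append(dict(base, rule="success_after_brute_force"))
            if is_remote(src) and out_of_hours(ev["ts"]):
                alerts.append(dict(base, rule="out_of_hours_remote_login"))

        elif ev["event"] == "GROUP_MEMBER_ADDED" and ev.get("group") == "Administrators":
            alerts.append(dict(base, rule="admin_group_member_added"))

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['rule']:28} src={alert['src']} user={alert['user']}")
```

Run as a script it prints four alerts, all from the same external address, within a five-minute span at two in the morning. Note that the USER_CREATED line produces nothing on its own: whether it is worth an alert depends on your environment, which is the tuning work that removing false positives involves.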

Being able to detect these threats also matters for meeting compliance obligations under data protection law. In one enforcement action by the ICO, where the Commissioner considered that appropriate technical and organisational measures had not been taken, the Commissioner’s view was that the data controller had failed to ‘monitor its activity log (which was defective) in order to check for activity of concern such as bulk extractions of data’.

The problem with system logs

Which events are logged, and how much detail is kept, is configurable by the system administrator.

However, a common problem is that the space allocated to logs has a finite capacity, and once it is full the oldest entries start being overwritten.

Effectively, the logs exist for a period of time – on a busy system, maybe as little as an hour – and are then lost, replaced by newer entries. This is quite a scary thought for someone like me, with a background in finance – imagine auditable records being overwritten! It is an open goal for cyber criminals, so it’s not surprising that some of these cases never get as far as court, simply because there is insufficient evidence, or the integrity of the evidence has been compromised.

Multiply this across several servers, each collecting its own logs for this finite period, and identifying, tracing and investigating unusual events becomes a huge task. It also depends on which events were set up to be logged in the first place – failed log-on attempts, access-denied attempts and so on – because an event that was never recorded cannot be investigated.

So, if there was something that needed to be investigated, it could easily be missed, and soon deleted.

The importance of visibility 

Being able to identify and analyse those activities, removing false positives and providing visibility, becomes very important – especially with a workforce that is working remotely and internal resources that are under additional stress.

This is where security information and event management (SIEM) solutions come in. They collect these activity logs centrally, extending the retention period well beyond what the originating systems keep, and intelligently highlight the events that need further investigation and analysis. Because the central copy lives off the originating host, it also survives an attacker clearing the local logs. A Security Operations Centre (SOC) provides the staff with the knowledge to make sense of those alerts and respond accordingly.

How we can help

Our SOC and SIEM solutions were developed specifically for SMEs, with the aim of making enterprise-level technology available to smaller businesses, so they can enjoy the same level of visibility normally reserved for large corporates.

To find out more, check out Pete’s blog – My quest to launch a SOC and SIEM solution that’s actually suitable (and affordable) for SMEs – or our SOC and SIEM solutions page.