A Security Information and Event Management (SIEM) system is used by organizations to log, and provide alerts for, changes to and access to critical systems. For the most part, it is required for compliance (e.g., PCI) and is a common appliance at larger organizations. With the rise of ransomware and of phishing leading to wire fraud, smaller businesses are finding themselves as victims with very limited insight into root causes and true impact due to missing security controls.
Small businesses use many of the same technologies as larger organizations (e.g., Office 365, Gmail for Business, Virtual Private Networks) but with far less budget. With budget being a primary concern, smaller organizations tend to forego any sort of alerting or log aggregation. However, there are budget-conscious solutions that involve deploying in-house or using a third-party managed service provider (MSP). Depending on available resourcing and budget, using an MSP may be the best option simply because the monitoring cost per system can be lower than that of full-time, qualified staff.
Why do you need one?
Organizations that have been breached have confirmed that attackers were in their networks, undetected, for months at a time. The Citrix breach of 2018 went undetected for 6 months! For smaller organizations, this could lead to the theft of intellectual property, theft of customer lists, and wire transfer procedures being disclosed, intercepted, or even modified.
While wire fraud may sound out of the ordinary, it happened to the province of Ontario (which led to a loss of over 500 thousand dollars), and countless other organizations that sometimes choose not to disclose the incident publicly.
Having a logging system in place with the appropriate alerts configured could notify you of unauthorized individuals within your email or network and provide sufficient time to respond. A common misconception among smaller organizations is that such a system requires employees available at all hours of the day to watch the alerts, but that is not the case. Even if employees are only available during working hours to review alerts, that is better than not being notified at all.
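As an added illustration (not code from the original post) of the kind of alert meant above, the following rule runs over constructed email sign-in records and flags a successful login from a country the user has never signed in from, with any preceding failed attempts from the same IP attached as context for whoever reviews the queue. The record field names are assumptions, not any product's real log schema.

```python
from collections import defaultdict

# Constructed sample sign-in records (field names are assumptions, not a
# specific product's schema). ISO-8601 timestamps compare correctly as strings.
SAMPLE_LOG = [
    {"time": "2019-05-01T09:02:00", "user": "alice@example.com", "result": "Success", "country": "CA", "ip": "198.51.100.10"},
    {"time": "2019-05-02T08:55:00", "user": "alice@example.com", "result": "Success", "country": "CA", "ip": "198.51.100.10"},
    {"time": "2019-05-02T13:10:00", "user": "bob@example.com",   "result": "Success", "country": "CA", "ip": "198.51.100.22"},
    {"time": "2019-05-03T11:00:00", "user": "bob@example.com",   "result": "Success", "country": "US", "ip": "203.0.113.5"},
    # Review window: several failures for alice, then a success from a new country.
    {"time": "2019-05-10T02:14:00", "user": "alice@example.com", "result": "Failure", "country": "NG", "ip": "192.0.2.77"},
    {"time": "2019-05-10T02:15:00", "user": "alice@example.com", "result": "Failure", "country": "NG", "ip": "192.0.2.77"},
    {"time": "2019-05-10T02:16:00", "user": "alice@example.com", "result": "Success", "country": "NG", "ip": "192.0.2.77"},
    {"time": "2019-05-10T09:30:00", "user": "bob@example.com",   "result": "Success", "country": "US", "ip": "203.0.113.5"},
]


def build_baseline(records, cutoff):
    """Map each user to the countries of their successful sign-ins before `cutoff`."""
    baseline = defaultdict(set)
    for r in records:
        if r["result"] == "Success" and r["time"] < cutoff:
            baseline[r["user"]].add(r["country"])
    return baseline


def new_country_alerts(records, cutoff):
    """Return one alert per successful sign-in at or after `cutoff` from a
    country absent from that user's baseline. Failed attempts from the same
    user/IP pair earlier in the window are counted as supporting context."""
    baseline = build_baseline(records, cutoff)
    failures = defaultdict(int)
    alerts = []
    for r in sorted(records, key=lambda x: x["time"]):
        if r["time"] < cutoff:
            continue
        if r["result"] != "Success":
            failures[(r["user"], r["ip"])] += 1
            continue
        if r["country"] not in baseline.get(r["user"], set()):
            alerts.append({
                "user": r["user"], "country": r["country"], "ip": r["ip"],
                "time": r["time"],
                "prior_failures_from_ip": failures[(r["user"], r["ip"])],
            })
    return alerts


if __name__ == "__main__":
    for alert in new_country_alerts(SAMPLE_LOG, "2019-05-10T00:00:00"):
        print("ALERT new-country sign-in:", alert)
```

Bob's login from the US raises nothing because the US is already in his baseline; only Alice's login from a country she has never used is escalated, and the two failed attempts that preceded it travel with the alert.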
What can you do?
There are three options that we recommend.
Deploy Canary devices. A canary device sits in your environment and mimics a real infrastructure system or appliance. It can be deployed to look like a Windows, Linux, networking, or SCADA device. If an attacker is in your network and looking for high-value targets, the Canary, when probed, will notify your team of the behaviour. A Canary comes in at a fraction of the price of the other solutions and will tell you that an attacker is in the network. A SIEM would additionally show you the attacker's movements leading up to the Canary alert, which makes identifying the root cause and the potential impact of the breach much easier.
Build an in-house SIEM. Doing this will require full-time staff to review alerts and logs, tune the SIEM, and add new rules to keep up with industry threats.
Use a Managed Service Provider (MSP) that will ingest all of your logs and do the reviewing, tuning and escalations on your behalf.
Using a Canary in addition to the second or third option is also acceptable. Once the decision has been made on an in-house or MSP solution, the best way to test the effectiveness of the deployment is to conduct a purple team exercise. A purple team exercise uses a red team (penetration testers) to attack the infrastructure while the blue team (the MSP or in-house employees) works to verify that the attacks are being correctly classified and alerted on. The only way to confirm the SIEM is working as intended is to test it properly before a real attack happens.
At Packetlabs, we have the expertise to assist teams with purple team exercises, deployments and configuration of Canaries and guidance on SIEM deployment and alerting. Reach out to us if you are investigating any of the solutions above or if you are still unsure of whether or not you need a logging and alerting solution.