Data Breach Preparation and Centralized Logging

Posted by Mark Greisiger

A Q&A with Branden Williams, of Sysnet Global Solutions

Many insured organizations are not as prepared for cyber breach incidents as they could be. Without a centralized logging system, known as a SIEM, in place, it can be exceedingly difficult and expensive to investigate and remedy a breach. I talked to Branden Williams, executive vice president of Sysnet Global Solutions, about SIEM and its advantages.

Please explain in layperson terms what SIEM is.
SIEM stands for security information and event management. A SIEM tool collects security-related information from all of the devices in your infrastructure and manages it in a centralized place. This allows you to look at multiple logs at the same time and understand correlation, in context, so that if you have 20 or 30 devices that are all having a security issue, you could go back and see that yes, someone tried and failed to log in several times before they were successful. These patterns allow you to understand how and when these incidents occur. The technology, in its current iteration, has been around for a decade or so but in the last three years more people have adopted it beyond the compliance use case. However, many companies still use it as a catchall to make auditors go away—and we know that compliance measures are usually behind the eight ball as solutions to real world threats—and they are not using it in the most effective manner. Proper deployment of a SIEM is costly and so even companies that are using a SIEM correctly are often only using it in specific areas and not across their infrastructure.
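The pattern Williams describes, repeated failed logins on several machines followed by one success, is exactly the kind of correlation that only works once the logs sit in one place. The script below is an added example and is not code from Sysnet Global Solutions or from this interview; the log lines, the syslog-like line layout, the hostnames, and the thresholds (three failures inside a ten-minute window) are all constructed assumptions. It runs the same detection over the centralized log set and then over each host's log on its own, to show that the per-host view finds nothing.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article), in an assumed syslog-like layout:
# "<iso-timestamp> <host> sshd: <Failed|Accepted> password for <user> from <ip>"
SAMPLE_LOGS = [
    "2024-03-01T10:00:01 web01 sshd: Failed password for admin from 203.0.113.7",
    "2024-03-01T10:00:05 web01 sshd: Failed password for admin from 203.0.113.7",
    "2024-03-01T10:00:09 db02 sshd: Failed password for admin from 203.0.113.7",
    "2024-03-01T10:00:14 db02 sshd: Failed password for admin from 203.0.113.7",
    "2024-03-01T10:00:20 app03 sshd: Accepted password for admin from 203.0.113.7",
    # A legitimate user who mistyped once in the morning and logged in later: not an alert.
    "2024-03-01T10:05:00 web01 sshd: Failed password for bob from 198.51.100.9",
    "2024-03-01T11:30:00 web01 sshd: Accepted password for bob from 198.51.100.9",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def find_failed_then_success(lines, min_failures=3, window=timedelta(minutes=10)):
    """Correlate across hosts: report every (source ip, user) pair whose successful
    login was preceded by at least `min_failures` failures within `window`,
    regardless of which machine each attempt landed on."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    failures = defaultdict(list)  # (ip, user) -> [(timestamp, host), ...]
    findings = []
    for e in events:
        key = (e["ip"], e["user"])
        if e["outcome"] == "Failed":
            failures[key].append((e["ts"], e["host"]))
            continue
        # Success: count only the failures that fall inside the lookback window.
        recent = [(ts, h) for ts, h in failures[key] if e["ts"] - ts <= window]
        if len(recent) >= min_failures:
            findings.append({
                "ip": e["ip"],
                "user": e["user"],
                "failures": len(recent),
                "hosts": sorted({h for _, h in recent} | {e["host"]}),
                "success_host": e["host"],
                "success_at": e["ts"].isoformat(),
            })
        failures[key].clear()
    return findings


def detections_per_host(lines, **kwargs):
    """Run the same rule on each host's log in isolation, i.e. what you get
    without a SIEM. Returns {host: findings}."""
    by_host = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e:
            by_host[e["host"]].append(line)
    return {host: find_failed_then_success(host_lines, **kwargs)
            for host, host_lines in by_host.items()}


if __name__ == "__main__":
    for f in find_failed_then_success(SAMPLE_LOGS):
        print(f"centralized: {f['user']}@{f['ip']} failed {f['failures']} times "
              f"across {f['hosts']} before succeeding on {f['success_host']}")
    for host, found in detections_per_host(SAMPLE_LOGS).items():
        print(f"per-host {host}: {len(found)} finding(s)")
```

Centralized, the rule reports one finding: four failures spread over web01 and db02, then a success on app03, all from the same address inside twenty seconds. Per host, no machine ever sees more than two failures and the one that accepted the login saw none, so every per-host run returns an empty list. That gap is the cost Williams is pointing at when he says investigators need the logs in one place.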

How can SIEM help a company with decentralized operations and multiple business units?
It’s difficult to track threats that go through the network if you can’t centralize your logs and this becomes even more complicated in a large company with many operations. Being able to maintain logs in a single place can help you track data across functions and identify issues early, including inefficiencies. Another major reason to use SIEM is to prepare for the case of a natural disaster or major outage—it’s much easier to access log information when it’s all in one place, even if your satellite location is offline.

How can a SIEM help a forensic investigator in a data breach situation?
If a system is a complex one, an investigator could have a difficult time determining where an incident came from. If you have a functioning, wide-scale SIEM in place, an investigator can review the logs and see which machines are impacted. Narrowing down the investigation’s scope saves money, time and effort. For example, in a prominent breach we were involved in, it took about six weeks to figure out the cause due to the lack of logs. Ultimately, it turned out that one of the machines we originally dismissed was the original infiltration point that led to the larger breach. We could have shaved two weeks off of the investigation and saved the company about $50,000 dollars.

In summary…
Recently, an insurance executive whose company offers cyber liability coverage to healthcare entities told me his clients that suffer data breach events rack up immense claims costs for computer forensics, due to the lack of SIEM. And it’s a problem for sectors beyond healthcare. Investigations may take weeks as opposed to days. Because this type of proactive solution can ultimately help organizations better manage security threats while decreasing the future cost of a breach investigation, companies—especially those with decentralized IT operations—should give it thoughtful consideration.