Every year, the data breach lifecycle gets longer.
In fact, the lifecycle extended by nearly 2 weeks between 2015 and 2021, according to IBM’s Cost Of A Data Breach Report—from 275 days to 287 days this year.
What is the data breach lifecycle? IBM defines it as the time elapsed from the first detection of a breach to its containment.
“If a breach occurred on January 1 and it took 287 days to identify and contain,” writes IBM, “the breach would not be contained until October 14.”
The longer it takes to identify a breach, the more expensive it becomes. IBM also found that breaches with a lifecycle of 200 or more days cost an average of $4.87 million, compared to a lifecycle of less than 200 days costing $3.61 million.
One way to reduce a breach’s lifecycle is with threat detection and response with a tool like a SIEM.
What Is SIEM?
SIEM stands for security information and event management.
A SIEM tool collects logs from different pieces of hardware and applications into one centralized location, and then analyzes those logs for potential security events.
Having a SIEM allows regulated entities, such as those in financial services and healthcare, to meet compliance requirements.
But, in our experience, there is much more that can and should be done when it comes to SIEMs regarding security incident response.
How Do SIEMs Work?
SIEM technology come in all different forms and price points.
At its base, a SIEM has logic in place so that if a cybersecurity incident is detected, the business receives security alerts.
For instance, a SIEM can detect unusual, disparate activities on a server, firewall, and a workstation.
Independently, those anomalies may not mean anything.
Together, those events could add up to a cybersecurity incident.
The SIEM should deliver an alert to the organization’s internal cybersecurity team and/or their outsourced IT provider so that they can make sense of the alert.
Many times, we see that teams are unsure whether the alert is actionable or just noise.
Why Is SIEM Used?
Basic SIEM tools retain system logs, or syslogs.
An organization should set policies on log management—as an example, regulated entities are required to keep syslogs for up to 12 months.
Security teams can mine the logs retained by the SIEM for up to a year (or however long their retention policy is) and look for cybersecurity breaches within them to help determine:
- Was data exfiltrated?
- What was the source of the cybersecurity breach?
- What did the breach allow hackers to gain access to?
In our experience, businesses think SIEM tools will solve their problems until they discover that analyzing the alerts is more time-consuming than it appears.
Other Considerations For SIEMs
As mentioned, basic SIEM tools offer syslog retention and can sometimes correlate cybersecurity events together.
However, more premium SIEM solutions send those alerts to a 24x7x365 security operations center, also known as a SOC.
Someone at a SOC provides real-time monitoring at all times throughout the day.
A SOC’s location is determined by the type of business. Banks throughout the United States, for example, must work with a SOC based in North America.
In addition to thinking about where data aggregation, businesses may also consider what else integrates with the SIEM.
Basic SIEMs plug into a company’s physical hardware alone, while more robust SIEMs integrate with antivirus software, endpoint detection & response solutions, and even email providers to combat threats like phishing.
When your business considers its first or its next SIEM, consider what protections it offers—and doesn’t offer—for your sensitive data. Know what trade-offs you’ll be making, and have a plan in place for what to do with alerts your SIEM sends your way.
If 287 days sounds like too long for a data breach lifecycle, you’re right. SIEMs can help reduce financial and reputation risks throughout that time.
If you need help selecting a SIEM or separating its perceived noise from actionable alerts, consider contacting Integrity Technology Solutions for help.