Every year, the data breach lifecycle gets longer.
In fact, the lifecycle extended by nearly 2 weeks between 2015 and 2021, according to IBM’s Cost Of A Data Breach Report—from 275 days to 287 days this year.
What is the data breach lifecycle? IBM defines it as the time elapsed from the first detection of a breach to its containment.
“If a breach occurred on January 1 and it took 287 days to identify and contain,” writes IBM, “the breach would not be contained until October 14.”
The longer it takes to identify a breach, the more expensive it becomes. IBM also found that breaches with a lifecycle of 200 or more days cost an average of $4.87 million, compared to a lifecycle of less than 200 days costing $3.61 million.
One way to reduce a breach’s lifecycle is with threat detection and response with a tool like a SIEM.
SIEM stands for security information and event management.
A SIEM tool collects logs from different pieces of hardware and applications into one centralized location and then analyzes the log data for potential security events.
Having a SIEM allows regulated entities, such as those in financial services and healthcare, to meet compliance requirements.
But, in our experience, there is much more that can and should be done when it comes to SIEMs regarding security incident response.
SIEM technology come in all different forms and price points.
At its base, a SIEM has logic in place so that if security issues are detected, the business receives security alerts.
For instance, a SIEM can detect unusual, disparate activities on a server, firewall, and a workstation.
Independently, those anomalies may not mean anything.
Together, those events could add up to a cybersecurity incident.
The SIEM should deliver an alert to the organization’s internal cybersecurity team and/or their outsourced IT provider so that they can make sense of the alert.
Many times, we see that teams are unsure whether the alert is actionable or just noise.
Basic SIEM tools retain system logs, or syslogs.
An organization should set policies on log management—as an example, regulated entities are required to keep syslogs for up to 12 months.
Security teams can mine the logs retained by the SIEM for up to a year (or however long their retention policy is) and look for cybersecurity breaches within them to help determine:
In our experience, businesses think SIEM tools will solve their problems until they discover that analyzing the alerts is more time-consuming than it appears.
As mentioned, basic SIEM tools offer syslog retention and can sometimes work through cybersecurity event correlation.
However, more premium SIEM solutions send those alerts to a 24x7x365 security operations center, also known as a SOC.
Someone at a SOC provides real-time monitoring at all times throughout the day.
A SOC’s location is determined by the type of business. Banks throughout the United States, for example, must work with a SOC based in North America.
In addition to thinking about data collection and data aggregation, businesses may also consider what else integrates with the SIEM.
Basic SIEMs plug into a company’s physical hardware alone, while more robust SIEMs integrate with antivirus software, endpoint detection & response solutions, and even email providers to combat threats like phishing.
When your business considers its first or its next SIEM, consider what protections it offers—and doesn’t offer—for your sensitive data. Know what trade-offs you’ll be making, and have a plan in place for what to do with alerts your SIEM sends your way.
If 287 days sounds like too long for a data breach lifecycle, you’re right. SIEMs can help reduce financial and reputation risks throughout that time.
If you need help selecting a SIEM or separating its perceived noise from actionable alerts, consider contacting Integrity Technology Solutions for help.
