
Log Data Dependency | Growing vulnerability to threat actors

No one uses logs to build a house anymore, so why does the cybersecurity industry keep selling them to you?

Are you sure that log files are the best source of information on which to base your entire cybersecurity program?

Log data is the cornerstone of all traditional cybersecurity platforms, including SIEM (Security Information and Event Management), UEBA (User and Entity Behavior Analytics), and xDR (Detection and Response).

Using log-based tools for cybersecurity is a bit like living in a log cabin in the 21st century.

Log cabins have provided shelter and warmth to millions of people for many years, but (almost) no one wants to live in a log cabin today, and you don’t see them lining the streets of the suburbs. Why is that? It’s quite simple: modern homes are equipped with technological upgrades that make them much safer, more efficient, and more cost-effective than a log cabin.

The same goes for log data when it comes to cybersecurity. Just as a log cabin provides some shelter but is far less impervious to the elements, log data gives you only some protection against threats and is hardly an acceptable solution for modern cyber defense. Using log data as the sole source of truth for your cybersecurity program is a dangerous gamble.

Background: Fundamental flaws in log-based cybersecurity

Logs are time-stamped files that create audit trails for system events by recording information about behaviors and identifiers such as application type or IP address. Log files make it easy to extract relevant information about single events. A few decades ago, log files provided a level of knowledge that security analysts did not previously have, but today we need to consider what log files exclude.

The threat landscape has changed dramatically in recent years. For example, the Ponemon Institute recently found that 42% of attacks next year will be zero-day attacks never seen before, and that currently 80% of successful breaches occur due to attacks never seen before. Security systems that depend on analyzing log files to identify threats are among the most vulnerable, leaving organizations in a dangerous position.

“42% of all attacks next year will be zero-day attacks”

The Ponemon Institute

“You’re going to miss a significant percentage of everything,” says Geoff Coulehan, head of strategic alliances at MixMode. “Logs provide relevant information primarily for research, investigation and after-the-fact audit functions, but exclude detailed information deemed unnecessary or irrelevant to this application. However, details are critically important to dealing with modern cyber threats in real time, ahead of replication, lateral movement and exfiltration.”

But who can say what information is really unnecessary? It would be impossible to confidently assess a company’s true security threat posture based on the inherently limited reach of log-based security platforms. Information is often deemed irrelevant to a specific application or operation and excluded from the basic log-based analysis performed by traditional security tools today.

A true correlative analysis of all behavior in an environment relies on a complete picture that goes beyond simple log-based analyses. This is a fundamental failure of cybersecurity platforms that rely on log data, and it cannot be overcome by aggregation, consolidation or standardization. The data literally does not exist because it has been filtered out from the start.

Next week, we’ll continue this discussion by delving into SIEM and proprietary log data, SIEM hidden costs, and other SIEM limitations.
