How To Prevent Cyber Attacks with Logging & Monitoring
Detecting and preventing cyber incidents
Adam Gleeson, Vendor Alliance Manager at CyberLab, explores how logging and monitoring can help your organisation in the detection of cyber threats and securing your digital landscape. He covers:
- Why do we need logging and monitoring?
- How do we do logging and monitoring?
- Identifying the right solution
- Our Recommendations
Cyber security is a big concern for businesses today. Over the past year alone, nearly half a million businesses reported cyber incidents. As our workplaces and digital systems grow, so does the chance of cyberattacks. These attacks are getting smarter, and as a result, the risk of being targeted is increasing.
Why do we need Logging & Monitoring?
The dark web has become hugely commoditised, and it is now very likely that multiple cyber criminals will become aware that you are vulnerable. This happens when one attacker, called an access broker, gains access to your environment and then sells that access to multiple other attackers. Their goal? Making money, causing chaos, stealing secrets, and holding your data hostage.
The risk and cost for organisations that fall victim to cyber attacks are also increasing. The results of cyber attacks are often downtime, disruption and data loss. There are also other consequences many organisations face, such as damage to reputation, hefty fines for compromised data, loss of trust from valued customers, and even the loss of hard-earned certifications.
While it might seem like a digital doomsday out there, here’s the secret: cyber attacks leave footprints. The art of prevention lies in spotting these traces before the attack compromises your systems and data. It’s like catching a thief in the act before they can make off with the loot. If you can detect unauthorised activity before damage is done, you can stop or prevent the attack being successful and limit the damage. That’s where logging and monitoring solutions come in.
They have a secondary function as well: anyone who has suffered a cyber attack will tell you that, even after the initial detection of something untoward, it can be really difficult to feel confident that you can see the whole picture and are aware of everything that is going on. Logging and monitoring helps with that as well.
How do you do Logging & Monitoring?
In even relatively small IT environments, the volume of log information generated is overwhelming, especially if it is scattered across multiple environments such as public cloud, private cloud and SaaS.
The first challenge? Gathering all these pieces into a single, meaningful picture. Endpoint Detection & Response and eXtended Detection and Response (EDR/XDR) and Security Information and Event Management (SIEM) solutions provide this central location to collate and view the log information from multiple sources.
So, you’ve got all your puzzle pieces in one place, but they’re still just random bits until you put them together. That’s where the real magic happens: processing. EDR/XDR and SIEM solutions typically sift through the sea of data to filter out the ‘noise’.
Solutions such as LogPoint leverage some form of AI or ML intelligence to give an indication of how likely a particular event is to be related to malicious activity. LogPoint’s version is called UEBA, which stands for User Entity Behaviour Analytics. UEBA uses AI and ML to correlate multiple events and link related ones together to give a fuller picture than looking at individual events in isolation.
EDR/XDR solutions usually do something similar, but typically the events they correlate are limited to information coming from endpoint security or proprietary network devices. LogPoint and other SIEMs tend to have a much broader scope of interoperability and can pull event information from pretty much anywhere it is being generated.
How Do I Know Which Solution Is Right?
It can be difficult to know which solution is right for your organisation, and it’s often a case of selecting the one that fulfils your needs best. If you don’t need to monitor extensive hardware devices, websites, databases, etc., then an EDR/XDR solution might be for you. If you have multiple databases, or databases that hold sensitive information, it’s probably a good idea to watch them closely via a SIEM solution, as they will be a prime target for an attacker.
With both types of solution, the information still needs to be monitored by a human. LogPoint mitigates this through its Security Orchestration and Response (SOAR) technology, which aims to take automated action based on certain triggers when particular activity is detected. EDR/XDR solutions often have similar functionality, but it’s probably fair to say it is not quite as extensive or complex as a SIEM solution’s.
These automated response solutions are great, but they can also be incredibly disruptive if given free rein over systems. Very quickly users will be complaining that they cannot carry out their duties because things are being blocked. This brings me to the final challenge with logging and monitoring: it invariably means a security specialist with “eyes-on-glass” (i.e., watching the screen) is necessary to manage both types of solution effectively.
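As an added example (not code from CyberLab, LogPoint or any product named above), the two ideas in the last few paragraphs put together: the correlation step, where events from several sources are linked per user inside a time window and scored as a chain rather than in isolation, and the tiered response, where a chain only triggers an automated block when its score is high and corroborated by more than one source, and otherwise just goes to an analyst. The log format, event names, weights and thresholds are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample log lines from three sources; assumed format: "<ISO time> <source> <user> <event> k=v ...".
SAMPLE_LOGS = """\
2024-05-01T08:55:10 vpn alice login_success country=GB
2024-05-01T09:02:30 vpn bob login_success country=GB
2024-05-01T09:05:00 vpn bob login_success country=RU
2024-05-01T09:06:45 endpoint bob new_admin_tool
2024-05-01T09:08:10 database bob bulk_export rows=250000
2024-05-01T09:10:00 endpoint alice new_admin_tool
"""
# Illustrative weights: alone, each event stays below ALERT (it is "noise"); a chain can exceed it.
WEIGHTS = {"login_success": 0, "new_admin_tool": 30, "bulk_export": 40}
WINDOW = timedelta(minutes=15)             # events further apart than this are not linked
ALERT, BLOCK, COUNTRY_CHANGE = 50, 80, 30  # response thresholds; bonus for a login from a new country

def parse(text):
    events = []
    for line in text.strip().splitlines():
        ts, source, user, event, *kv = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "source": source, "user": user,
                       "event": event, "attrs": dict(a.split("=", 1) for a in kv)})
    return sorted(events, key=lambda e: e["ts"])

def score(user, chain):
    total, seen = 0, set()
    for e in chain:
        total += WEIGHTS.get(e["event"], 0)
        country = e["attrs"].get("country")
        if country:                        # a login from a country not seen earlier in the chain
            total += COUNTRY_CHANGE if seen and country not in seen else 0
            seen.add(country)
    return {"user": user, "score": total, "events": [e["event"] for e in chain],
            "sources": sorted({e["source"] for e in chain})}

def correlate(events):
    """Link each user's events that fall within WINDOW of the previous one into one chain."""
    chains = {}                            # user -> list of chains (each a list of events)
    for e in events:
        user_chains = chains.setdefault(e["user"], [[]])
        if user_chains[-1] and e["ts"] - user_chains[-1][-1]["ts"] > WINDOW:
            user_chains.append([])         # gap too long: start a new chain
        user_chains[-1].append(e)
    return [score(u, c) for u, cs in chains.items() for c in cs]

def respond(chain):
    # Tier the action: only a high score corroborated by more than one source blocks automatically.
    if chain["score"] >= BLOCK and len(chain["sources"]) > 1:
        return "block_user"                # automated containment
    if chain["score"] >= ALERT:
        return "alert_analyst"             # eyes-on-glass review before anything disruptive
    return "log_only"
```

On the sample data alice's chain scores 30 (a lone admin-tool event) and is only logged, while bob's login from a second country, new admin tool and bulk database export together score 100 across three sources and trigger the block.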
Again, the approach to take to manage this final challenge depends on any number of factors – the size of the business, the driving forces behind the adoption of logging and monitoring, the desire for Opex over Capex, or the constant problem of finding skilled cyber security staff, to name just a few.
What would I recommend?
If you don’t already have the skills in house but can see the value and importance of logging and monitoring, follow the trend I am increasingly seeing with my customers and adopt a managed service approach, using third-party suppliers with dedicated security specialist teams to do the hard work for you. Plus, and this is probably one of the most important things to me, it allows you to sleep at night knowing your systems are being actively protected 24/7.
If you haven’t done so already, our Posture Assessment tool is a quick-and-easy way to identify your strengths and weaknesses, and get a better picture of your overall security posture.
We have put together a page of recommendations for improving your Logging and Monitoring, and which tools can help, which you can read here.
If you’d like to learn more about how to secure your organisation and keep your data secure, book a consultation with one of our experts.
Featured in this Episode
Cyber Security Consultant, Sophos
Kostandino Kustas
With 15 years of experience in a variety of technical IT roles, and with a passion for anything tech-related, Kosta joined Sophos 4 years ago with the view to help organisations (big or small) face the ever-evolving security threats that continue to disrupt the digital world.
Regional Director, MSP & Strategic Accounts, EMEA
Matthew Rhodes
Matthew has been with Logpoint for two years. Logpoint help arm cyber security professionals with automation and precision to solve complex cybersecurity issues and efficiently mitigate threats, resulting in a safer organisation.
Cyber Security Vendor Alliance Manager, CyberLab
Adam Gleeson
Adam has a passion for IT and cyber security. With over 15 years of experience in the industry, Adam’s resume boasts a wealth of knowledge around keeping businesses cyber secure.