
Threat Detection 101: Corporate Security with Detection and Security Information & Event Management (SIEM)

Threat detection? What is it, who needs it and how do you implement it?

Attack detection is currently coming to the fore, especially for companies that operate critical infrastructures (KRITIS). With the 2021 amendment to the BSI Act (BSIG), the legislature obligated all KRITIS operators to run their own attack detection systems from May 1, 2023 at the latest; the German Federal Office for Information Security (BSI) is the authority to which compliance has to be demonstrated.

But attack detection is also becoming increasingly important for organizations without critical infrastructure. Malicious and targeted attacks are now both more advanced in execution (LockBit, for example, is a ransomware operation that keeps succeeding against new victims) and more severe in their mission-critical consequences. Detection and Security Information & Event Management (SIEM) are thus becoming important components of enterprise security, for any company regardless of size and type of infrastructure.

Why preventive measures are no longer enough

Nowadays, topics such as cyber security, data protection and information security are indispensable in the corporate world. Precautions through security-by-design, various security tools such as anti-malware, firewalls or vulnerability scanners, as well as the establishment and operation of an information security management system remain necessary to avoid continuous damage from opportunistic hacker attacks.

However, the systems described are no longer sufficient on their own to guarantee corporate security. The reason for this is often a few individual gaps in the system that are exploited by hackers for initial access to the corporate network. The greatest weak point for an attack is the human being.

If one imagines the security architecture of a company as a castle that has fully implemented all technical protection measures (for example, drawbridge, steel gates and a moat), one danger still remains: its inhabitants. Since each inhabitant of the castle has a password for access, there is a risk that the password may be inadvertently or even intentionally handed to attackers, or that the inhabitant himself becomes the attacker. Once the castle has been penetrated, even the sturdiest drawbridge and the deepest moat no longer offer protection.

The consequence for companies and the security industry

Applied to the corporate world of today, this means that social engineering and phishing are a daily problem for all companies. In addition, the issue of insider attackers is also part of everyday life in German companies, i.e., employees who intentionally or unintentionally endanger information security. Many successful attacks are actually carried out with regular accounts, sometimes even with admin accounts.

From here, attackers move around the network like a seemingly legitimate user, identifying and exploiting further vulnerabilities until they finally execute the actual malicious action. The goals of the attack can vary from encrypting important data, exfiltrating sensitive information, to sabotaging systems.

Today’s world is characterized by a constant arms race to see who can find and close the next security gap first, or exploit it. The term “arms race” also refers to the ongoing battle to see who can execute the next malware undetected or prevent it. Hundreds of thousands of malware variants are sighted every day, and yet there is still the risk of infection by malware that is not yet detected by endpoint protection.

BSIG: This will change for companies as of May 2023

The amended §8a of the BSIG stipulates that operators of critical infrastructures regulated by the BSIG must implement attack detection systems by May 1, 2023. The implementation must then be validated by an external audit and proven to the BSI no later than two years after that.

The BSIG only roughly specifies what this means in concrete terms: “The systems used for attack detection must continuously and automatically record and evaluate suitable parameters and characteristics from ongoing operations. They should be able to continuously identify and prevent threats and provide appropriate remediation measures for incidents that have occurred.”

Functionally, such an attack detection system must provide logging, log analysis and detection as well as an appropriate response. In essence, then, we are talking about a SIEM system together with the operational processes that act on its findings.

How detection and SIEM systems contribute to attack detection

The basic principle of attack detection is to identify anomalies or traces of attacks. Typically, modern SIEM systems are used for this purpose. A SIEM system aggregates, normalizes and analyzes data against known attack patterns and provides the results to Security Operations Center (SOC) analysts. The SOC analysts can trigger appropriate response processes based on the results. In some cases, these tasks can also be automated so that responses are faster and more efficient. Additionally, a SIEM system informs the relevant people about the current security status of the company. Some simple examples of such events are:

These examples are simple and their monitoring should be part of the basic building block of an attack detection system. An effective SIEM also detects atomic indicators down to the process or packet level, structuring its rules along proven frameworks such as MITRE ATT&CK or the Cyber Kill Chain and drawing on current detection patterns from threat intelligence sources.

Such detections do not necessarily have to represent an attack, but can result from errors or simply legitimate yet unusual usage scenarios. Therefore, these cases must be examined in detail. Modern SIEM systems provide important support for this: they correlate data from other log sources to such events or offer functions to obtain further information on such events. This enables the security analyst to decide more quickly and reliably whether an actual attack has occurred.
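As an added illustration of the two steps just described (normalizing and analyzing data against an attack pattern, then correlating a hit with a second log source before the analyst decides), the following Python script is not code from the original post or from COCUS. It parses two constructed log sources, an sshd auth log in syslog layout and a key=value VPN gateway log, into one common event schema, runs a single rule (several failed logins from one IP followed by a success), and enriches each hit with the VPN log so that a user fumbling their own password is separated from an external brute force. The log lines, host names, IP addresses, the year assumed for the syslog timestamps, the thresholds and the severity labels are all assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

ASSUMED_YEAR = 2024  # syslog lines carry no year; assumed for this example

# Constructed sshd auth log (syslog layout); not from a real host.
SSH_LOG = """\
Mar  3 09:12:01 srv1 sshd[4012]: Failed password for alice from 203.0.113.7 port 51022 ssh2
Mar  3 09:12:03 srv1 sshd[4012]: Failed password for alice from 203.0.113.7 port 51023 ssh2
Mar  3 09:12:05 srv1 sshd[4012]: Failed password for alice from 203.0.113.7 port 51024 ssh2
Mar  3 09:12:08 srv1 sshd[4012]: Failed password for alice from 203.0.113.7 port 51026 ssh2
Mar  3 09:12:10 srv1 sshd[4013]: Accepted password for alice from 203.0.113.7 port 51027 ssh2
Mar  3 09:30:00 srv1 sshd[4020]: Failed password for bob from 198.51.100.9 port 40001 ssh2
Mar  3 09:30:02 srv1 sshd[4020]: Failed password for bob from 198.51.100.9 port 40002 ssh2
Mar  3 09:30:04 srv1 sshd[4021]: Accepted password for bob from 198.51.100.9 port 40003 ssh2
Mar  3 10:00:00 srv1 sshd[4101]: Failed password for root from 192.0.2.44 port 33001 ssh2
Mar  3 10:00:01 srv1 sshd[4101]: Failed password for root from 192.0.2.44 port 33002 ssh2
Mar  3 10:00:02 srv1 sshd[4101]: Failed password for root from 192.0.2.44 port 33003 ssh2
Mar  3 10:00:03 srv1 sshd[4101]: Failed password for root from 192.0.2.44 port 33004 ssh2
Mar  3 10:00:05 srv1 sshd[4102]: Accepted password for root from 192.0.2.44 port 33005 ssh2
"""

# Constructed VPN gateway log in a different (key=value) layout.
VPN_LOG = """\
2024-03-03T09:11:50Z vpn-gw user=alice action=connect assigned_ip=203.0.113.7
2024-03-03T09:29:55Z vpn-gw user=bob action=connect assigned_ip=198.51.100.9
"""

SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_ssh_log(text):
    """Normalize sshd lines into the common schema: ts, source, user, src_ip, outcome."""
    events = []
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if not m:
            continue  # lines the rule does not need are skipped, not an error
        ts = datetime.strptime(f"{ASSUMED_YEAR} {' '.join(m['ts'].split())}",
                               "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "source": "sshd", "user": m["user"], "src_ip": m["ip"],
                       "outcome": "success" if m["outcome"] == "Accepted" else "failure"})
    return events


def parse_vpn_log(text):
    """Normalize key=value VPN lines into the same schema (plus assigned_ip)."""
    events = []
    for line in text.splitlines():
        ts_raw, _host, *pairs = line.split()
        kv = dict(p.split("=", 1) for p in pairs)
        events.append({"ts": datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ"), "source": "vpn",
                       "user": kv["user"], "assigned_ip": kv["assigned_ip"], "outcome": kv["action"]})
    return events


def detect_bruteforce_then_success(events, threshold=4, window=timedelta(minutes=5)):
    """Rule: at least `threshold` failures from one IP inside `window`, then a success."""
    alerts = []
    failures = defaultdict(deque)  # src_ip -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = failures[ev["src_ip"]]
        while q and ev["ts"] - q[0] > window:  # expire failures that fell out of the window
            q.popleft()
        if ev["outcome"] == "failure":
            q.append(ev["ts"])
        elif ev["outcome"] == "success" and len(q) >= threshold:
            alerts.append({"rule": "bruteforce_then_success", "ts": ev["ts"],
                           "user": ev["user"], "src_ip": ev["src_ip"], "failures": len(q)})
            q.clear()
    return alerts


def correlate_with_vpn(alerts, vpn_events, lookback=timedelta(hours=1)):
    """Enrich each alert with VPN context so the analyst can triage it."""
    enriched = []
    for alert in alerts:
        sessions = [v for v in vpn_events if v["assigned_ip"] == alert["src_ip"]
                    and v["outcome"] == "connect"
                    and alert["ts"] - lookback <= v["ts"] <= alert["ts"]]
        alert = dict(alert)
        if sessions and all(s["user"] == alert["user"] for s in sessions):
            alert["severity"], alert["context"] = "low", "source IP is the user's own VPN session"
        elif sessions:
            users = ", ".join(sorted({s["user"] for s in sessions}))
            alert["severity"], alert["context"] = "high", f"source IP is another user's VPN session ({users})"
        else:
            alert["severity"], alert["context"] = "high", "no VPN session for source IP; external brute force"
        enriched.append(alert)
    return enriched


def run():
    """Full pipeline over the constructed sample data; returns the enriched alerts."""
    return correlate_with_vpn(detect_bruteforce_then_success(parse_ssh_log(SSH_LOG)),
                              parse_vpn_log(VPN_LOG))
```

Calling `run()` yields two alerts: alice's login is downgraded to low because the VPN log ties the source IP to her own session a few seconds earlier, while the root login from 192.0.2.44 stays high because no other source explains that IP. bob's two failures stay below the threshold and produce nothing. The three functions correspond to what a SIEM product does as ingestion/normalization, correlation rules and enrichment; in practice the rule logic lives in the product's query language rather than in Python, but the shape of the decision is the same.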

We support you

By implementing a SIEM system, a company puts itself in a position to detect attacks, including advanced ones, as early as possible. For KRITIS companies, these systems are the recommended way to comply with the legal requirement that applies from 01.05.2023. COCUS AG supports companies in introducing SIEM systems, in optimizing existing implementations, and in migrating from older SIEM systems to more modern ones.

We support you across the whole range of topics concerning the security of your business.
