{"id":56612,"date":"2023-01-17T11:00:32","date_gmt":"2023-01-17T09:00:32","guid":{"rendered":"https:\/\/www.cocus.com\/?p=56612"},"modified":"2024-06-04T16:59:29","modified_gmt":"2024-06-04T14:59:29","slug":"threat-detection-enterprise-security-siem","status":"publish","type":"post","link":"https:\/\/www.cocus.com\/en\/threat-detection-enterprise-security-siem\/","title":{"rendered":"Threat Detection 101: Corporate Security with Detection and Security Information & Event Management (SIEM)"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tThreat detection? What is it, who needs it and how do you implement it? \n

\nAttack detection is currently coming to the fore, especially for companies that are operators of critical infrastructures (KRITIS). With its amendment to the BSI Act<\/a> (BSIG) in December 2021, the German Federal Office for Information Security (BSI) obligated all companies with KRITIS to operate their own attack detection systems from May 1, 2023 at the latest. \n

\nBut attack detection is also becoming increasingly important for organizations without critical infrastructure. Malicious and targeted attacks are now both more advanced in execution (example Lockbit – a recurring successful attacker<\/a>) and more severe in their mission-critical consequences. Detection and Security Information & Event Management (SIEM) are thus becoming important components of enterprise security, for any company regardless of size and type of infrastructure.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Why preventive measures are no longer enough <\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tNowadays, topics such as cyber security, data protection and information security are indispensable in the corporate world. Precautions through security-by-design, various security tools such as anti-malware, firewalls or vulnerability scanners, as well as the establishment and operation of an information security management system remain necessary to avoid continuous damage from opportunistic hacker attacks. \n

\nHowever, the systems described are no longer sufficient on their own to guarantee corporate security. The reason for this is often a few individual gaps in the system that are exploited by hackers for initial access to the corporate network.<\/a> The greatest weak point for an attack is the human being.\n

\nIf one imagines the security architecture of a company as a castle that has fully implemented all technical protection measures (for example, drawbridge, steel gates and a moat), one danger still remains: the population. Since each inhabitant of the castle has a password for access, there is a risk that the password may be inadvertently or even intentionally transmitted to attackers, or that the inhabitant himself may become the attacker. Once the castle has been penetrated, even the sturdiest drawbridge and the deepest moat no longer serve as protection. \t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

The consequence for companies and the security industry<\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tApplied to the corporate world of today, this means that social engineering and phishing are a daily problem for all companies. In addition, the issue of insider attackers is also part of everyday life in German companies, i.e., employees who intentionally or unintentionally endanger information security. Many successful attacks are actually carried out with regular accounts, sometimes even with admin accounts. \n

\nFrom here, attackers move around the network like a seemingly legitimate user, identifying and exploiting further vulnerabilities until they finally execute the actual malicious action. The goals of the attack can vary from encrypting important data, exfiltrating sensitive information, to sabotaging systems. \n

\nToday’s world is characterized by a constant arms race to see who can find and close the next security gap first, or exploit it. The term “arms race” also refers to the ongoing battle to see who can execute the next malware undetected or prevent it. Hundreds of thousands of malware variants are sighted every day, and yet there is still the risk of infection by malware that is not yet detected by endpoint protection. \t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

BSIG: This will change for companies as of May 2023 <\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tThe amendments to \u00a78a of the BSIG stipulate that operators of critical infrastructures regulated by the BSIG must implement attack detection systems by May 1, 2023. This implementation must in turn be externally validated and proven to the BSI no later than two years later. \n

\nThe BSIG only roughly specifies what this means in concrete terms: “The systems used for attack detection must continuously and automatically record and evaluate suitable parameters and characteristics from ongoing operations. They should be able to continuously identify and prevent threats and provide appropriate remediation measures for incidents that have occurred.”<\/em>\n

\nFunctionally, such an attack detection system must essentially provide logging, log analysis and detection as well as an appropriate response. In essence, then, we are talking about SIEM systems. \t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

How detection and SIEM systems contribute to attack detection <\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

The basic principle of attack detection is to identify anomalies or traces of attacks. Typically, modern SIEM systems are used for this purpose. A SIEM system aggregates, normalizes and analyzes data against known attack patterns and provides the results to Security Operations Center (SOC) analysts. The SOC analysts can trigger appropriate response processes based on the results. In some cases, these tasks can also be automated so that responses are faster and more efficient. Additionally, a SIEM system informs the relevant people about the current security status of the company. Some simple examples of such events are: <\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t