The Pipeline Attack — Is Log Analysis Enough for Cybersecurity?

Many MSSPs rely on SIEMs and other log management, aggregation and analysis solutions for cybersecurity visibility, but is log analysis enough? We’re hearing more and more about holistic security solutions like XDR platforms that claim to cover the entire attack surface, especially because the latest pipeline attack reinforced the compound nature of today’s sophisticated multi-stage cyberattacks. The attackers admitted they did not expect their attack to shut down the pipeline, but the result has been devastating. Let’s take a quick look at what we get from logs, and what we don’t get from logs.

Logs by their very nature are a view into the past. They give us visibility into the activity of file and application servers, user management systems like Active Directory, e-mail servers, and other tools. When the logs are properly correlated and analyzed, we can see when anomalies occurred in these systems, but only after the fact.

But what about previously unseen malware? If no threat intelligence source has a reputation for a ransomware binary, a purely reputation-based lookup cannot flag it. Detection is then left waiting until the malware has spread far enough through the environment to trip multiple alerts, by which point a significant portion of the environment is already infected.

So, how do we gain this greater visibility? First, instead of just ingesting raw logs, we need to pull the security metadata (file hashes, process lineage, hosts, users) out of those logs from multiple sources. Next, we need to run that metadata past multiple threat intelligence feeds. If there is no hit on the file from threat intelligence, there needs to be an automated way to share that file with a sandbox. Once the sandbox classifies it, that reputation needs to be written back into the event and remembered, so later sightings of the same file are classified immediately rather than detonated again. This is why the idea of XDR pulling these steps together into a single dashboard is becoming such a hot topic: complex attacks are not easy to see with siloed teams and tools.
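The workflow above, as an added illustration written for this article (not Stellar Cyber product code): it parses key=value process events, checks the file hash against two threat intelligence feeds, sends hashes with no reputation to a sandbox, classifies the sandbox’s behaviour report, and writes the verdict back into the event. The log lines, hashes, feed contents and the sandbox’s behaviour reports are all constructed in-memory so the script runs offline; a real deployment would replace FakeSandbox with a detonation service and the dict feeds with live feed lookups.

```python
"""Log-to-verdict enrichment: TI lookup, sandbox fallback, reputation cache."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed Sysmon-style events written as key=value text for this example.
# Hashes are made-up placeholders, not real sample hashes.
RAW_LOGS = [
    "ts=2021-05-10T08:01:02Z host=ws-17 event=ProcessCreate image=invoice.exe sha256=1111aaaa parent=outlook.exe",
    "ts=2021-05-10T08:01:09Z host=ws-17 event=ProcessCreate image=vssadmin.exe sha256=2222bbbb parent=invoice.exe",
    "ts=2021-05-10T08:03:40Z host=ws-22 event=ProcessCreate image=invoice.exe sha256=1111aaaa parent=explorer.exe",
    "ts=2021-05-10T08:04:00Z host=ws-22 event=ProcessCreate image=mimi.exe sha256=3333cccc parent=cmd.exe",
    "ts=2021-05-10T08:05:00Z host=ws-22 event=NetworkConnect dst=10.0.0.5 dport=445",
]

# Two constructed threat-intel feeds keyed by SHA-256. Neither knows invoice.exe.
FEEDS: List[Tuple[str, Dict[str, str]]] = [
    ("feed-a", {"3333cccc": "malicious:credential-dumper"}),
    ("feed-b", {"2222bbbb": "benign:signed-windows-binary"}),
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Pull the security-relevant fields out of one key=value log line."""
    return dict(KV_RE.findall(line))


class FakeSandbox:
    """Stand-in for a detonation sandbox: returns canned behaviour reports."""

    REPORTS = {
        "1111aaaa": ["mass_file_rename", "drops_ransom_note", "deletes_shadow_copies"],
    }

    def detonate(self, sha256: str) -> List[str]:
        return self.REPORTS.get(sha256, [])


RANSOMWARE_BEHAVIOURS = {"mass_file_rename", "drops_ransom_note", "deletes_shadow_copies"}


def classify(behaviours: List[str]) -> str:
    """Turn a sandbox behaviour report into a reputation string."""
    hits = RANSOMWARE_BEHAVIOURS & set(behaviours)
    if len(hits) >= 2:
        return "malicious:ransomware"
    if hits:
        return "suspicious:partial-ransomware-behaviour"
    return "benign:no-malicious-behaviour"


@dataclass
class EnrichmentPipeline:
    feeds: List[Tuple[str, Dict[str, str]]]
    sandbox: FakeSandbox
    local_reputation: Dict[str, str] = field(default_factory=dict)
    detonations: int = 0

    def reputation(self, sha256: str) -> Tuple[str, str]:
        """Return (verdict, source); detonate only when no feed has an answer."""
        if sha256 in self.local_reputation:
            return self.local_reputation[sha256], "local-cache"
        for name, feed in self.feeds:
            if sha256 in feed:
                return feed[sha256], name
        self.detonations += 1
        verdict = classify(self.sandbox.detonate(sha256))
        self.local_reputation[sha256] = verdict  # later sightings hit the cache
        return verdict, "sandbox"

    def enrich(self, line: str) -> Dict[str, str]:
        """Attach a reputation to any event that carries a file hash."""
        event = parse_event(line)
        if "sha256" in event:
            verdict, source = self.reputation(event["sha256"])
            event["reputation"] = verdict
            event["reputation_source"] = source
        return event

    def run(self, lines: List[str]) -> List[Dict[str, str]]:
        return [self.enrich(line) for line in lines]


def build_pipeline() -> EnrichmentPipeline:
    return EnrichmentPipeline(feeds=FEEDS, sandbox=FakeSandbox())


def alerts(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Events an analyst should see: anything whose reputation is malicious."""
    return [e for e in events if e.get("reputation", "").startswith("malicious")]


if __name__ == "__main__":
    pipeline = build_pipeline()
    for e in pipeline.run(RAW_LOGS):
        print(e.get("ts"), e.get("host"), e.get("image"),
              e.get("reputation", "-"), e.get("reputation_source", "-"))
    print("sandbox detonations:", pipeline.detonations)
```

Run against the constructed events, the first execution of invoice.exe on ws-17 is classified as ransomware from the sandbox verdict at 08:01:02, before the same file runs on ws-22; that second sighting is served from the local cache, so the sandbox is called exactly once. The cache is the part that matters operationally: without it, every host that runs the same unknown binary triggers another detonation and the verdict arrives later each time.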

Ultimately, this automation would significantly simplify the workflow for the SOC analyst. They could focus on correlated events instead of waiting for a situation to generate enough alerts to get their attention. This will significantly reduce the mean time to detect (MTTD). Armed with the right information they can also act quickly, reducing the mean time to respond (MTTR).

Logs have their place in cybersecurity from a compliance perspective. But if you are relying on logs alone for analysis and remediation, you’re missing a big opportunity to leverage automation and visibility across tools and detections to improve your security posture and reduce the possibility of an attack that could significantly affect your business operations.

You can see how MSSPs are leveraging Stellar Cyber’s “Open” XDR to drive high-margin revenue here, or reach out to me directly at brian@stellarcyber.ai.


Stellar Cyber’s Open XDR platform delivers Everything Detection and Response by unifying all currently disjointed security tools and data sources.
