Many MSSPs use SIEMs and other log management, aggregation and analysis solutions for cybersecurity visibility, but is log analysis enough? We are hearing more and more about holistic security solutions such as XDR platforms that claim to cover the entire attack surface, especially because the latest pipeline attack reinforced the compound nature of today's sophisticated multi-stage cyberattacks. The attackers admitted they did not expect their attack to shut down the pipeline, but the result has been devastating. Let's take a quick look at what we get from logs, and what we don't get from logs.
Logs by their very nature are a view into the past. They give us visibility into the activity of file and application servers, user management systems like Active Directory, e-mail servers, and other tools. When the logs are properly correlated and analyzed, we can know when anomalies occur in these systems.
But what about zero-day attacks? If there is no reputation for a ransomware file, how do you detect it? With reputation-based detection alone, you can't: the file stays invisible until it has proliferated in your environment to the point where it is noticeable through multiple alerts, AFTER it has infected a significant portion of your environment.
So, how do we gain this greater visibility? First, instead of just ingesting raw logs, we need to consider how to pull the security metadata (file hashes, names, users, timestamps) out of those logs from multiple sources. Next, we need to run that data past multiple threat intelligence feeds. If there is no hit on the file from threat intelligence, there needs to be an automated way to share that file with a sandbox. Once the sandbox classifies it, that verdict needs to be written back into the event, so every sighting of the file across sources carries the same reputation. This is why the idea of XDR pulling these steps together into a single dashboard is becoming such a hot topic: complex attacks are not easy to see with siloed teams and tools.
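The enrichment workflow described above, as an added example that is not code from the original post or from any XDR vendor: it normalizes two constructed log formats (key=value from a file server, JSON from a mail gateway), checks each file hash against simulated threat-intel feeds, sends hashes with no intel hit to a simulated sandbox exactly once, writes the verdict back into every event, and then correlates sightings by hash so the first sighting across all sources is visible. All hashes, log lines, feed contents and sandbox verdicts are hypothetical; a real deployment would replace the `SANDBOX_VERDICTS` lookup with the sandbox's own submission API.

```python
import json
import re
from collections import defaultdict

# --- Constructed sample data (hypothetical: not real telemetry, feeds or verdicts) ---
H_KNOWN_BAD = "11" * 32   # hash already present in a threat-intel feed
H_UNKNOWN   = "22" * 32   # hash unknown to intel; the sandbox will flag it
H_BENIGN    = "33" * 32   # hash unknown to intel; the sandbox says clean

# Two sources, two formats: key=value lines from a file server, JSON from a mail gateway.
SAMPLE_LOGS = [
    f"ts=2021-05-10T09:01:12Z src=fileserver user=jdoe action=write name=invoice.exe sha256={H_KNOWN_BAD}",
    f"ts=2021-05-10T09:03:40Z src=fileserver user=asmith action=write name=update.scr sha256={H_UNKNOWN}",
    json.dumps({"ts": "2021-05-10T08:58:02Z", "src": "mailgw", "rcpt": "asmith",
                "attachment": "update.scr", "sha256": H_UNKNOWN}),
    json.dumps({"ts": "2021-05-10T09:10:00Z", "src": "mailgw", "rcpt": "jdoe",
                "attachment": "report.pdf", "sha256": H_BENIGN}),
    "ts=2021-05-10T09:12:30Z src=fileserver user=jdoe action=read name=notes.txt",  # no hash: nothing to enrich
]

# Simulated threat-intel feeds: each feed is a set of known-bad hashes.
TI_FEEDS = {"feed_a": {H_KNOWN_BAD}, "feed_b": set()}

# Simulated sandbox verdicts; stands in for a real sandbox submission API.
SANDBOX_VERDICTS = {H_UNKNOWN: "malicious", H_BENIGN: "benign"}

KV_RE = re.compile(r"(\w+)=(\S+)")
SHA256_RE = re.compile(r"[0-9a-f]{64}")


def parse_line(line):
    """Normalize one raw log line to a common event dict; None if it carries no file hash."""
    line = line.strip()
    fields = json.loads(line) if line.startswith("{") else dict(KV_RE.findall(line))
    sha = fields.get("sha256")
    if not sha or not SHA256_RE.fullmatch(sha):
        return None
    return {"ts": fields.get("ts", ""), "src": fields.get("src", "unknown"), "sha256": sha,
            "name": fields.get("name") or fields.get("attachment"),
            "subject": fields.get("user") or fields.get("rcpt")}


class Enricher:
    def __init__(self, feeds, sandbox):
        self.feeds = feeds
        self.sandbox = sandbox      # callable: sha256 -> verdict string
        self.cache = {}             # sha256 -> (verdict, provenance); each hash resolved once
        self.submissions = []       # hashes actually sent to the sandbox

    def reputation(self, sha):
        if sha in self.cache:
            return self.cache[sha]
        for name, bad in self.feeds.items():      # intel first: cheap and immediate
            if sha in bad:
                self.cache[sha] = ("malicious", f"ti:{name}")
                return self.cache[sha]
        self.submissions.append(sha)               # no hit anywhere: detonate once, remember the verdict
        self.cache[sha] = (self.sandbox(sha), "sandbox")
        return self.cache[sha]

    def enrich(self, lines):
        """Parse every line and attach verdict + provenance to each event that has a hash."""
        events = []
        for line in lines:
            ev = parse_line(line)
            if ev is None:
                continue
            ev["verdict"], ev["verdict_source"] = self.reputation(ev["sha256"])
            events.append(ev)
        return events


def correlate(events):
    """Group enriched events by hash so one verdict covers every sighting across sources."""
    by_hash = defaultdict(list)
    for ev in events:
        by_hash[ev["sha256"]].append(ev)
    summary = {}
    for sha, evs in by_hash.items():
        evs.sort(key=lambda e: e["ts"])            # ISO-8601 timestamps sort lexically
        summary[sha] = {"verdict": evs[0]["verdict"], "verdict_source": evs[0]["verdict_source"],
                        "first_seen": evs[0]["ts"], "sources": sorted({e["src"] for e in evs}),
                        "sightings": len(evs)}
    return summary


def run(lines=SAMPLE_LOGS):
    enricher = Enricher(TI_FEEDS, lambda sha: SANDBOX_VERDICTS.get(sha, "unknown"))
    return correlate(enricher.enrich(lines)), enricher.submissions


if __name__ == "__main__":
    summary, submitted = run()
    for sha, s in summary.items():
        if s["verdict"] == "malicious":
            print(f"{sha[:12]}... {s['verdict']} via {s['verdict_source']}, first seen {s['first_seen']} "
                  f"on {', '.join(s['sources'])} ({s['sightings']} sightings)")
    print("sandbox submissions:", len(submitted))
```

Two things the output shows that the raw logs alone do not: the mail gateway saw `update.scr` several minutes before the file server did, so the correlated first-seen time, not the time of the first alert, is what drives MTTD; and a hash is sandboxed only once no matter how many sources report it, which is what keeps the sandbox step cheap enough to automate.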
Ultimately, this automation would significantly simplify the workflow for the SOC analyst. Analysts could focus on correlated events instead of waiting for a situation to generate enough alerts to gain their attention, which significantly reduces the MTTD. Armed with the right information, they can also act quickly, reducing the MTTR.
Logs have their place in cybersecurity, from a compliance perspective and as the forensic record. But if you are relying on logs alone for analysis and remediation, you are missing a big opportunity to leverage automation and visibility across tools and detections to improve your security posture and reduce the possibility of an attack that could significantly affect your business operations.