Recently, I’ve observed an interesting trend in the news cycle: two parallel streams of news popping up in our subscribed media channels around (1) COVID-19 wrecking the human race and (2) attackers being on a spree to wreck industries. While medical professionals and researchers are busy combating the devastation caused by COVID-19, cybersecurity professionals are equally engaged in managing the data security risks caused by the many types of cyber attacks launched during this tumultuous time.

CRN news reports that, “more than 3.2 million records were exposed in the 10 biggest data breaches in the first half of 2020, with eight of the top 10 breaches occurring at medical or health-care organizations.” Businesses are also seeing a shift in the way they operate due to the challenges that come with remote and home-bound workforces, vendors and partners. The emerging supply chain is led by the remote, internet, and cloud-based digital economy.

Predictably, data profiles are increasingly diversifying as they move through various applications, platforms and environments. The diversification of data profiles across disparate technologies and geographies increases the inherent data security risks enterprises face. Now, the variance in human behaviour fuelled by working remotely significantly adds to the attack surface.

Organisations experience one or more data breaches over their life cycles, and these breaches mostly go unnoticed until the resulting data loss hurts the business in a noticeable way. Fundamentally, a ‘data breach’ is any successful acquisition of confidential, sensitive and/or PII data by an unauthorised user that leaves no apparent trace in the data dynamics. ‘Data loss’ refers to the alarm that wakes the business up, because of the more direct impacts caused by the compromise of any or all of the ‘confidentiality – integrity – availability’ triad.


CISOs, CSOs and CROs are having a hard time dealing with the increasing number of cybersecurity breaches and losses in the pandemic-driven business transformation. The IBM Cost of a Data Breach Report cites that "CISOs are being faulted for breaches, despite limited decision-making power. 46% of respondents said their CISO/CSO was ultimately responsible for the breach, despite only 27% stating the CISO/CSO is the security policy and technology decision-maker".

Though the stigma of requesting investment in security management technologies and tools from the board has been lifted, decision makers are struggling to clearly see a return on the investments (ROI) made. Organizations might have state-of-the-art technologies deployed, but they are still facing a skills shortage in the workforce. Additionally, state-of-the-art technology can only do so much when it comes to preempting and preventing breaches. The IBM Cost of a Data Breach Report states that these breaches cost companies an average of $3.86 million per year globally.

Enterprises are using log management to preempt, prevent, detect and/or contain breaches and losses. Log management is nothing new; it spans a variety of events and activities within the context of risk management. Many organizations implement it as an ad-hoc process driven mostly by vendor-specified and/or default logging recommendations, which lessens the efficiency of the whole process.

Instead of relying on log management alone, enterprises should approach the whole value chain of log management with a ‘design thinking’ approach, keeping in mind the widened attack surface in this new normal. The following is a three-dimensional approach that can be adopted for managing breaches through effective log management:

1. Profile your logs, thresholds and clipping limits: Privileged access logs are commonly reported as one of the prime entry points for attackers. However, there are other key logs that need to be identified, profiled and configured for ongoing analysis, including but not limited to system logs, application logs, API logs, container logs and virtual machine logs. Since working remotely is the new normal, it is critical that remote access logs from the many layers of technologies and systems be monitored intently.

While a balance between risk and spend is essential, the types of logs an organization will capture, the method of collection and the exact condition that raises an alarm must all be specified. Log profiling must then be monitored against a precise determination of the clipping levels that warrant generating an alert.
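As an added illustration of the clipping-level idea in this step (example code, not from the original article), the following Python applies a per-log-source profile to constructed remote-access and privileged-access log lines and raises an alert only when failures reach the profile’s clipping level within its window, so isolated failures stay below the noise floor. The log format, profile values and sample lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample log lines (syslog-like; not from any real system).
SAMPLE_LOGS = """\
2020-07-01T09:00:01 vpn-gw sshd: Failed password for alice from 198.51.100.7
2020-07-01T09:00:09 vpn-gw sshd: Failed password for alice from 198.51.100.7
2020-07-01T09:00:15 vpn-gw sshd: Failed password for alice from 198.51.100.7
2020-07-01T09:00:20 vpn-gw sshd: Failed password for alice from 198.51.100.7
2020-07-01T09:00:31 vpn-gw sshd: Failed password for alice from 198.51.100.7
2020-07-01T09:00:40 vpn-gw sshd: Accepted password for alice from 198.51.100.7
2020-07-01T09:02:00 vpn-gw sshd: Failed password for bob from 203.0.113.5
2020-07-01T09:20:00 vpn-gw sshd: Failed password for bob from 203.0.113.5
2020-07-01T09:05:30 app01 sudo: carol : authentication failure
2020-07-01T09:05:00 app01 sudo: carol : authentication failure
"""

# Assumed profiles per log source: which failures count, the clipping level (count) and the
# window. The numbers are illustrative and must be tuned to the organisation's risk/spend balance.
PROFILES = {
    "sshd": {"pattern": r"Failed password for (\S+) from (\S+)", "clip": 5, "window_s": 60},
    "sudo": {"pattern": r"(\S+) : authentication failure", "clip": 2, "window_s": 300},
}
LINE_RE = re.compile(r"^(\S+) (\S+) (\w+): (.*)$")  # timestamp host source: message
def clipping_alerts(text, profiles=PROFILES):
    """Return (source, host, subject, count, time) whenever failures reach the clip in the window.
    Events are sorted first because collectors deliver them out of order; the window is reset
    after each alert so a continuing run of failures raises one alert, not one per event."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, source, msg = m.groups()
        prof = profiles.get(source)
        hit = prof and re.search(prof["pattern"], msg)
        if hit:  # successes and unprofiled sources never count toward the clip
            events.append((datetime.fromisoformat(ts), host, source, hit.groups()))
    windows, alerts = defaultdict(deque), []
    for ts, host, source, subject in sorted(events):
        prof = profiles[source]
        dq = windows[(source, host, subject)]
        dq.append(ts)
        while ts - dq[0] > timedelta(seconds=prof["window_s"]):
            dq.popleft()  # drop failures older than the window
        if len(dq) >= prof["clip"]:
            alerts.append((source, host, " ".join(subject), len(dq), ts.isoformat()))
            dq.clear()
    return alerts
```

On the sample, alice’s five failures within 30 seconds and carol’s two sudo failures within five minutes each raise one alert, while bob’s two failures 18 minutes apart stay below the clip.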


2. Co-create a logging and monitoring ecosystem: Next, a multitude of stakeholders across the business should identify the appropriate technologies that will be used. While technologists can help with the system-specific implementation, analysts can provide input on patterns, behavioural aspects and the necessary integration between the various platforms. As businesses around the world focus on adopting cloud and multi-cloud solutions, it is imperative to have multi-party, multi-platform and multi-technology log management integration. Log correlation and orchestration with threat intelligence platforms are very important for breach and loss integrators.

While traditional security information and event management (SIEM) systems are paramount, today’s disruptive AI and data science technologies are extremely beneficial in threat detection and prevention, especially when powered by the right integration of log management systems. 

3. Integrate your business KPIs to reflect the key KRIs: Enterprise dashboards must create a well-defined space that outlines cybersecurity key risk indicators (KRIs), thereby empowering the C-suite to make decisions with a bird’s-eye view of the threat landscape. Such a dashboard also enables the C-suite to recognise the ROI of cybersecurity spend. When a design-thinking approach is used, the enterprise log management system, powered by AI and data science, can yield a periodic risk dashboard bundled with broader business results. The goal of this design thinking approach is to arm the C-suite with a better view of the potential and real breaches and losses that their businesses experience while they embark on a journey of digital transformation.

Together, these pointers support better business risk management: data losses can be prevented or contained within acceptable time limits, which in turn prevents business losses from regulatory penalties, customer churn or competitor advantage. Not least, engaging the right set of cybersecurity advisors is key to providing industry insight, subject matter expertise and contextual advice, and to addressing the cybersecurity skills gap.

Download the complete CODB report here.