The digital landscape continues to grow increasingly complex, and security risk and operational costs rise as digital transformation accelerates. According to research by McKinsey and Company, more than 70 percent of security executives believe that their budgets for fiscal year 2021 will shrink. In this environment, modern logging management technology provides the visibility security teams need to efficiently and cost-effectively manage risk.
More Data, Less Visibility
Log data is critical for understanding how systems operate and for monitoring the IT environment for malicious activity. This is particularly important for modern systems that lack an audit trail, such as multicloud and DevOps environments, microservices and containers. These technologies change rapidly, and represent a significant increase in system components and complexity. New security tools are continually deployed to combat the threat landscape, each driving huge log volumes. Web applications require application logs and logs from the supporting infrastructure. As more companies embrace remote work as a permanent option, the number of endpoints, and the heightened security risk they pose, increases.
According to IBM Security and Ponemon Institute’s Cost of a Data Breach Report 2020, security system complexity, created by the increasing number of enabling technologies and a lack of in-house expertise, amplified the average total cost of a data breach by an average of $291,870. Migration to the cloud was associated with higher-than-average data breach costs, increasing the average cost by an average of $267,469.
Eliminate Logging Blindspots
As data volumes grow, budget constraints force security operations teams to pick and choose which logs to collect and analyze and how long to keep them. Some logs are inevitably left out, creating blindspots where the security operations team lacks visibility. Those blindspots grow as the collected log data represents a smaller and smaller portion of the IT environment. Bigger blindspots mean more risk and greater financial liability, as the security operations team’s ability to effectively detect and respond to threats in the environment is hampered.
As Gartner noted in a recent report, “Modern security operations center activities require access to log data from a variety of sources that may be too expensive to consume in a SIEM solution. However, analysts investigating events may need access to this additional data for context and correlation, and threat hunters need access to a broad scope of data to do their job.”
During an advanced persistent attack, threat actors can remain undetected on a network for weeks – even months. During this time, attackers might exfiltrate data or simply sit on the network and “listen.” A blindspot is a perfect place to hide. Other log data might indicate something is amiss, but without a complete set of logs against which to correlate these findings, it takes the security operations team longer to detect the intrusion. The longer it takes to detect an intruder, the greater the risk of data loss, fraud or other damage – and the higher the organization’s incident response costs.
Millions in Avoidable Loss
According to the Cost of a Data Breach Report 2020, on average, companies required 207 days to identify and 73 days to contain a breach in 2019; combining for an average “life cycle” of 280 days. Each additional day it takes to contain a breach impacts the bottom line. Researchers found that the average cost savings of containing a breach in less than 200 days, versus more than 200 days, equaled $1.12 million.
Blindspots also impact the speed and efficacy with which security teams can respond to and investigate threats. Tracking down and piecing together logs that weren’t previously collected can add weeks to a threat hunt. Often, log retention stops at 30 days, but a threat actor can be in an environment for months; even years. If the environment isn’t instrumented correctly, or the organization doesn’t retain logs that cover when the adversary initially gained access to the environment, there’s no way to determine root cause or to be sure that all traces of the compromise have been removed. Attackers may leave dormant malware to reactivate later when the defense focus has shifted. Without assurance that all parts of the compromise have been removed, security teams either accept this risk, or overcompensate and remediate more of their environment than necessary, adding to the incident cost and duration.
Getting to the Bottom of Things
Understanding root cause is crucial for effective incident response. Security operations teams must understand how the environment was compromised so that they know what to fix. Until the root cause is addressed, the exposure or gap remains in the environment, allowing the adversary to return repeatedly. In this scenario, an enterprise can incur hundreds and hundreds of hours in incident response services before an attacker is effectively evicted from the environment. Sophisticated attacks often involve multiple points of attack and compromise, as well as diversion tactics that make it challenging to have full confidence in identifying the full extent of the attackers’ activities.
Without a comprehensive set of log data, assigning attribution is also difficult. Log data can indicate the techniques, methods and tools the adversary is using, in addition to which assets they’re looking at. SecOps teams can use these clues to determine whether a cybercriminal, nation-state actor or terrorist organization is executing the attack. If there’s a lack of data to identify the tradecraft, then it becomes difficult to attribute the attack to a particular adversary, and makes engagement with law enforcement less effective. Intelligence gathered as part of a full investigation, with access to all relevant logs, results in a rich data set to inform protective and detective controls in the future.
The key to obtaining better visibility into the IT environment is to log everything. Collect all log data and make it searchable so that security operations can query and analyze the data, both after the fact and in real-time. This is achievable with modern log management solutions, which are built specifically for the purposes of logging everything and answering anything.
With streaming observability, security operations teams can monitor and alert on incidents in real-time, enabling them to respond immediately and reduce detection and response times.They can search data more quickly and effectively because they aren’t constrained by what they can ask of their data. They have complete flexibility to ask anything and get an instant response – enabling them to uncover root cause faster.
Blazing fast, sub-second search times across petabytes of data also gives threat hunters the freedom to unleash their creativity and curiosity. The speed of search in today’s modern logging solutions enables new methods of threat hunting, as analysts aren’t constrained by technology limitations and can work how they’re most comfortable.
No one can predict where the next cybersecurity threat will come from. When organizations collect all of their log data, they don’t have to decide between reducing cybersecurity risk and managing a SIEM solution. With the ability to log everything and answer anything, security operations can be better prepared for the unknown.