Why Responding to a Cyber Attack with a Traditional SIEM Leaves You Vulnerable

by Ana Mezic on February 2, 2021

At the very end of 2020, a massive breach of software firm SolarWinds allowed hackers to spend months exploring thousands of U.S. government networks and private companies’ systems around the world.

The hackers attached their malware to a software update from SolarWinds, a software meant to monitor computer networks, and the breach went undetected from March until June of 2020, meaning the hackers, believed to be Russians, could have been spying on those customers for six to nine months.

People were outraged that it took months to figure out the government had been breached, but this has unfortunately become the norm, with most security systems still being woefully unprepared for an advanced and targeted breach like the one that was led against the US.

As evidence to that, the Mandiant Security Effectiveness Report 2020 found that 53% of successful cyber attacks infiltrate organizations without being detected, and 91% of all incidents didn’t generate an alert.

The statistics for how long it takes to detect these hacks are even more abysmal. According to IBM, a 2020 report found that it took an average of 280 days to even identify a breach., another estimates it at 196 days, regardless, that is plenty of time to cost millions and cause irreparable damage.

Sponsorships Available

An enterprise’s inability to detect cyber attacks has tangible effects on its productivity and profitability. Various reports have noted a correlation between the time it takes to spot an intrusion and the cost of recovery.

An IBM study estimated that organizations that contained a breach in under 30 days saved more than $1 million compared to those that take longer.

“The problem is that breaches take too long to detect with traditional SIEM systems, and what we have learned from the recent Government hack, is that there needs to be an AI security program monitoring not only the network baseline, but also the software and updates to ensure nothing unusual is happening,” said Dr. Igor Mezic, CTO at MixMode.

Although a Ponemon Institute report suggests that organizations should aim to identify a breach within 100 days, it found that the average cost of identifying a breach within this time was $5.99 million, but for breaches that took longer to identify, the average cost rose to $8.70 million.

There is a similar correlation in terms of containing a breach. Breaches that took less than 30 days to contain had an average cost of $5.87 million, but this rose to $8.83 million for breaches that took longer to contain.

The good news is that organizations have become significantly better at containing breaches, with the average time dropping from 70 days in 2016 to 55 days. This, however, is still a dangerous amount of time for an enterprise to be exposed to bad actors.

This issue clearly begs a solution, particularly when classified Government information is at stake.

“Most breaches are in excess of 6 months to 12 months, this is why base security compliance requires keeping logs for so long. This is all attributed to the fact that SIEM is really not a proactive solution, they are meant to be used as post mortem tools,” said Mike Yelland, Senior Sales Engineer at MixMode.

But there is a better way. With new advances in AI, MixMode has pioneered a preemptive cybersecurity solution with real-time AI-first analytics that allows for predictive detection of attacks based on advanced anomaly detection and correlative analysis.

This also feeds into how SIEM is using AI to manage data and not provide threat and risk intelligence until after the breach.

“For example, with SolarFlare, the government breach, Third-Wave AI would have detected the outbound traffic that had never been seen right away and traced it back to origin and secondary in a matter of clicks of the red dot. Everyone else had to wait for the IOC to be published and almost 3 weeks for these to evolve and not have false positives. If the IOC had never been published we would still have active attacks and it would be the logs that are archived that would provide the cookie crumbs. So, by design SIEM isn’t meant to identify threats without rules. By default they will always be behind on the curve,” Yellands explains.

A classic SIEM will also alert you when it detects a problem on the network, but it has no baseline of normal behavior to work off of so it is very difficult to tell the real timely issues from some random alert. SIEMs tend to get absolutely bogged down by false positives and negatives, which makes it really difficult to tell which network anomalies are truly problematic.

“The customer had absolutely no defense because this was an update. The only defense against this is to monitor the behavior of that software. Right now in this particular case with Russia, it would be necessary not only to be monitoring the network but also the behavioral analytics of the software in order to detect it behaving differently after the update. The only way this would be possible is with a Third-Wave AI security system capable of monitoring the baseline of both network traffic and all security applications, so as soon as some odd behavior occurred an alert would let the security teams know,” said Dr. Mezic.

It is massively important to be able to identify the threats as they happen because every minute a hacker has access to classified data is a minute to wreak havoc and lose the organization a lot of money. In the case of classified government data, each minute makes the hack more dangerous, not to mention the days and months it took in the SolarWinds Scenario.

Particularly in the case of zero-day or non-fingerprinted threats, organizations need to prepare themselves to catch what they cannot see and the only way to do that is with a baseline monitored by Unsupervised AI. SOAR technology is more of the same, relying on third-party platforms and human operators to take action.

We need to shorten this timeline in order to protect our government, hospitals, and organizations vulnerable to hacks. So the next time a major attempt to breach government data occurs, it can be thwarted by the Predictive AI before hackers get the chance to access classified files. There needs to be a huge shift in the industry towards predictive technology and Third Wave AI will be leading the pack.

Learn more about MixMode and request a demo today.