Every day, countless businesses are targeted by malicious hackers. It's no longer a matter of if, but when. This was highlighted by an experiment run by Sophos, a data security company.
Sophos sought to measure how quickly attackers would find a vulnerable system on the internet. To do this, they created 10 cloud-based machines in data centers around the globe. These machines, called honeypots, were purposefully misconfigured to be vulnerable. On average, the first attack arrived 52 seconds after a honeypot went online, and over the course of 30 days the honeypots were attacked more than 5 million times in total.
How can attacks happen so promptly and frequently? Most of them are automated: bots scan the entire internet and probe any potentially vulnerable system they find. To counter this, most security providers and IT managers implement firewalls, antivirus, backups, and so on. But how can an IT manager or business tell when these controls fail to provide adequate protection? Often it is not that the software or hardware fails, but that a simple human error (a misconfiguration) gives a savvy attacker the means to get past a business' security measures.
Even if we assume that everything is configured perfectly, how can an IT team confirm that the 5 million attacks a month Sophos reports are actually being blocked? Each of those attacks leaves a trail of packet data and log entries, so 5 million attacks become a deluge of logs to review. Below we see actual footage of a lone IT tech deciphering that quantity of logs.
This is where a SIEM (Security Information and Event Management) and SOC (Security Operations Center) solution comes into play.
A SIEM collects the logs from all of your security tools, servers, endpoints, etc., normalizes them, and stores them in a central location. This makes it possible to review and search logs from potentially hundreds of systems in one place. On top of that, the SIEM applies correlation rules, increasingly supplemented by machine learning, and enriches events with threat intelligence feeds gathered from around the globe. This does what would be impossible for a human: it combs through all of the logs and filters out the potentially malicious activity occurring within the business' network. A human analyst can then take the events that were flagged and determine whether further action is required to protect the business.
But attacks don't just happen during business hours when your IT team is working. This is where a SOC comes in. A SOC is a fully staffed team dedicated solely to monitoring those filtered alerts 24x7 and responding within whatever SLA you have agreed with your SOC provider. It's no secret that attacks have become much more frequent over holiday weekends, when your staff may not be readily monitoring and reviewing alerts. The SOC watches the business regardless of holidays or time of day, so there is no unmonitored window for an attacker to exploit.
It's for this reason that Axxys believes all businesses should strongly consider implementing a SIEM/SOC solution to further protect their assets. Contact us to discuss whether it makes sense for your business.