The ABC’s recent Four Corners program ‘Cyber War: How hackers are threatening everything from your bank account to the nation’s secrets.’ is a must-see for anyone using technology today. This well-researched and easily consumable report provides insight into a global economic, social and political issue that affects us all.
One story particularly stands out for me because it is so alarming: the example of NewSat and their IT manager. On investigation, they found that the breach had gone undetected for more than two years, potentially exposing designs, financial data and other sensitive information to the organisation or government behind the breach. One comment, in particular, gave me pause: “With the more specialised security tools that we had we were able to determine the location of the attacks and the majority of them were coming from China.”
All the technology, but no insight
This is what our team comes across every time we talk to a potential customer. Most organisations have invested significant amounts in security technologies (e.g. firewalls, intrusion protection systems, web gateways, antivirus, etc.) and I suspect NewSat was no different. Almost certainly, when NewSat was breached, one or more of their technologies logged information which, if analysed, would have indicated the breach. So why weren’t they aware?
Finding the needle in the haystack
The reason is all too common. Existing security devices are logging vast amounts of valuable information. To put this in context, an average-sized organisation will log around 1500 or more events per second. Yet, in most organisations, these logs are simply stored away and only reviewed after an incident has been detected. By that point, ransomware has already encrypted valuable files or data has already been copied and publicly released, which is, of course, too late.
So, what are your options?
By actively monitoring event logs, Threat Intelligence services detect attacks at the time they are attempted and provide the necessary assistance to prevent significant impact. The message for any organisation is to ask if your IT team has the ability to make the most out of the security infrastructure in place and to actively monitor and analyse all of the data your devices produce. If not, then perhaps it is time to talk about how you can maximise the protection afforded by your existing security investment.
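To make the difference between “store the logs and read them after the incident” and “analyse the events as they arrive” concrete, here is an added example that is not code from the article or from any monitoring product it describes. It is a minimal streaming monitor over a handful of constructed authentication log lines: it parses each line as it comes in, keeps a sliding window of failed logins per source address, and raises an alert the moment a burst of failures (and any subsequent successful login from the same source) occurs. The log format, the “5 failures within 5 minutes” threshold, the usernames and the addresses are all assumptions chosen for illustration.

```python
"""Added example: a minimal streaming log monitor (not from the article).

It alerts as events arrive, instead of leaving the logs to be read after an
incident has already been noticed. Log format and thresholds are assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-style SSH auth events); not real data.
SAMPLE_LOGS = [
    "2016-08-28T02:13:50 auth sshd: Accepted password for alice from 198.51.100.4",
    "2016-08-28T02:14:01 auth sshd: Failed password for admin from 203.0.113.7",
    "2016-08-28T02:14:09 auth sshd: Failed password for admin from 203.0.113.7",
    "2016-08-28T02:14:12 auth sshd: Failed password for bob from 192.0.2.9",
    "2016-08-28T02:14:17 auth sshd: Failed password for root from 203.0.113.7",
    "2016-08-28T02:14:25 auth sshd: Failed password for admin from 203.0.113.7",
    "2016-08-28T02:14:40 auth sshd: Failed password for admin from 203.0.113.7",
    "2016-08-28T02:15:02 auth sshd: Accepted password for admin from 203.0.113.7",
    "2016-08-28T02:20:00 auth sshd: Accepted password for alice from 198.51.100.4",
]

# Assumed line format: "<ISO timestamp> auth sshd: <Failed|Accepted> password for <user> from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)

FAIL_THRESHOLD = 5            # assumed: alert on the 5th failure from one source...
WINDOW = timedelta(minutes=5)  # ...within a 5 minute sliding window


def parse(line):
    """Turn one log line into a dict, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "outcome": m["outcome"],
        "user": m["user"],
        "src": m["src"],
    }


class StreamingMonitor:
    """Keeps per-source failure timestamps and alerts on a burst or on a
    successful login that follows a burst from the same source."""

    def __init__(self, threshold=FAIL_THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # src -> timestamps of recent failures

    def ingest(self, line):
        """Process one line; return an alert dict or None."""
        ev = parse(line)
        if ev is None:
            return None
        q = self.failures[ev["src"]]
        # Drop failures that have aged out of the sliding window.
        while q and ev["ts"] - q[0] > self.window:
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
            if len(q) == self.threshold:  # fire once, on the threshold-th failure
                return {"kind": "failed_login_burst", "src": ev["src"],
                        "user": ev["user"], "ts": ev["ts"].isoformat()}
        elif len(q) >= self.threshold:    # success right after a burst
            q.clear()                     # avoid repeating this alert
            return {"kind": "success_after_burst", "src": ev["src"],
                    "user": ev["user"], "ts": ev["ts"].isoformat()}
        return None


def monitor(lines):
    """Run the monitor over a sequence of lines; return alerts with the index
    of the line that triggered each one, i.e. how early the problem was seen."""
    mon = StreamingMonitor()
    alerts = []
    for idx, line in enumerate(lines):
        alert = mon.ingest(line)
        if alert is not None:
            alert["line_index"] = idx
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in monitor(SAMPLE_LOGS):
        print(a)
```

Run against the constructed lines, the monitor raises the burst alert at line 6 and the success-after-burst alert at line 7, i.e. while the activity is still in progress; a batch review of the same file days later would find the same two facts, but only after whatever followed that login had already happened. The same structure (parse, maintain a small window of state, alert on a condition) scales to the event rates the article mentions, which is exactly why such monitoring is normally automated rather than done by reading logs by hand.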