“The fact that a company hasn’t noticed a breach doesn’t mean that it hasn’t been breached” – itgovernance.co.uk
An APT (Advanced Persistent Threat) is a type of malware which uses social engineering or various phishing techniques to gain access to a network. Once the malware has gained access, it conceals itself by hiding in unsuspected files, where it can remain undetected for weeks, months, or even years, during which time it is able to steal or compromise sensitive data.
Such attacks are hard to defend against because traditional security tools such as antivirus software, firewalls and IDS/IPS are not capable of detecting them. As such, a new set of solutions is required.
Cyber-attacks are rapidly evolving and diversifying. They are becoming more targeted, covert and persistent. More than 100,000 new types of malware are discovered every day, and according to a report by FireEye, it takes organisations an average of 205 days to notice that they have been compromised. This is clearly way too long. The majority of attacks come from phishing emails that impersonate an organisation’s IT department or anti-virus vendor. As a result of this new wave of sophisticated attacks, there has been a shift towards a new approach that focuses on real-time threat detection, automated threat response and advanced data analytics.
What is Advanced Threat Protection (ATP)?
Not to be confused with APT (as mentioned above), Advanced Threat Protection (ATP) is a category of security solutions designed to defend against attacks that target sensitive data. Such solutions are available either as software or as managed services. They typically include some combination of endpoint and device monitoring, email security gateways, and a centralised management console that aggregates log data from multiple sources and provides alerts and reports based on important system events.
SIEM and its Drawbacks
Even when a Security Information and Event Management (SIEM) solution alerts on suspicious activity that may be associated with a cyber-attack, a huge amount of audit log data is gathered in the process, and administrators have to sift through it to find the exact event they were notified about. There is a large amount of data to deal with, and most of the time administrators will have no idea where to look for a critical event.
Whilst SIEM solutions can be helpful, they don’t come without their drawbacks. It’s important that you consider both the advantages and disadvantages of deploying a SIEM solution. Some of the drawbacks are as follows:
1. It is very difficult to draw any real meaning from the data analysis a SIEM solution provides. It contains far too much noise and can be very difficult to understand.
2. SIEM solutions do not necessarily provide organisations with the audit data they require to meet regulatory compliance requirements or ensure IT security. It’s hard to use a SIEM solution when you want to quickly find the data needed for PCI compliance, for example. SIEM reports sometimes need to be adapted for non-technical staff or external regulators.
3. SIEM solutions are expensive. There are serious costs associated with deploying SIEM solutions and training staff to operate them. Read Lepide’s guide to SIEM here.
Is there an alternative?
One way many organisations are overcoming the limitations of SIEM solutions and giving themselves better visibility into critical changes taking place in their organisation is with LepideAuditor.
LepideAuditor enables organisations to detect, report and respond to changes to their critical data and systems. It lets them keep track of permission changes, user account modifications and deletions, inactive user accounts, failed logon attempts and privileged mailbox access, and it provides reminders about password resets and when passwords are due to expire. On top of this, LepideAuditor is able to generate real-time alerts and over 270 pre-set reports, which can be used to satisfy regulatory requirements. It helps organisations cut through the noise associated with SIEM solutions and provides them with immediately actionable reports for all manner of security, IT operations and compliance challenges.