Lisa DeVoto, January 15, 2020

Using a SIEM to Detect BEC & Other Cyber Attacks

Business email compromise (BEC), or imposter email, continues to plague businesses. In these scenarios, criminals gain access to an email account. Then, using the compromised account, they attempt to trick someone into sending money or sensitive information.

In 2018, the FBI's Internet Crime Complaint Center (IC3) received 20,373 complaints about BEC incidents, with losses totaling well over $1B. 

These criminal schemes have become increasingly sophisticated because the potential payoff is huge.

Protect • Detect • Respond 

In the simple security model of protect, detect, and respond, you already have tools in place to prevent cyberattacks.

But technology alone is insufficient to prevent breaches.

In the modern workplace, creating a secure environment requires a multi-pronged approach: along with the correct security technologies, corresponding controls in the form of policies and procedures, and adopting a security-focused culture within the organization.

Since it's impossible to prevent all attacks, you need to implement solutions to help you detect when these attacks occur so you are better equipped to deal with them.

A SIEM is a perfect way to track cyberattacks. It provides deep insights into security threats within a corporate IT infrastructure far beyond the capabilities of firewalls and other security solutions.

Not sure why you need a SIEM when you already have a firewall?
Read the blog post, "SIEM Versus Firewall." 

A SIEM Does Much More Than Log Management

SIEM (Security Information and Event Management) is a management layer that resides above your existing systems and security protocols. The SIEM layer connects and unifies the information provided by your existing systems, allowing it to be analyzed and cross-referenced within a single interface.

A SIEM collects and stores logs from your network devices and computers. On an ongoing basis, the SIEM analyzes the log file information, highlighting events that require deeper analysis. At its most basic level, a SIEM stores and analyzes log files from the myriad devices throughout your IT infrastructure. But a SIEM is much more advanced than simple log management.

Early Detection – Knowing When You've Been Hacked

A major part of a cyberattack is getting away with it — removing and falsifying log files so that victims never know (or are delayed in finding out) that they have been compromised.

When a security breach does occur, a SIEM can provide the valuable forensic analysis you wouldn't otherwise be able to get.

Examples of Activities a SIEM Detects

Some of the types of events that a SIEM can detect include:

  • When a user logs in from another country
  • When a user creates suspicious email rules (such as diverting emails to a folder not commonly used)

These types of activities are common in BEC attacks. Once the attacker gains access to an employee's email account, they will review previous emails sent and received in preparation for sending a phishing email.
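The two indicators above, as an added detection example that is not part of the original post. It runs over constructed, simplified audit events loosely modelled on Office 365 sign-in and inbox-rule records (the field names, users and baselines are assumptions), flags the indicators per user, and escalates when a suspicious rule follows an unusual login, which is the BEC sequence described above:

```python
from datetime import datetime, timedelta

# Constructed sample events, loosely modelled on Office 365 sign-in and
# inbox-rule audit records; field names here are simplified assumptions.
EVENTS = [
    {"ts": "2020-01-13T09:02:00", "user": "cfo@example.com", "op": "UserLoggedIn", "country": "US"},
    {"ts": "2020-01-14T09:10:00", "user": "cfo@example.com", "op": "UserLoggedIn", "country": "US"},
    {"ts": "2020-01-15T03:41:00", "user": "cfo@example.com", "op": "UserLoggedIn", "country": "NG"},
    {"ts": "2020-01-15T03:44:00", "user": "cfo@example.com", "op": "New-InboxRule",
     "params": {"SubjectContainsWords": "invoice;wire", "MoveToFolder": "RSS Subscriptions"}},
    {"ts": "2020-01-15T09:00:00", "user": "ap@example.com", "op": "New-InboxRule",
     "params": {"From": "news@vendor.example", "MoveToFolder": "Inbox/Vendors"}},
]

# Per-user baselines a SIEM would learn from history; constructed by hand here.
BASELINE_COUNTRIES = {"cfo@example.com": {"US"}, "ap@example.com": {"US"}}
COMMON_FOLDERS = {"cfo@example.com": {"Inbox", "Inbox/Board"},
                  "ap@example.com": {"Inbox", "Inbox/Vendors"}}

def detect(events, baseline_countries=BASELINE_COUNTRIES, common_folders=COMMON_FOLDERS):
    """Return (timestamp, user, message) alerts for the two BEC indicators."""
    alerts = []
    for e in events:
        user = e["user"]
        if e["op"] == "UserLoggedIn" and e["country"] not in baseline_countries.get(user, set()):
            alerts.append((e["ts"], user, f"login from unusual country {e['country']}"))
        elif e["op"] in ("New-InboxRule", "Set-InboxRule"):
            p = e["params"]
            dest = p.get("MoveToFolder")
            if p.get("ForwardTo") or p.get("RedirectTo"):
                alerts.append((e["ts"], user, "rule forwards mail out of the mailbox"))
            elif p.get("DeleteMessage") or (dest and dest not in common_folders.get(user, set())):
                alerts.append((e["ts"], user, f"rule diverts mail to uncommon folder {dest!r}"))
    return alerts

def correlate(alerts, window=timedelta(hours=24)):
    """Escalate a suspicious rule that follows an unusual login by the same user."""
    logins = [(datetime.fromisoformat(ts), u) for ts, u, msg in alerts if msg.startswith("login")]
    escalated = []
    for ts, u, msg in alerts:
        t = datetime.fromisoformat(ts)
        if msg.startswith("rule") and any(lu == u and timedelta(0) <= t - lt <= window for lt, lu in logins):
            escalated.append((ts, u, "possible BEC: " + msg))
    return escalated

if __name__ == "__main__":
    for a in correlate(detect(EVENTS)):
        print(*a)
```

The accounts-payable user's rule is not flagged because its destination folder is in that user's baseline; only the CFO's foreign login followed by a rule diverting invoice mail is escalated.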

Attacks Don't Necessarily Happen Right Away

It's important to note that cyberattacks have become much more sophisticated in recent years. After breaking in, attackers will be waiting and watching — learning about your environment — so they can strike at the perfect time. With a SIEM, you can better detect these types of attacks.

For example, if a cybercriminal can get into your Office 365 account, there's potentially a lot they can do, including:

  • Send malware-laden email messages to people inside and outside your company
  • Steal confidential data stored in Office 365
  • Access applications in the cloud that provide attackers with information or access to banking details to commit further fraud

Most email security solutions do not protect against this specific attack vector.

In the case of an email sent from a compromised user account to another employee in the company, the email may never actually route through a security solution meant to protect a company from emails coming in from the outside. Also, because the attacker has studied the email within the compromised account, the phishing message looks virtually identical to a legitimate one.

Forensic Analysis Capabilities of SIEM

You can pinpoint exactly what happened with timely access to the correct log file information. Without a SIEM solution, it is much more difficult to locate and access all relevant log files for further analysis. It may seem as if the likelihood of success of BEC attacks is small. However, the potential payoff is huge. Attackers can target multiple victims/companies and spend a lot of time crafting just the right message to increase their chances of success.

SIEMs are Expensive

Significant costs and time commitments are involved in adopting and managing a SIEM solution. A SIEM can be expensive — to purchase, implement, and manage. Once you've made the commitment to adopting a SIEM, you want to make sure you maximize the value you can get from it.

Required Steps When Setting Up a SIEM

A successful SIEM project requires advanced cybersecurity expertise and available resources to manage the project.

Setting up a SIEM involves these activities:

  1. Deployment – initial installation and configuration of the SIEM
  2. Tuning – creating, revising, and testing rules
  3. Ongoing Maintenance – weekly analysis & reporting, daily review of alarms
  4. Incident Response – remediation steps to take during an attack

Deploying a SIEM

When preparing to deploy a SIEM, you need to gather information.

You will need access to logs and alerts generated from security controls and infrastructure within your environment. This includes:

  • intrusion detection
  • endpoint security (antivirus, etc.)
  • data loss prevention
  • VPN concentrators
  • web filters
  • honeypots
  • firewalls
  • routers
  • switches
  • domain controllers
  • wireless access points
  • application servers
  • databases
  • internet applications

When deploying a SIEM, it's helpful to have a network topology diagram.

Next, you will need information about the IT infrastructure, including:

  • configuration
  • locations
  • owners
  • network maps
  • vulnerability reports
  • software inventory

In addition, it will be beneficial to understand the organization's business processes and know the right people who need to be involved during any remediation activities.

Tuning a SIEM

To ensure you derive maximum value from your SIEM, you must configure it properly by "tuning" it. The tuning phase can be the most critical part of a successful SIEM project. Without previous experience implementing SIEM, you risk your SIEM becoming shelfware.

Read the blog post, "SIEM Optimization: Tuning Your SIEM." 

Tuning a SIEM eliminates the false positives, reduces the noise, and makes the adjustments necessary to alert to the important things that happen in your environment. It is what makes the SIEM valuable to you for cybersecurity as opposed to just another logging system that sits in the corner gathering dust.

Tuning a SIEM can be separated into three parts:

  • Alarms — Too many alerts
  • Events — Reducing the noise
  • Rules — Alerting on the important things

Configuration of the SIEM is not a one-time activity; rather, it is an ongoing process. As new events appear and your network changes, you must update existing rules and create new ones.

Managed SIEM Versus In-House

Once the decision has been made to add a SIEM solution to the security mix, companies with their own IT staff may initially assume they should deploy and manage the SIEM with their own internal IT staff.

For some companies, that will make sense. But not for many small- to mid-sized companies. Companies that have committed to a SIEM solution and started deploying it may find the project will stall and take far more resources (time and expertise) than they expected.

Don't Let Your SIEM Project Get Sidetracked

Frequently, SIEM projects will get sidetracked during the deployment phase. Or, a company may make it through the initial deployment only to find they cannot derive real value from the solution without the proper tuning.

Companies that don't have the resources in-house to dedicate to deploying and maintaining a SIEM should consider a managed SIEM service.

An MSSP (managed security services provider) offers a managed SIEM service to deliver 24x7x365 threat detection and remediation. The MSSP's staff monitor and support the SIEM service from security operations centers.

The Benefits of Managed SIEM

A managed SIEM enables you to:

  • Protect your mission-critical data at an all-inclusive, fixed, monthly cost
  • Extend your IT department to include highly certified security professionals staffing a local 24x7x365 security operations center
  • Eliminate the need to hire an on-site security team

Questions to Ask When Evaluating Options

If you answer 'yes' to one or more of these questions, you should consider using a managed SIEM service from an MSSP.

  1. Do you already have a SIEM in place but find it difficult to get useful, actionable data out of it?
  2. Are you buried in alerts and false positives?
  3. Do you have limited resources or time to dedicate to a SIEM solution?
  4. Are you lacking an abundance of in-house IT professionals with security incident response expertise who have the time available to dedicate to managing a SIEM?

Corserva's Managed SIEM Service

With Corserva’s managed SIEM service, you gain enterprise-level cybersecurity for a fixed monthly cost, with no hefty licensing fees and no additional staffing requirements.

We collect and store logs from any or all of your network devices and computers. Devices can be classified as within the scope of your compliance requirements, and reports can be generated when needed. Common incidents are identified, prioritized, and acted on. The solution is integrated with a threat intelligence feed and is updated on an ongoing basis to accelerate the detection of new threats.

The best tools in the world have limited use if the right people aren’t there to manage them. Corserva’s staff have key security certifications, including CISSP, CISM, CGEIT, CRISC, CEH, and CompTIA Security+. We provide 24x7x365 support for our clients from our US-based security operations centers.

Corserva's managed SIEM offers the best of both worlds — enterprise security protection with an affordable cost model.


Lisa DeVoto

Lisa has 25+ years of experience working for technology companies in B2B marketing and technical communications. She is driven to help people solve problems through educational content. Lisa has an MBA from University of Connecticut and a BS in Computer Science from Rensselaer Polytechnic Institute.