Using a SIEM to Detect BEC & Other Cyber Attacks

Corserva blog

Business email compromise (BEC), or imposter email, continues to plague businesses. In these scenarios, criminals gain access to an email account. Then, using the compromised account, they attempt to trick someone into sending money or sensitive information.

In 2018, the FBI's Internet Crime Complaint Center (IC3) received 20,373 complaints about BEC incidents, with losses totaling well over $1B. 

These criminal schemes have become ever more sophisticated because the potential payoff is huge.

Protect • Detect • Respond 

In the simple security model of protect, detect, and respond, you already have tools in place to prevent cyberattacks.

But technology alone is insufficient to prevent breaches.

In the modern workplace, creating a secure environment requires a multi-pronged approach: the correct security technologies, corresponding controls in the form of policies and procedures, and the adoption of a security-focused culture within the organization.

Since it's impossible to prevent all attacks, you need to implement solutions to help you detect when these attacks occur so you are better equipped to deal with them.

A SIEM is the perfect way to track cyberattacks. It provides deep insights into security threats within a corporate IT infrastructure far beyond the capabilities of firewalls and other security solutions.


Not sure why you need a SIEM when you already have a firewall?
Read the blog post, "SIEM Versus Firewall." 


A SIEM Does Much More Than Log Management

SIEM (Security Information and Event Management) is a management layer that resides above your existing systems and security protocols. The SIEM layer connects and unifies the information provided by your existing systems, allowing it to be analyzed and cross-referenced within a single interface.

A SIEM collects and stores logs from your network devices and computers. On an ongoing basis, the SIEM analyzes the log file information, highlighting events that require deeper analysis.

At its most basic level, a SIEM stores and analyzes log files from all the myriad devices throughout your IT infrastructure.

But a SIEM is much more advanced than simple log management.


Early Detection – Knowing When You've Been Hacked

A major part of a cyberattack is getting away with it — removing and falsifying log files so that victims never know (or are delayed in finding out) that they have been compromised.

When a security breach does occur, a SIEM can provide valuable forensic analysis you wouldn't otherwise be able to get.


Examples of Activities a SIEM Detects

Some of the types of events that a SIEM can detect include:

  • When a user logs in from another country
  • When a user creates suspicious email rules (such as diverting emails to a folder not commonly used)

These types of activities are common in BEC attacks. Once the attacker gains access to an employee's email account, they will review previous emails sent and received in preparation for sending a phishing email.
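The two indicators named above, and the way a SIEM cross-references them, as an added example that is not Corserva's code: two detection rules run over constructed audit events, with an inbox-rule hit escalated when it follows a login from a country the user has never logged in from. The event field names, folder list and one-hour window are assumptions chosen for the example, not a vendor schema.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not real logs); field names are simplified placeholders.
EVENTS = [
    {"ts": "2020-01-10T08:02:11Z", "user": "jdoe", "op": "UserLoggedIn", "country": "US"},
    {"ts": "2020-01-10T17:45:03Z", "user": "jdoe", "op": "UserLoggedIn", "country": "US"},
    {"ts": "2020-01-11T03:17:09Z", "user": "jdoe", "op": "UserLoggedIn", "country": "NG"},
    {"ts": "2020-01-11T03:19:52Z", "user": "jdoe", "op": "New-InboxRule", "folder": "RSS Feeds"},
    {"ts": "2020-01-11T09:00:00Z", "user": "asmith", "op": "UserLoggedIn", "country": "US"},
    {"ts": "2020-01-11T09:30:00Z", "user": "asmith", "op": "New-InboxRule", "folder": "Projects"},
]

# Folders users rarely file mail into by hand; a rule diverting mail here hides replies
# from the account owner. Assumed list for the example.
RARE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "archive"}
CORRELATION_WINDOW = timedelta(hours=1)  # assumed window for linking the two rules


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect(events):
    """Run two BEC rules over events in time order and correlate them per user.

    Rule 1: login from a country never seen before for that user (needs a baseline).
    Rule 2: new inbox rule that moves mail to a rarely used folder.
    Correlation: Rule 2 firing within the window after Rule 1 for the same user is
    escalated to high severity, which is the cross-referencing a SIEM adds.
    """
    seen_countries = {}       # user -> countries from earlier logins (the baseline)
    last_foreign_login = {}   # user -> time of the most recent Rule 1 hit
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        user, when = e["user"], parse_ts(e["ts"])
        if e["op"] == "UserLoggedIn":
            known = seen_countries.setdefault(user, set())
            if known and e["country"] not in known:
                alerts.append({"user": user, "rule": "login_new_country",
                               "severity": "medium", "ts": e["ts"]})
                last_foreign_login[user] = when
            known.add(e["country"])  # baseline learns as it goes; first login never alerts
        elif e["op"] == "New-InboxRule" and e["folder"].lower() in RARE_FOLDERS:
            recent = last_foreign_login.get(user)
            escalate = recent is not None and when - recent <= CORRELATION_WINDOW
            alerts.append({"user": user, "rule": "suspicious_inbox_rule",
                           "severity": "high" if escalate else "medium", "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Run against the sample, the second user's rule to an ordinary folder produces nothing, while the first user's foreign login plus the rule into "RSS Feeds" two minutes later produce a medium alert followed by a high one.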


Attacks Don't Necessarily Happen Right Away

Cyberattacks have become much more sophisticated in recent years. After breaking in, attackers will wait and watch — learning about your environment — so they can strike at the perfect time. With a SIEM, you can better detect these types of attacks.

For example, if a cybercriminal can get into your Office 365 account, there's potentially a lot they can do, including:

  • Send malware-laden email messages to people inside and outside your company
  • Steal confidential data stored in Office 365
  • Access applications in the cloud that provide attackers with information or access to banking details to commit further fraud

Most email security solutions do not protect against this specific attack vector.

In the case of an email sent from a compromised user account to another employee in the company, the email may never actually route through a security solution meant to protect a company from emails coming in from the outside. Also, because the attacker has studied the email within the compromised account, the messages they send look virtually identical to legitimate ones.


Forensic Analysis Capabilities of SIEM

With timely access to the correct log file information, you can pinpoint exactly what happened. Without a SIEM solution, it is much more difficult to locate and access all relevant log files for further analysis.

It may seem as if the likelihood of success of BEC attacks is small. However, the potential payoff is huge.

Attackers can target multiple victims/companies and spend a lot of time crafting just the right message to increase their chances of success.


SIEMs are Expensive

There are significant costs and time commitments involved in adopting and managing a SIEM solution. A SIEM can be expensive — to purchase, implement, and manage.

Once you've made the commitment to adopting a SIEM, you want to make sure you maximize the value you can get from it.


Required Steps When Setting Up a SIEM

A successful SIEM project requires advanced cybersecurity expertise and available resources to manage the project.

Setting up a SIEM involves these activities:

  1. Deployment – initial installation and configuration of the SIEM
  2. Tuning – creating, revising, testing rules
  3. Ongoing Maintenance – weekly analysis & reporting, daily review of alarms
  4. Incident Response – remediation steps to take during an attack


Deploying a SIEM

When preparing to deploy a SIEM, you need to gather information.

You will need access to logs and alerts generated from security controls and infrastructure within your environment. This includes:

  • intrusion detection
  • endpoint security (antivirus, etc.)
  • data loss prevention
  • VPN concentrators
  • web filters
  • honeypots
  • firewalls
  • routers
  • switches
  • domain controllers
  • wireless access points
  • application servers
  • databases
  • internet applications

When deploying a SIEM, it's helpful if you have a network topology diagram.


Next, you will need information about the IT infrastructure, including:

  • configuration
  • locations
  • owners
  • network maps
  • vulnerability reports
  • software inventory

In addition, it will be beneficial to understand the business processes within the organization and to know the right people who need to be involved during any remediation activities.


Tuning a SIEM

To ensure you derive maximum value from your SIEM, you need to configure it properly by "tuning" it.

The tuning phase can be the most critical part of a successful SIEM project. Without previous experience implementing SIEM, you run the risk of your SIEM becoming shelfware.


Read the blog post, "SIEM Optimization: Tuning Your SIEM." 


Tuning a SIEM is the process of eliminating the false positives, reducing the noise, and making the adjustments necessary to alert on the important things that happen in your environment. It is what makes the SIEM valuable to you for cybersecurity as opposed to just another logging system that sits in the corner gathering dust.

Tuning a SIEM can be separated into three parts:

  • Alarms — Too many alerts
  • Events — Reducing the noise
  • Rules — Alerting on the important things

Configuration of the SIEM is not a one-time activity; rather, it is an ongoing process. As new events occur and as your network changes, you need to update rules and create new ones.


Managed SIEM Versus In-House

Once the decision has been made to add a SIEM solution to the security mix, companies with their own IT staff may initially assume they should deploy and manage the SIEM internally.

For some companies, that will make sense.

But not for many small- to mid-sized companies.

Companies that have committed to a SIEM solution and started deploying it may find the project will stall and end up taking far more resources (time and expertise) than they expected.


Don't Let Your SIEM Project Get Sidetracked

Frequently a SIEM project will get sidetracked during the deployment phase. Or, a company may make it through the initial deployment only to find they are unable to derive real value from the solution without the proper tuning.

Companies that don't have the resources in-house to dedicate to deploying and maintaining a SIEM should consider a managed SIEM service.

A managed SIEM service is offered by an MSSP (managed security services provider) to deliver 24x7x365 threat detection and remediation. The MSSP's staff monitor and support the SIEM service from security operations centers.


The Benefits of Managed SIEM

A managed SIEM enables you to:

  • Protect your mission-critical data at an all-inclusive, fixed, monthly cost
  • Extend your IT department to include highly certified security professionals staffing a local 24x7x365 security operations center
  • Eliminate the need to hire an on-site security team


Questions to Ask When Evaluating Options

If you answer 'yes' to one or more of these questions, you should consider using a managed SIEM service from an MSSP.

  1. Do you already have a SIEM in place, but are finding it difficult to get useful, actionable data out of it?
  2. Are you buried in alerts and false-positives?
  3. Do you have limited resources or time to dedicate to a SIEM solution?
  4. Are you lacking an abundance of in-house IT professionals with security incident response expertise who have the time available to dedicate to managing a SIEM?


Corserva's Managed SIEM Service

With Corserva’s managed SIEM service, you gain enterprise level cybersecurity for a fixed monthly cost, with no hefty licensing fees and no additional staffing requirements.


We collect and store logs from any or all of your network devices and computers. Devices can be classified as within scope of your compliance requirements, and reports can be generated when needed. Common incidents are identified, prioritized, and acted on. The solution is integrated with a threat intelligence feed and is updated on an ongoing basis to accelerate detection of new threats.

The best tools in the world have limited use if the right people aren’t there to manage them. Corserva’s staff have key security certifications including CISSP, CISM, CGEIT, CRISC, CEH, and CompTIA Security+. We provide 24x7x365 support for our clients from our US-based security operations centers.

Corserva's managed SIEM offers the best of both worlds — enterprise security protection with an affordable cost model.


Post Date: January 15, 2020 // 3:03 PM


Lisa DeVoto

Lisa has 25+ years of experience working for technology companies in B2B marketing and technical communications. She has written on various technology topics including disaster recovery, IT services, and enterprise software. Lisa has an MBA from University of Connecticut and a BS in Computer Science from Rensselaer Polytechnic Institute.