Last Updated on April 27, 2020
As an SMB, you’re probably thinking you’re too insignificant for a targeted cyberattack.
That’s not even a little bit true.
Recently, I sat down with Danielle Russell, Director of Product Marketing Management at AT&T Cybersecurity, to hear about SIEM solutions for SMBs and SMEs.
“For the SMB space, there’s no such thing anymore as security through obscurity,” Danielle said.
To SIEM or not to SIEM?
Increasingly in the SMB/SME space, there’s the recognition that log monitoring or security information management is more than just a good idea.
Even though a SIEM solution is becoming key, not everyone knows when to run out and get an AT&T SIEM cybersecurity solution.
“There’s no magic milestone that when an organization has a certain size or hits a certain age or is in a certain industry that they should consider getting some type of log management or SIEM solution,” Danielle said.
Cybercriminals are operating at scale. They’re operating opportunistically. And they’re targeting businesses of all sizes.
One frightening fact: 43% of attacks targeted small businesses in 2018.
“What that means for a small business is that it’s important to take a close look at your cybersecurity posture and your cyber risk posture,” she said.
So, when does an organization need a SIEM?
First, you should assess where you are in your cybersecurity maturity. There are many reasons to have log management, but from a security standpoint, the purpose is to be able to do threat detection.
At some point, the organization will recognize it not only needs to protect against potential cyberattacks but it also wants to detect and respond to things within the perimeter or environment. “That really becomes, I think, a strong motivator for a SIEM log management tool,” Danielle said.
Small organizations are a target
One of the biggest mistakes SMBs make is assuming they’re too small to be specifically targeted.
Whether or not that’s the case, a large percentage of breaches and threats are opportunistic. “If you’re being chased by a pack of lions, you want to make sure you’re not the slowest runner,” Danielle said.
These are equal opportunity attacks.
“Who’s the low hanging fruit? Cyber criminals today are able to operate at scale and to use a lot of automation to scale out their operations and attacks,” she said.
The truth is that SMBs are vulnerable to both kinds of attacks — targeted and opportunistic…
Meaning that there is really no such thing as “too small” or “too obscure” to protect against cyber criminals.
“Compliance is a strong driver and strong motivator,” Danielle said.
When you look at a compliance regime that has some sort of cyber risk aspect (PCI, DSS, HIPAA, or others) there’s usually some prescriptive log management function built in.
A common situation is that organizations just getting started with evaluating SIEM tools are either preparing for an audit — or have failed an audit.
The big picture of compliance is whether you can demonstrate that you’re doing security well. Maintaining and monitoring logs gives organizations the opportunity to disrupt or mitigate a threat before it becomes a long-term or large-scale problem.
SIEM is also useful for forensics. “In the event that you didn’t catch the attacker while they were in your environment, forensics analysis would demonstrate that you were acting in good faith and you were doing what was reasonable to to maintain those logs,” Danielle explained.
Given that it’s about 4.5 months between a breach and detection, SIEM compliance minimizes the impact of a breach.
“Does a SIEM automatically help us to do threat detection and incident response? The answer is no,” Danielle said.
The SIEM is a detection and response tool, but it doesn’t prevent all breaches or protect against all risks.
How to get started with the SIEM
If you’re an SMB that’s determined you need a SIEM, there are a few things to consider before you make your selection.
- Analyze where your sensitive information is. Some SIEM providers say that more data is better, but deliberate data collection is better than needles and haystacks.
- Decide who will be responsible for managing the SIEM. This could let you know whether you’ll be hiring dedicated staff or third-party management.
- Select services and features that align with your SIEM goals. If you begin the process with the understanding that less is more, you won’t be susceptible to all the latest features… just the ones that provide the tools you need.
“When you look at it from a resource perspective, the characteristics or quality that I would advocate most strongly for a small to medium sized business to evaluate a SIEM against would be ease of use,” Danielle said. “Simplicity throughout.”
Beyond whether it’s easy to deploy, another requirement that SMBs should consider in a SIEM solution would be the quality of the threat intelligence that the SIEM platform uses.
Threat data is just a thumbprint, like saying Someone’s trying to kill you.
Threat intelligence, however, provides actionable information based on the context of what’s happening within your environment: Assassins are coming at 4:00 on Friday in a white van.
“At AT&T, we’re taking that threat data and actually transform that into threat intelligence that includes correlation rules, and directives that our platform uses to automatically detect threats so that you’re not getting a lot of alerts that might result in false positives or volatile types of indicators,” Danielle explained.
“What is going on in this environment? How am I at risk? That’s really the crux of being able to do good threat detection,” she said.
This post is based on a portion of an episode of The Virtual CISO Podcast, featuring Danielle Russell. To hear this episode in its entirety and others like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.