Dependence on Log Data | An Increasing Vulnerability to Threat Actors

No One Uses Logs to Build a House Anymore, So Why is the Cybersecurity Industry Continuing to Sell Them to You?  

How sure are you that log files represent the best source of information to base your entire Cybersecurity program upon?

Log data is the cornerstone of every traditional cybersecurity platform including SIEM (Security Information and Event Management), UEBA (User and Entity Behavior Analytics), and xDR (Detection and Response). 

Using log based tools for cybersecurity is a lot like living in a log cabin in the 21st century. 

Log cabins provided shelter and warmth for millions and millions of people for many years, but no one (for the most part) wants to live in a log cabin today and you don’t see them lining the streets of suburbia. Why is that? It’s quite simple, modern homes are equipped with the technological upgrades that make them far safer, more efficient, more cost effective, and ultimately more secure than a log cabin.

The same applies for log data when it comes to cybersecurity. Just as a log cabin might provide some protection, they are far less impervious to the elements, log data only provides you with some protection against threats and is hardly an acceptable solution for modern day cyber defense. Using log data as a single source of truth for your cybersecurity program is a dangerous gamble.

Background: The Fundamental Failings of Log-Based Cybersecurity

Logs are time-stamped files that create audit trails for system events by recording information about behaviors and identifiers like application type or IP addresses. Log files make it easier to pull out relevant information about singular events. A few decades ago, log files provided a level of insight security analysts hadn’t had before, but today, we have to consider what log files exclude

The threat landscape has changed dramatically over the past few years, for example the Ponemon Institute recently found that 42% of attacks next year will be zero day never before seen attacks, and that currently 80% of  successful breaches happen because of never before seen attacks. Security systems that are reliant upon log file analysis to identify threats are some of the most vulnerable, leaving organizations in a dangerous position.

“42 percent of all attacks next year will be zero-day attacks”

The Ponemon Institute

“You’re going to miss a significant percentage of everything,” says Geoff Coulehan, MixMode Head of Strategic Alliances. “Logs provide relevant information primarily for after the fact search, investigate, and audit functions, but exclude detailed information deemed unnecessary or irrelevant for that application.  The details are critically important, however,  in addressing modern cyber threats in real-time, before replication, lateral movement, and exfiltration.”

But who’s to say what information is truly unnecessary? It would be impossible to confidently assess a company’s true security threat posture based on the inherently limited scope of log-based security platforms. Information is often deemed irrelevant to a specific application or operation and excluded from the core log-based analysis performed by traditional security tools today.

True correlative analysis of all behaviors across an environment relies on a complete picture beyond just log-based analyses. This is a fundamental failing of Cybersecurity platforms that rely on log data and one that cannot be overcome by aggregating, consolidating, or normalizing. The data literally doesn’t exist because it’s been filtered out from the start.

Next week we will continue this discussion by diving into SIEM and proprietary log data, the hidden costs of SIEM, and other SIEM limitations.