David speaks: Detecting and Tracking Events or Have You Been Hacked?

Since March 2020, the FBI has reported a 300% increase in cyber crimes, while in Australia criminal attacks remain the leading cause of data breaches with 61% of breaches reported to the Office of the Australian Information Commission (OAIC) linked to malicious or criminal activity. 

In the OAIC report January - June 2020 the top 5 industries for data breaches in the Notifiable Data Breach (NDB) Scheme were:

  1. Health service providers 
  2. Finance (incl. superannuation)
  3. Education 
  4. Insurance
  5. Legal, accounting & management services

With the legal industry consistently reporting in the top 5 industries our August Cyber Security webinar, in conjunction with the College of Law, on Detecting and Tracking Events or Have You Been Hacked was a critical one.

Australian Privacy Principles 1 and 11 (APPs) state that if an entity suspects that an eligible data breach has occurred, they must undertake an assessment into the relevant circumstances, including:

  • the cause or source of the breach
  • the type of personal information that was accessed or disclosed
  • and the number of individuals who were at risk of serious harm as a result of the breach.

OAIC reported that notifying entities who did not have audit or activity logging enabled on their network or email servers/accounts, or could not undertake retrospective traffic analysis of their internet gateway, had difficulty determining whether a malicious actor who had gained access to their network in a cyber attack had accessed or exported (exfiltrated) personal information. 

This is where Security Information and Event Management (SIEM) can help discover key elements of NDB compliance obligations for all industries.

What is SIEM? 


SIEM is the flashlight to find the problem under the rocks so you can fix it vs the bug spray that kills them off


In short, SIEM is software and services put in place to help organisations discover anomalies in your system that could be due to hacking including:


It works like this:



And for those who like a little more detail:



SIEM is often coupled with a Security Operations Centre (SOC) and software like EndPoint Detection & Response (EDR) so it gives the tools and people once SIEM has identified the problem.

Compliance


Going back to meeting the compliance requirements for the Notifiable Data Breach (NDB) Scheme, here is where SIEM comes into its own, allowing organisations to find the cause or source of the breach, the type of personal information that was accessed or disclosed and the number of individuals who were at risk of serious harm as a result of the breach through the following:



Tips


If you are looking to implement SIEM software in your organisation for compliance reasons or general security, here are some tips on the factors to be taken into consideration:

  • Define requirements for monitoring, reporting and auditing, consulting all relevant stakeholders before deploying a SIEM
  • Determine the scope of the SIEM – which parts of the infrastructure it will cover, necessary credentials, and log verbosity

  • Define audit data accessibility, retention, how to achieve data integrity, evidentiary rules, and disposal for historical or private data
  • Have an Incident Response plan in place


Ensure you leverage the SIEM to monitor and report on all of the following:

  • Access monitoring – transgression and anomalous access to key resources
  • Perimeter defences – status of perimeter defences, possible attacks and risky configuration changes
  • Resource integrity – critical network resources – status, backups, change management, threats and vulnerabilities


If you are interested in implementing a SIEM but are not sure where to start, FortiTech is here to help, just give us a call on 1300 778 078 or email