Hackers aren’t going to rob you overnight, so centralise that log data and check it every day
US-based cyber security intelligence platform LogRhythm is an industry leader. The company has built a platform based on next-generation SIEM (Security Information and Event Management), log management and endpoint analysis.
Before a talk given at Singapore's Red Dot Museum on Wednesday, e27 got the opportunity to sit down with LogRhythm Co-founder and CTO Chris Petersen to talk about the security strategies that companies should build into their business strategy. LogRhythm partners with companies like Dell, FireEye, Cisco and Bromium, so this was a great opportunity to learn from the big boys.
Below are the edited excerpts…
Do you notice any types of attack that are more common for SMEs, or that are more devastating?
Definitely IP theft. Right now, Silicon Valley is being bled dry by hackers. Anybody who is a startup should be concerned about industrial espionage.
We have big e-commerce here. Does that fall [under the risk of] IP theft?
If they are small, absolutely. Credit cards, cyber crime. [Companies should be] very concerned about that.
But a lot of these small startups generally do not put the defenses in place. So, cyber criminals try to steal someone’s invention and sell it on the black market. It’s pervasive. Companies in Silicon Valley are being robbed.
So how do you stop that?
Well you have to do the basics: Firewall and anti-virus. After that, you should probably invest in some monitoring service. If you can’t afford that, minimally, centralise your log data. Make sure you have somebody in IT who is reviewing your logs.
The nice thing about a small environment is it is easier to understand what is normal.
So, if a company is five people and all it does is centralise its logs — the record of who logged in when, from where and who accessed what — if someone looks at that daily, the company should be able to identify strange things in the environment because [the environment] is not that big.
I would say if I were thinking back to where we were 10 years ago, it is fundamentally important to look at your log data.
For SMEs, I would point them to the ELK stack; it is Elasticsearch and Kibana. It is an open-source package that gets you very effective visibility into your log data. It is a very good way for a small company to centralise data as well as quickly search and build dashboards based on what is happening in their environment.
Then get somebody to review [the logs] everyday.
Why the daily reviews?
Even if you are a five-person organisation, chances are somebody is not going to come in and rob you overnight. They are going to get on somebody's endpoint and try to find out where the source code is.
If somebody is going after a software startup, they are trying to get the source code. That is the IP, the value. If it is an e-commerce company, it will be the database with credit cards, email address, passwords and all that.
To get to the data of interest takes some time because when they get into the environment, they have no idea what is what. And when they are [trying to figure that out] they are going to make noise.
That is why you look at the logs. Because you are going to see… “Why is Joe’s system scanning and touching other systems?” And that will be a tip-off, “I think his endpoint is compromised.” Then you can get it off the network and the source code is secure.
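The "why is Joe's system touching other systems?" check Petersen describes is easy to script once the logs are centralised. The following is an added example written for this page; it is not code from the interview, from LogRhythm or from e27. It assumes a made-up key=value connection-log format (the line layout, host names, users and addresses are all constructed for illustration), builds a per-host baseline of destinations seen during a quiet week, and then flags any host that reaches a number of never-before-seen destinations in a single day.

```python
"""Daily review: flag endpoints that suddenly fan out to new internal systems.

Added example for this page, not LogRhythm's or e27's code. The log format
below is hypothetical; adapt LINE_RE to whatever your firewall or host logs
actually emit once they are centralised (e.g. in ELK).
"""
import re
from collections import defaultdict

# Hypothetical one-line-per-connection format: timestamp, logging host,
# then key=value fields. Lines that do not match are skipped, not fatal.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) conn src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) user=(?P<user>\S+)$"
)

# Constructed sample data: a "normal" week for a two-person shop.
BASELINE_LOGS = """\
2015-09-07T09:01:12 fw-1 conn src=10.0.0.11 dst=10.0.0.5 dport=22 user=joe
2015-09-07T09:02:40 fw-1 conn src=10.0.0.11 dst=10.0.0.6 dport=993 user=joe
2015-09-07T09:03:02 fw-1 conn src=10.0.0.12 dst=10.0.0.5 dport=22 user=alice
2015-09-07T09:05:19 fw-1 conn src=10.0.0.12 dst=10.0.0.6 dport=993 user=alice
2015-09-08T09:00:51 fw-1 conn src=10.0.0.11 dst=10.0.0.5 dport=22 user=joe
2015-09-08T09:04:33 fw-1 conn src=10.0.0.12 dst=10.0.0.6 dport=993 user=alice
"""

# Constructed sample data: today, Joe's laptop starts probing SMB on hosts
# it has never spoken to, while Alice looks the same as always. The last
# line is deliberate garbage to show the parser tolerating noise.
TODAY_LOGS = """\
2015-09-14T09:00:10 fw-1 conn src=10.0.0.11 dst=10.0.0.5 dport=22 user=joe
2015-09-14T09:00:11 fw-1 conn src=10.0.0.11 dst=10.0.0.20 dport=445 user=joe
2015-09-14T09:00:11 fw-1 conn src=10.0.0.11 dst=10.0.0.21 dport=445 user=joe
2015-09-14T09:00:12 fw-1 conn src=10.0.0.11 dst=10.0.0.22 dport=445 user=joe
2015-09-14T09:00:12 fw-1 conn src=10.0.0.11 dst=10.0.0.23 dport=445 user=joe
2015-09-14T09:01:45 fw-1 conn src=10.0.0.12 dst=10.0.0.5 dport=22 user=alice
this line is garbage the parser must tolerate
"""


def parse(text):
    """Yield one dict per well-formed log line; silently skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def build_baseline(text):
    """Map each source host to the set of destinations it normally reaches."""
    seen = defaultdict(set)
    for rec in parse(text):
        seen[rec["src"]].add(rec["dst"])
    return seen


def find_fan_out(baseline, text, new_dst_threshold=3):
    """Return sources that reached >= threshold destinations absent from baseline.

    A host with no baseline at all (first day on the network) is compared
    against an empty set, so it is flagged too; in a five-person shop a new
    machine appearing is exactly the kind of thing to look at.
    """
    today = defaultdict(set)
    users = {}
    for rec in parse(text):
        today[rec["src"]].add(rec["dst"])
        users[rec["src"]] = rec["user"]
    findings = []
    for src, dsts in today.items():
        new = dsts - baseline.get(src, set())
        if len(new) >= new_dst_threshold:
            findings.append({"src": src, "user": users[src], "new_dsts": sorted(new)})
    return findings


if __name__ == "__main__":
    for f in find_fan_out(build_baseline(BASELINE_LOGS), TODAY_LOGS):
        print(f"{f['user']}'s host {f['src']} touched {len(f['new_dsts'])} "
              f"new systems: {', '.join(f['new_dsts'])}")
```

Run daily against the previous day's logs, this prints one line for Joe's laptop and nothing for Alice. The threshold is the knob: set it from what a week of your own logs shows is normal, since in a small environment "normal" is a short list and anything outside it is worth a question.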
At what point do I tell my customers the company had a breach?
A company should tell their customers when they could have been impacted by the breach. By breach, I mean customer data has been stolen. Some real risk.
If the company feels like, as a result of this data breach, customers have some risk, then I think they have some obligation to tell them. But within a reasonable time frame.
The reason why I say reasonable time frame is [the company] may want to bring in law enforcement to investigate. That might take time and if the company tells customers about it, then it might tip off the cybercriminals and compromise the investigation. But that timetable should be [in] weeks.
If somebody got into the network, you saw them and got them out of the network before data was stolen there is no reason to go tell [customers] about it.
That stuff happens every day.
One place where a startup might struggle compared to the big boys is incident response. What is a good management strategy for an effective incident response protocol?
I think if you are an SME and you want to be better prepared for security incident response, my general advice is to identify someone in your organisation and have them become responsible for managing the incident response internally. They can be the point of management for an identified security incident.
This person doesn't even need to be technical. [It should be] someone who is process oriented. It could be the CFO, the CEO or the Head of Operations. The person should have broad reach across the organisation, where they minimally understand what the security incident is and who internally should get involved to help stop it.
Then, I would recommend having a trusted partner on call to support you — and outsource that. There are a lot of companies that will do retained incident response services. [Companies can] buy small blocks. Even we do this.
For example, “I’m going to buy eight hours of incident response on retainer.” And then the company knows it can call us and we can come in to help.
Most organisations can't do this internally, so the key thing is to have somebody to call when needed, and have that lined up in advance. Then have someone internally who can manage that relationship.
Switching gears a bit, do you actively look into startup acquisition?
We do but we haven’t done any acquisitions. That is not to say that we wouldn’t.
The reason that we have not is because acquisitions are very hard to do and to do well. Especially if you are not a company that is built to go do that all the time.
Also, we have built a very well integrated platform. One that is designed to work, as a whole, very well together. So, an M&A strategy can be in conflict with that platform strategy.
The software may be written in languages [we] don’t typically write in, it may follow architectural design principles that are different. So, it may take a long time to integrate the technology into the codebase so it is effective, works well, and the user experience is good.
So, for us, we would need to find technology that really aligns seamlessly. That’s what makes it difficult. We mostly focus on our own organic development.
Many of our companies cannot afford LogRhythm, are there any creative ways they can use what you offer?
Definitely go look at the ELK Stack we talked about earlier. LogRhythm products use a lot of those same technologies but add more refinement on top of it.
The other thing is to look at our freemium network-monitor product, which we will be launching globally in the near future. It is a full packet capture and Layer 7 flow product. The benefit is a small company can use it to monitor and get visibility into its Internet traffic.
It’s a great way to look at threats in the environment because any threat trying to steal something is going to transfer that data across your Internet connection. So, it gives you deep visibility.
Is there anything you would like to emphasise before we wrap this up?
In thinking about this, especially for your reader base, they really should be concerned about protecting their IP.
The post Companies should focus on IP protection: LogRhythm CTO Chris Petersen appeared first on e27.