One thing that the SAPs require (especially if you have a mission critical/confidential risk assessment) is log review. Here is a quick takeaway for those of you who might not know what to look for.
http://www.darkreading.com/insiderthreat/security/attacks/showArticle.jhtml?articleID=226700346
Threat Data
Verizon Business’ latest Data Breach Investigations Report shows insiders as a growing threat — but increase comes from a selective data set
…
One lesson learned from the Verizon report: Check your logs. According to the report, 90 percent of the time, companies had logs available from the time of the incident, but only managed to discover breaches in five percent of cases. “We have little doubt … that if the organizations we’ve studied had tuned their systems to alert on abnormalities like this and actually looked into them when alarms went off, that five percent [of discovered breaches] would be a lot higher,” Verizon stated in the report.
Finding evidence of an attack is easier when you know there has been a breach, but Verizon points to three flags in log files that indicate an attack has happened: a large increase in logged data, entries in the log that are abnormally long, or an abrupt decrease in log data. Rather than searching for exact signatures in the logs — the proverbial needle in a haystack — look for the major characteristics, the company advises.
“It cannot be a pleasant experience to learn that the six months of log data you’ve been collecting contained all the necessary indicators of a breach,” Verizon says in the report, adding, “the value of monitoring — perhaps we should say ‘mining’ — logs cannot be overstated. The signs are there. We just need to get better at recognizing them.”
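The three flags Verizon describes (a surge in log volume, an abrupt drop, and abnormally long entries) can be checked mechanically. The script below is an added illustration, not code from Verizon or Dark Reading; it assumes syslog-style lines that begin with a `YYYY-MM-DD HH:MM:SS` timestamp and uses constructed sample lines.

```python
"""Flag the three log anomalies the Verizon report names: a surge in log
volume, an abrupt drop in volume (including a window with no entries at
all), and abnormally long entries."""
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data, not real logs: 10:02 carries a burst plus one
# oversized request line, and 10:04 is completely silent.
SAMPLE_LOG = "\n".join(
    [f"2010-10-06 10:00:{s:02d} sshd[1]: Accepted publickey for alice" for s in (5, 20, 40)]
    + [f"2010-10-06 10:01:{s:02d} sshd[1]: Accepted publickey for bob" for s in (1, 30, 50)]
    + [f"2010-10-06 10:02:{s:02d} httpd: GET /index.html 200" for s in range(0, 60, 3)]
    + ["2010-10-06 10:02:59 httpd: GET /" + "A" * 400 + " 414"]
    + [f"2010-10-06 10:03:{s:02d} sshd[1]: Accepted publickey for carol" for s in (2, 33)]
    + ["2010-10-06 10:05:10 cron: job done"]
)

def parse(log_text):
    """Yield (minute, line) pairs; the timestamp is assumed to be the first
    19 characters of each line in YYYY-MM-DD HH:MM:SS form."""
    for line in log_text.splitlines():
        if line.strip():
            ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
            yield ts.replace(second=0), line

def find_anomalies(log_text, volume_ratio=3.0, length_factor=5.0):
    """Return surge/drop minutes (as HH:MM) and over-long lines. Baselines are
    medians, so a single burst or giant line cannot hide itself by skewing
    the average, and empty minutes are counted as zero rather than skipped."""
    entries = list(parse(log_text))
    per_minute = Counter(minute for minute, _ in entries)
    first, last = min(per_minute), max(per_minute)
    counts = {}
    m = first
    while m <= last:  # fill gaps: a silent window is itself a warning sign
        counts[m] = per_minute.get(m, 0)
        m += timedelta(minutes=1)
    baseline = median(counts.values())
    typical_len = median(len(line) for _, line in entries)
    return {
        "surge": [m.strftime("%H:%M") for m, n in counts.items() if n >= baseline * volume_ratio],
        "drop": [m.strftime("%H:%M") for m, n in counts.items() if n <= baseline / volume_ratio],
        "long_entries": [line for _, line in entries if len(line) > typical_len * length_factor],
    }

if __name__ == "__main__":
    for kind, hits in find_anomalies(SAMPLE_LOG).items():
        print(kind, hits)
```

The thresholds are illustrative; in practice the baseline should come from a longer history than the window being judged, and any flagged minute still needs a human to read the lines behind it.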