Capital One Data Breach Part 2: Why SIEM Matters
As we talked about in part 1 of this blog, Capital One Financial Corporation suffered a large data breach earlier this week. The breach affected over 100 million customers, exploiting credit card customer data and even social security numbers.
Capital One claims that the nefarious hacker exploited a "specific configuration vulnerability" in their infrastructure, though they don't elaborate on what the vulnerability was. An external security researcher reported the vulnerability to Capital One, which prompted an internal investigation that detected the incident. Along with the security tips mentioned in part 1, we can also examine how utilizing SIEM would have been beneficial in this situation.
What is SIEM?
SIEM provides real-time analysis of security alerts generated by applications and network hardware. Here are some key reasons why you need to deploy SIEM:
Regulatory standards (GDPR, NYDFS, OCIE, etc.)
Cybersecurity guidelines (such as ISO27001, NIST, CIS)
Log management and retention
Continuous monitoring and incident response
Machine learning technology is used to apply correlation algorithms that systematically transform raw data into useful information. SIEM efficiently provides statistical analysis of data to identify anomalies, patterns, and trends which might indicate a current or future security risk. Log file and alert data is rapidly ingested, parsed, normalized, indexed and enriched using relevant third-party data.
How SIEM Would Have Helped
SIEM would have provided Capital One with a leg up through the analysis of patterns and trends, enabling the corporation to know whether it was susceptible to current or future security risks. When Capital One was impacted, with SIEM in place, the organization would have been alerted to the compromise based on suspicious activity. The Computer Security Response Team then immediately jumps into action, taking the following remediation steps:
A full anti-malware sweep of the organization’s corporate infrastructure is completed.
All logs associated with the compromised account are retrieved using a Security Information and Event Management (SIEM) tool.
By analyzing the SIEM logs, the Response Team gains detailed records on every command and/or program launched by the intruder. This allows for immediate lock-down of any potentially vulnerable areas.
A SIEM does the work for you - it collects and aggregates all the relevant data in a form that helps your analysts quickly spot suspicious behavior that requires further investigation or an attack in progress that needs to be stopped.
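To make the "ingest, parse, normalize, index, enrich, correlate" pipeline and the "retrieve all logs for the compromised account" step concrete, here is an added example in Python. It is not code from the original post and it is not any vendor's SIEM; the log lines, the source formats (a host auth log and a JSON audit log from a hypothetical cloud storage API), the IP reputation feed and the account names are all constructed for illustration. The correlation rule it applies is one simple pattern of the kind a SIEM would run: one account reading from several distinct data stores in a short window, with the source IP enriched from third-party data.

```python
"""Minimal SIEM-style pipeline: ingest -> normalize -> enrich -> index -> correlate."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from two sources (not real data from any organization):
# a host auth log and a JSON audit log from a hypothetical cloud storage API.
RAW_LOGS = [
    ("authlog", "2019-07-19T02:10:05Z sshd[1042]: Accepted publickey for svc-backup from 203.0.113.7"),
    ("cloudapi", '{"time":"2019-07-19T02:11:00Z","user":"svc-backup","event":"ListStores","srcIp":"203.0.113.7"}'),
    ("cloudapi", '{"time":"2019-07-19T02:11:30Z","user":"svc-backup","event":"ReadObject","srcIp":"203.0.113.7","store":"customer-profiles"}'),
    ("cloudapi", '{"time":"2019-07-19T02:12:10Z","user":"svc-backup","event":"ReadObject","srcIp":"203.0.113.7","store":"card-applications"}'),
    ("cloudapi", '{"time":"2019-07-19T02:13:00Z","user":"svc-backup","event":"ReadObject","srcIp":"203.0.113.7","store":"id-archive"}'),
    ("cloudapi", '{"time":"2019-07-19T02:20:00Z","user":"alice","event":"ReadObject","srcIp":"198.51.100.2","store":"reports"}'),
    ("cloudapi", '{"time":"2019-07-19T02:21:00Z","user":"alice","event":"ReadObject","srcIp":"198.51.100.2","store":"reports"}'),
    ("authlog", "this line is malformed and must be skipped rather than crash the pipeline"),
]

# Constructed third-party enrichment feed (IP reputation labels), standing in for real threat intel.
THREAT_INTEL = {"203.0.113.7": "anonymizing-proxy-exit"}

AUTHLOG_RE = re.compile(r"^(\S+) sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize(source, line):
    """Parse one raw line into the common event schema; return None for lines we cannot parse."""
    try:
        if source == "authlog":
            m = AUTHLOG_RE.match(line)
            if not m:
                return None
            ts, user, ip = m.groups()
            return {"ts": parse_ts(ts), "user": user, "src_ip": ip, "action": "ssh_login", "resource": None}
        if source == "cloudapi":
            rec = json.loads(line)
            return {"ts": parse_ts(rec["time"]), "user": rec["user"], "src_ip": rec["srcIp"],
                    "action": rec["event"], "resource": rec.get("store")}
    except (ValueError, KeyError):
        return None  # malformed JSON, bad timestamp or missing field: drop, don't crash
    return None


def enrich(event):
    """Attach third-party context (here the constructed reputation feed) to a normalized event."""
    event["src_ip_label"] = THREAT_INTEL.get(event["src_ip"], "unknown")
    return event


def ingest(raw_logs):
    """Normalize and enrich every parseable line, then index by account. Returns (sorted events, index)."""
    events = []
    for source, line in raw_logs:
        ev = normalize(source, line)
        if ev is not None:
            events.append(enrich(ev))
    events.sort(key=lambda e: e["ts"])
    index = defaultdict(list)
    for ev in events:
        index[ev["user"]].append(ev)
    return events, index


def correlate(events, window=timedelta(minutes=10), threshold=3):
    """Correlation rule: one account reading from >= threshold distinct stores inside one time window."""
    alerts = []
    reads = defaultdict(list)
    for ev in events:
        if ev["action"] == "ReadObject":
            reads[ev["user"]].append(ev)
    for user, evs in reads.items():
        for i, start in enumerate(evs):
            in_window = [x for x in evs[i:] if x["ts"] - start["ts"] <= window]
            stores = {x["resource"] for x in in_window}
            if len(stores) >= threshold:
                alerts.append({
                    "user": user,
                    "first_seen": start["ts"],
                    "stores": sorted(stores),
                    "src_ip_labels": sorted({x["src_ip_label"] for x in in_window}),
                })
                break  # one alert per account; the analyst pivots to the account timeline from here
    return alerts


def account_timeline(index, user):
    """Every normalized event tied to one account, in order: the 'retrieve all logs for the compromised account' step."""
    return [(ev["ts"].isoformat(), ev["action"], ev["resource"], ev["src_ip"]) for ev in index.get(user, [])]


if __name__ == "__main__":
    all_events, by_user = ingest(RAW_LOGS)
    for alert in correlate(all_events):
        print("ALERT", alert)
        for row in account_timeline(by_user, alert["user"]):
            print("  ", row)
```

With the constructed input, only svc-backup trips the rule (three distinct stores within two minutes, from an IP the feed labels as a proxy exit), while alice's repeated reads of a single store do not. The per-account index is what lets the response team pull the full sequence of actions, from the SSH login onward, once an account is flagged.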