Actual posts from #therealMSIEM

Security Information and Event Management (SIEM) solutions are often seen as complex and expensive. However, their true value lies in mitigating financial, compliance, and third-party risks through early detection and automation. This article examines practical use cases that demonstrate how SIEM strengthens security operations and prevents costly incidents.

In this article we draw on actual security projects, both planned engagements and incident-response work, to give a detailed account of how MSIEM and MDR services address data exfiltration and sophisticated phishing attacks, using real-world scenarios and practical implementations.

Many organizations grapple with the challenges of detecting and preventing data exfiltration and phishing attacks. This post looks at four case studies where existing security measures fell short, and describes how we implemented solutions using MSIEM and MDR, including the steps taken and the results achieved.

Understanding the role of SIEM


When discussing security, it’s easy to get lost in technical details, but at its core, SIEM is about managing risks before they turn into full-blown crises. Whether you’re dealing with cyberattacks, compliance regulations, or third-party security concerns, SIEM plays a critical role in keeping things under control.

Every organization faces risks, and those risks can be treated, accepted, managed, or ignored. Ignoring them is rarely a good strategy—just ask any company that has faced a major data breach. Proactively managing risk is where SIEM excels. It allows organizations to spot and mitigate threats before they escalate into security incidents that cost money, damage reputations, or lead to compliance penalties.

We use our MSIEM service to support a number of customer needs:

  • Reducing Financial Risk. Security breaches aren’t just technical headaches—they come with hefty financial consequences. Recovering from an incident is expensive, especially if it goes undetected for too long. SIEM helps by catching threats early, reducing the likelihood of prolonged exposure and minimizing recovery costs. Automated processes also lighten the load on security teams, ensuring faster and more cost-effective responses.

  • Ensuring Compliance. For organizations bound by regulations like PCI DSS 4.0, compliance isn’t optional. SIEM helps automate security monitoring, ensuring systems stay within defined security parameters. It also simplifies reporting by tracking access controls, configuration changes, and potential violations—so when regulators come knocking, you’re ready with documented proof of security best practices.

  • Managing Third-Party Risks. Even if your internal security measures are solid, third-party relationships introduce additional risks. Clients, partners, and regulators increasingly expect proof that your security practices meet industry standards. A well-implemented SIEM solution provides visibility into potential threats stemming from external sources and ensures you’re prepared for audits from regulatory bodies like APRA, ASIC, or DSS.

Let’s look at four past projects:

Use case #1: Detecting compromised credentials

One of the most persistent threats to financial security is account compromise, particularly within business email environments. Attackers routinely exploit stolen credentials to manipulate financial processes, often by redirecting payments or modifying invoice details. Incidents involving compromised Microsoft 365 accounts have led to substantial financial losses worldwide, and fraudulent forwarding rules, unauthorized access to sensitive emails, and payment fraud schemes can have devastating effects on organizations.

dotSec’s challenge was to establish a robust monitoring framework capable of detecting and preventing these attacks before financial transactions were affected. SIEM was used to track suspicious account activity and alert security teams in real time.

Scenario

A company’s finance team is targeted by attackers attempting payment fraud via compromised Microsoft 365 accounts.

How SIEM Helps

  • Monitors Microsoft 365 audit logs for newly created rules and filters, and for newly created (sometimes oddly named) folders.

  • Flags suspicious rules, such as forwarding emails with “invoice” in the subject line to an external account.

  • Alerts security teams to fraudulent activity before a financial transaction occurs.
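The inbox-rule check described in the bullets above, written out as an added example (this is not dotSec’s own detection content or Splunk search). It takes records shaped like Microsoft 365 unified audit log entries for New-InboxRule and Set-InboxRule, and raises an alert when a rule forwards or redirects mail outside the tenant, filters on payment-related subject words such as “invoice”, or hides the matching mail from the mailbox owner. The internal domain, the watch-list of subject words and the sample records are all constructed for the example.

```python
from typing import Iterable, Optional

# Mail domains owned by the monitored tenant (assumed value for this example).
INTERNAL_DOMAINS = {"example.com.au"}
# Inbox-rule parameters that copy or divert matching mail to another recipient.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Subject words that payment-fraud rules commonly filter on (assumed watch list).
SUSPICIOUS_SUBJECT_WORDS = {"invoice", "payment", "remittance"}
# Unified audit log operations that create or change an inbox rule.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}


def _split_list(value: str) -> list:
    """Rule parameters arrive as ';'-separated strings; return the non-empty items."""
    return [item.strip() for item in value.split(";") if item.strip()]


def _is_external(recipient: str) -> bool:
    """True unless the recipient is an address in one of the tenant's own domains."""
    if "@" not in recipient:
        return True  # unresolved display name: treat as external until proven otherwise
    return recipient.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS


def _rule_parameters(record: dict) -> dict:
    """Flatten the audit record's [{Name, Value}, ...] parameter list into a dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def analyse_record(record: dict) -> Optional[dict]:
    """Return an alert for a suspicious inbox-rule change, or None for benign records."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    params = _rule_parameters(record)
    reasons = []

    external = []
    for name in FORWARDING_PARAMS:
        external += [t for t in _split_list(params.get(name, "")) if _is_external(t)]
    if external:
        reasons.append(f"forwards mail to external recipient(s) {external}")

    subject_words = {w.lower() for w in _split_list(params.get("SubjectContainsWords", ""))}
    subject_hits = subject_words & SUSPICIOUS_SUBJECT_WORDS
    if subject_hits:
        reasons.append(f"filters on subject words {sorted(subject_hits)}")

    hides = any(params.get(flag, "").lower() == "true" for flag in ("DeleteMessage", "MarkAsRead"))
    if hides:
        reasons.append("marks as read or deletes matching mail, hiding it from the mailbox owner")

    if external:
        severity = "high" if subject_hits else "medium"
    elif subject_hits and hides:
        severity = "medium"
    else:
        return None
    return {
        "time": record.get("CreationTime"),
        "user": record.get("UserId"),
        "operation": record["Operation"],
        "rule": params.get("Name", "<unnamed>"),
        "severity": severity,
        "reasons": reasons,
    }


def scan(records: Iterable[dict]) -> list:
    """Run analyse_record over a batch of audit records and keep only the alerts."""
    return [alert for alert in map(analyse_record, records) if alert]


# Constructed sample records in the shape of Microsoft 365 unified audit log entries.
SAMPLE_AUDIT_RECORDS = [
    {   # rule planted on a compromised accounts-payable mailbox
        "CreationTime": "2024-05-01T02:14:09", "Operation": "New-InboxRule",
        "UserId": "ap.clerk@example.com.au",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "SubjectContainsWords", "Value": "invoice;remittance"},
            {"Name": "ForwardTo", "Value": "billing.desk7@mail.example"},
            {"Name": "MarkAsRead", "Value": "True"},
        ],
    },
    {   # legitimate rule: a weekly report forwarded to a colleague in the same tenant
        "CreationTime": "2024-05-01T06:30:00", "Operation": "Set-InboxRule",
        "UserId": "analyst@example.com.au",
        "Parameters": [
            {"Name": "Name", "Value": "Weekly report"},
            {"Name": "SubjectContainsWords", "Value": "weekly report"},
            {"Name": "ForwardTo", "Value": "team.lead@example.com.au"},
        ],
    },
    {"CreationTime": "2024-05-01T07:00:00", "Operation": "UserLoggedIn",
     "UserId": "analyst@example.com.au"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_AUDIT_RECORDS):
        print(f"[{alert['severity'].upper()}] {alert['user']} {alert['operation']} "
              f"rule {alert['rule']!r}: " + "; ".join(alert["reasons"]))
```

Only the first sample record produces an alert: it forwards externally and filters on “invoice”, so it is rated high. The internal forward is ignored, which is what keeps this kind of rule usable without a flood of false positives; a one-character rule name like “.” is itself a useful secondary signal to surface in the alert text.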

Outcome

The organization detects and stops financial fraud before funds are transferred to an attacker.

Use case #2: Data exfiltration detection

One of the most significant challenges in cybersecurity is detecting data exfiltration. This issue is not theoretical; major breaches such as those at HWLE (2.2 million files), Equifax (165 million contacts), Optus (10 million contacts), and NPD (2.9 billion contacts) demonstrate the scale and impact of such incidents. These events lead to class action lawsuits, regulatory fines, mandatory reporting obligations, and significant damage to company brands and valuations.

The task at hand was to develop an automated monitoring service capable of detecting indicators of data exfiltration activity without generating excessive false positive alerts. This required a deep understanding of what constituted normal behavior and the ability to identify deviations that signaled potential threats.

Scenario

An organization’s security team must identify stolen credentials before attackers gain full access.

How SIEM Helps

  • Detects user authentication attempts from unexpected locations (e.g., outside Australia).

  • Flags repeated failed login attempts with Error Code “50074”, which indicates an MFA failure.

  • Identifies patterns suggesting an MFA fatigue attack (i.e., excessive authentication prompts until the user mistakenly approves one).
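The three sign-in checks listed above, as an added example rather than dotSec’s own detection logic. It runs over constructed records in the shape of Entra ID sign-in events (user, timestamp, country, result code) and raises findings for a sign-in from outside the expected country, for five or more error 50074 results from one user inside a ten-minute window, and for the MFA-fatigue pattern of such a burst ending in a successful sign-in. The allowed country, the window and the threshold are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Countries from which sign-ins are expected (assumed; the post's example is Australia).
ALLOWED_COUNTRIES = {"AU"}
# The result code the post associates with MFA-related failures.
MFA_FAILURE_CODE = 50074
# Assumed tuning: how many prompts within what window count as a burst.
WINDOW = timedelta(minutes=10)
FAILURE_THRESHOLD = 5


def _group_by_user(records: list) -> dict:
    """Parse timestamps and return each user's events in chronological order."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append({**r, "ts": datetime.fromisoformat(r["ts"])})
    for events in by_user.values():
        events.sort(key=lambda e: e["ts"])
    return by_user


def detect(records: list) -> list:
    """Return (rule, user, detail) findings, at most one per rule and user."""
    findings = {}

    def add(rule, user, detail):
        findings.setdefault((rule, user), detail)

    for user, events in _group_by_user(records).items():
        for i, ev in enumerate(events):
            # Rule 1: authentication from an unexpected location.
            if ev["country"] not in ALLOWED_COUNTRIES:
                add("foreign_signin", user,
                    f"{ev['ts'].isoformat()} from {ev['country']} (code {ev['errorCode']})")
            # Events for this user in the trailing window, including the current one.
            recent = [e for e in events[:i + 1] if ev["ts"] - e["ts"] <= WINDOW]
            failures = [e for e in recent if e["errorCode"] == MFA_FAILURE_CODE]
            # Rule 2: repeated MFA failures.
            if ev["errorCode"] == MFA_FAILURE_CODE and len(failures) >= FAILURE_THRESHOLD:
                add("repeated_mfa_failures", user,
                    f"{len(failures)} x {MFA_FAILURE_CODE} within {WINDOW}")
            # Rule 3: MFA fatigue, a burst of prompts followed by an approval.
            if ev["errorCode"] == 0 and len(failures) >= FAILURE_THRESHOLD:
                add("mfa_fatigue", user,
                    f"success at {ev['ts'].isoformat()} after {len(failures)} prompts")
    return [(rule, user, detail) for (rule, user), detail in findings.items()]


def _event(ts, user, country, code):
    return {"ts": ts, "user": user, "country": country, "errorCode": code}


# Constructed sample sign-ins: alice is being prompted repeatedly and finally approves,
# bob signs in from abroad, carol has two ordinary MFA failures.
SAMPLE_SIGNINS = (
    [_event(f"2024-05-01T03:{m:02d}:00", "alice@example.com.au", "AU", 50074) for m in range(6)]
    + [_event("2024-05-01T03:07:00", "alice@example.com.au", "AU", 0)]
    + [_event("2024-05-01T09:15:00", "bob@example.com.au", "RU", 0)]
    + [_event(f"2024-05-01T10:{m:02d}:00", "carol@example.com.au", "AU", 50074) for m in range(2)]
)

if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_SIGNINS):
        print(f"{rule:24} {user:24} {detail}")
```

Alice triggers both the repeated-failure rule and the fatigue rule, which is the desired outcome: the first fires while the prompts are still going, the second confirms that one was approved and the account should be treated as compromised. Carol’s two failures stay below the threshold and generate nothing.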

Outcome

The security team receives alerts before data is exfiltrated, preventing unauthorized access.

Use case #3: Monitoring critical-system changes

Configuration errors (without malicious intent) on critical business systems can be as dangerous as an actual malicious attack. A simple misconfiguration—whether caused by human error or unauthorized activity—can inadvertently expose internal systems to external threats. Firewall changes, network rule misconfigurations, and improper access controls can all widen an organization’s attack surface.

To address this, organizations needed a method to continuously monitor system changes, ensuring that any unintended modifications were detected and corrected before they could be exploited. SIEM played a key role in identifying unusual administrative activity, allowing teams to respond before damage was done.

Scenario

An administrator makes a configuration change on a network firewall, unintentionally exposing sensitive VLANs to internet traffic.

How SIEM Helps

  • Tracks administrator activity logs and network traffic signals.

  • Detects misconfigurations affecting compliance scope (e.g., PCI DSS violations).

  • Identifies attackers attempting to exploit unintended network access.

  • Triggers alerts so administrators can revert misconfigurations before an attack occurs.
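A change-monitoring check for the firewall scenario above, added here as an example and not taken from dotSec’s service. It diffs two versions of a rule set, ties the differences to the administrator’s change event, and flags any added or modified allow rule whose source is not an internal network but whose destination overlaps a sensitive VLAN (here, an assumed PCI DSS cardholder-data VLAN and a management VLAN). The rule format, the network ranges and the change record are constructed for the example.

```python
import ipaddress

# Networks the organisation treats as internal (assumed values).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# VLANs that must never be reachable from untrusted sources (assumed; e.g. the PCI DSS CDE).
SENSITIVE_VLANS = {
    "VLAN20-CDE": ipaddress.ip_network("10.10.20.0/24"),
    "VLAN30-MGMT": ipaddress.ip_network("10.10.30.0/24"),
}


def _net(value: str) -> ipaddress.IPv4Network:
    """Translate a rule's address field into a network; 'any' means the whole internet."""
    return ipaddress.ip_network("0.0.0.0/0" if value.lower() == "any" else value, strict=False)


def _is_untrusted(src: ipaddress.IPv4Network) -> bool:
    """A source is untrusted unless it lies entirely inside an internal network."""
    return not any(src.subnet_of(n) for n in INTERNAL_NETWORKS)


def diff_policy(before: list, after: list) -> list:
    """Return ('added'|'modified', rule) for rules that are new or changed, keyed by name."""
    old = {r["name"]: r for r in before}
    changes = []
    for rule in after:
        prev = old.get(rule["name"])
        if prev is None:
            changes.append(("added", rule))
        elif prev != rule:
            changes.append(("modified", rule))
    return changes


def exposure_findings(change_event: dict, before: list, after: list) -> list:
    """Flag changed allow rules that open a sensitive VLAN to an untrusted source."""
    findings = []
    for kind, rule in diff_policy(before, after):
        if rule["action"].lower() != "allow":
            continue
        src, dst = _net(rule["src"]), _net(rule["dst"])
        if not _is_untrusted(src):
            continue
        exposed = [name for name, vlan in SENSITIVE_VLANS.items() if dst.overlaps(vlan)]
        if exposed:
            findings.append({
                "rule": rule["name"], "change": kind,
                "admin": change_event["admin"], "device": change_event["device"],
                "time": change_event["time"], "exposed_vlans": exposed,
                "detail": f"{rule['src']} -> {rule['dst']} {rule.get('service', 'any')} allowed",
            })
    return findings


# Constructed policy snapshots taken before and after an administrator's commit.
POLICY_BEFORE = [
    {"name": "allow-web", "src": "any", "dst": "10.10.50.0/24", "service": "tcp/443", "action": "allow"},
    {"name": "cde-admin", "src": "10.10.30.0/24", "dst": "10.10.20.0/24", "service": "tcp/22", "action": "allow"},
]
POLICY_AFTER = POLICY_BEFORE + [
    # harmless: more internet traffic to the DMZ
    {"name": "dmz-extra", "src": "any", "dst": "10.10.50.0/24", "service": "tcp/80", "action": "allow"},
    # the mistake: a /16 destination that swallows the CDE and management VLANs
    {"name": "temp-vendor-access", "src": "any", "dst": "10.10.0.0/16", "service": "any", "action": "allow"},
]
# Constructed administrator change record, as a SIEM would receive it from the firewall's audit log.
CHANGE_EVENT = {"time": "2024-05-01T11:42:00", "admin": "fw-admin", "device": "edge-fw-01", "action": "commit"}

if __name__ == "__main__":
    for f in exposure_findings(CHANGE_EVENT, POLICY_BEFORE, POLICY_AFTER):
        print(f"{f['time']} {f['device']} {f['admin']} {f['change']} rule {f['rule']!r}: "
              f"{f['detail']} -> exposes {', '.join(f['exposed_vlans'])}")
```

The broad /16 rule is caught because overlap, not equality, is tested against the sensitive ranges; the DMZ rule is equally “any”-sourced but touches nothing in scope and is left alone. Pairing the finding with the commit record gives the responder the who, when and where needed to revert the change quickly.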

Outcome

The security team is alerted before an attacker can exploit the misconfiguration, preventing a potential data breach.

Use case #4: Alerting to support vulnerability management

Security vulnerabilities are inevitable, but failing to address them in a timely manner is not.  Unattended vulnerabilities can lead to significant compliance violations and increased risk exposure. Many high-profile breaches have resulted from unpatched vulnerabilities that attackers exploited long after fixes were available. Regulations such as PCI DSS 4.0 demand timely remediation, but tracking vulnerability lifecycles across large infrastructures is a complex challenge.

dotSec’s goal was to create an automated monitoring and alerting system that ensured vulnerabilities were prioritized and patched within defined SLAs. SIEM was used to track scan results, monitor patching status, and provide early warnings on aging vulnerabilities before they became a security liability.

Scenario

An organization needs to ensure that all high-risk vulnerabilities are patched within the required timeframes.

How SIEM Helps

  • Tracks vulnerability scan results and Common Vulnerability Scoring System (CVSS) scores.

  • Monitors patching status against defined compliance SLAs (e.g., PCI DSS 4.0 requirements).

  • Flags critical vulnerabilities approaching or exceeding patching deadlines.

  • Prioritizes remediation based on risk severity and compliance impact.
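An added example of the SLA tracking described in the bullets above; it is not dotSec’s implementation. Each scan finding is mapped from its CVSS v3 base score to a severity band, given a remediation deadline from an assumed per-severity SLA table (the day counts are illustrative policy values, not a quotation of PCI DSS), and classified as patched, overdue, due soon or on track. Open findings are then ordered so that overdue items, PCI-scoped assets and higher scores come first. The finding identifiers and dates are constructed placeholders.

```python
from datetime import date, timedelta
from typing import Optional

# Remediation deadline by severity, in days (assumed policy values for this example).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Warn this many days before a deadline passes (assumed).
WARN_DAYS = 5
_STATUS_ORDER = {"overdue": 0, "due_soon": 1, "on_track": 2, "patched": 3, "informational": 4}


def cvss_severity(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


def assess(finding: dict, today: date) -> dict:
    """Attach severity, deadline, days remaining and status to one scan finding."""
    severity = cvss_severity(finding["cvss"])
    result = {**finding, "severity": severity, "deadline": None, "days_left": None}
    if severity == "none":
        return {**result, "status": "informational"}  # no SLA applies to a zero score
    deadline = date.fromisoformat(finding["first_seen"]) + timedelta(days=SLA_DAYS[severity])
    result["deadline"] = deadline.isoformat()
    if finding.get("patched_on"):
        return {**result, "status": "patched"}
    days_left = (deadline - today).days
    if days_left < 0:
        status = "overdue"
    elif days_left <= WARN_DAYS:
        status = "due_soon"
    else:
        status = "on_track"
    return {**result, "days_left": days_left, "status": status}


def prioritise(findings: list, today: date) -> list:
    """Assess all findings and order them: overdue first, then PCI scope, then CVSS score."""
    assessed = [assess(f, today) for f in findings]
    return sorted(assessed, key=lambda a: (_STATUS_ORDER[a["status"]],
                                           not a.get("in_pci_scope", False),
                                           -a["cvss"]))


def alerts(findings: list, today: date) -> list:
    """The subset worth paging on: anything overdue or about to be."""
    return [a for a in prioritise(findings, today) if a["status"] in ("overdue", "due_soon")]


# Constructed scan output; VULN-000x are placeholder identifiers, not real CVE numbers.
SAMPLE_FINDINGS = [
    {"id": "VULN-0001", "asset": "pos-gw-01", "cvss": 9.8, "first_seen": "2024-05-01", "in_pci_scope": True},
    {"id": "VULN-0002", "asset": "web-01", "cvss": 7.5, "first_seen": "2024-04-22"},
    {"id": "VULN-0003", "asset": "hr-db-01", "cvss": 5.3, "first_seen": "2024-05-10"},
    {"id": "VULN-0004", "asset": "web-02", "cvss": 8.1, "first_seen": "2024-04-01", "patched_on": "2024-04-20"},
    {"id": "VULN-0005", "asset": "pos-gw-02", "cvss": 9.1, "first_seen": "2024-05-05", "in_pci_scope": True},
]

if __name__ == "__main__":
    today = date(2024, 5, 20)  # fixed reporting date so the output is reproducible
    for a in prioritise(SAMPLE_FINDINGS, today):
        left = "" if a["days_left"] is None else f" ({a['days_left']:+d} days)"
        print(f"{a['status']:13} {a['severity']:8} {a['id']} on {a['asset']} due {a['deadline']}{left}")
```

Run with the fixed reporting date, the two PCI-scoped gateway findings come out overdue and at the top, the web server finding is due in two days, and the patched item sinks to the bottom; the “due soon” band is what gives the team its early warning before the SLA is actually breached.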

Outcome

Security teams address vulnerabilities before they cause compliance issues, reducing exposure to potential exploits.

Conclusions: SIEM is a business enabler

We’ve said it before: We are quite proud of our achievements and qualifications:

    1. dotSec has over 14 years of Splunk Enterprise experience, over 8 years of Splunk Enterprise Security experience, and over 25 years of implementation, integration, testing and assessment experience.

    2. dotSec deploys, services and manages PCI DSS-compliant Splunk infrastructure for clients in the retail, government and legal sectors, and we have references from those clients.

    3. The dotSec SIEM team includes experts with PCI DSS QSA, and ISO 27001 lead implementer and lead assessor certifications. It also includes certified Splunk Enterprise Security Administrators and staff holding CISA, CISM, CRISC and CDPSE certifications, a Master of Information Technology (Computer Networks and Information Security), a Master of Cyber Security and a Bachelor of Technology in Electrical & Electronics Engineering.

SIEM can be a pro-active business enabler that lets you set the terms, and control the costs, on which your security maturity is built. Give us a call and we can tell you more about the case studies we’ve outlined above, as well as many more, and show you how SIEM can help you do more business, more securely.