Ensuring cybersecurity and operational efficiency is becoming increasingly important for corporate information systems. However, while the volume of data to be managed is growing and security requirements are becoming more complex, IT budgets are currently remaining at only moderate growth. In this article, we will explain the latest trends in SIEM (Security Information and Event Management) operations: how to utilize data pipeline products to smartly collect, transfer, and analyze vast amounts of data, along with the benefits of implementation. Based on industry trends and specific use cases, we will guide you from the current challenges to their solutions

​Current status and challenges in SIEM operation design

- The Gap Between Increasing Data Volume and IT Budgets

When considering the implementation of a SIEM, many companies struggle with the amount of data to be ingested. In reality, the data that needs to be managed is surging every year, while the increase in IT budgets remains gradual.

This indicates that the volume of data companies must manage is growing at a pace that significantly exceeds IT budgets. The background to this includes the spread of remote work, an increase in cyberattacks, and further strengthening of compliance, all of which are accelerating the rapid expansion of data volume.

In such a situation, a fundamental challenge arises: "We want to manage all data if possible, but it is difficult in terms of cost." This is because high-performance log analysis tools often charge based on data volume, necessitating practical operational ingenuity.

- The Problem of Data Utilization Silos

As the data sources to be collected diversify, "siloing"—a state where data operations become individually isolated—is prone to occurring at operational sites.

For example, when various connection and transfer methods such as cloud storage, endpoints, and various security products are mixed, individual agents must be introduced or different settings managed each time. As a result, overall optimization becomes difficult, leading to an increase in operational load and personnel costs.

- Demands for Flexible Collection, Analysis, and Transfer
​
Needs for data collection, analysis, and transfer are shifting toward those requiring higher speed and versatility. Nowadays, different data processing and masking are required for each purpose, such as "for analysis," "for auditing," and "for incident detection." Conventional individual development and script-based operations have limits in scalability and efficiency, which also hinders timely incident response.

Fundamental Challenges of SIEM Operations Solved by Data Pipelines
​
- What is Data Pipeline Products?

​"Data pipeline products" can centrally manage these operational challenges. A data pipeline seamlessly collects necessary data from various sources, performs deletion of unnecessary items, advanced processing, and masking, and then routes it to the appropriate analysis platform or storage depending on the purpose and priority.

A key feature is that they come standard with various protocol connectors (Syslog/REST API/Cloud, etc.) and are capable of real-time data processing and distribution. As a result, companies can move away from individual development and script-based operations, allowing for the integrated management of overall operations.

Benefits of Implementation for SIEM Operations

By introducing a data pipeline, the following benefits can be realized:

• Reduction of Data Volume and Cost Suppression: By excluding unnecessary items, more useful data can be utilized within the budget.
• Resolution of Operational Silos: Data collection, processing, and transfer are centralized, enabling overall optimization.
• Flexible Data Design: Processing rules and destinations can be defined for each purpose, and simultaneous real-time transfer to multiple systems is also achieved.

While SIEM operational costs and manual labor are significantly reduced, this also leads to the advancement of security operations themselves.

Use Cases: Replacement of OSS ETL
​​At one major corporation, challenges had arisen in operations using conventional OSS ETL tools, such as data loss on the scale of hundreds of GBs daily and delays in batch processing, which meant incident analysis took a long time. Furthermore, adding new data sources or making operational changes was based on script development, which carried a high risk of individual dependency and low scalability of the analysis platform.

Therefore, the company introduced a data pipeline (Cribl) for the purpose of flexible, real-time streaming data processing and reduction of operational man-hours. Through GUI-based operations, rapid connection and processing became possible, and they migrated to an environment where masking of personal information and log filters for each platform could be processed automatically in real-time.​

Results Gained from Data Pipeline Optimization 
​​
- Advanced Threat Detection and Data Utilization

What is important in SIEM operations is the prediction and early discovery of threats, followed by a rapid and comprehensive response. To achieve this, it is essential to appropriately collect vast and diverse data and process and utilize it according to each purpose. By optimizing the operation of data pipeline products, companies can promote overall operational optimization and level up their security operations.

Conclusion

The environment surrounding SIEM operations continues to evolve rapidly. While budgets and human resources are limited, data pipeline optimization leads to a fundamental resolution of operational challenges. By choosing a smart operational structure utilizing the latest products like Cribl, let’s achieve safer and more efficient cybersecurity.
​

1. The Increasing Number of Vulnerabilities and Evolving Paradigms in Vulnerability Management

​Traditionally, many organizations have relied on CVSS (Common Vulnerability Scoring System) scores to prioritize vulnerability management. Organizations typically addressed vulnerabilities with a score of 7 or higher, or aimed to patch all reported vulnerabilities whenever possible. This approach was feasible when the number of vulnerabilities was relatively low.

The urgency around vulnerability management increased significantly around 2014 due to prominent vulnerabilities such as Heartbleed in OpenSSL and Shell Shock in Bash, both of which allowed for easy exploitation from remote locations. These events highlighted the importance of vulnerability management and the need for timely patching.

For a few years following these incidents, the number of vulnerabilities remained manageable, allowing organizations to maintain their strategy of addressing all vulnerabilities. However, around 2017, the number of vulnerabilities began to rise exponentially. By 2019, the threat posed by ransomware had become severe. Vulnerabilities that were not addressed could lead to critical incidents, and the growing volume made it challenging for many organizations to keep up.

Many of the vulnerability management practices based on CVSS were established between 2014 and 2016. However, It is clear that the situation has significantly changed since then, as demonstrated by the increase in both the number and the growth rate of vulnerabilities.

​In response to these changes, the standard approach to vulnerability management is evolving. Rather than attempting to address all vulnerabilities or prioritizing solely based on a CVSS score of 7 or higher, the focus is shifting toward prioritizing "high-risk vulnerabilities." This approach involves considering the location and business value of the assets, and utilizing specialized solutions to effectively manage the limited resources available.

​2. Two Major Misconceptions About Vulnerabilities
 
Before discussing what constitutes a "high-risk vulnerability" that should be prioritized, it is important to address two common misconceptions about vulnerabilities.

Misconception 1: All risks are inherently dangerous and should be addressed.

Nearly 30,000 vulnerabilities are published annually. However, many of these vulnerabilities have not been publicly proven to be exploitable. Only a small fraction of vulnerabilities pose a real-world risk and have the means to be exploited.

Exploitable vulnerabilities can be categorized into various risk levels, ranging from those with documented attack methods and proof-of-concept (PoC) code to those that can be successfully exploited under specific conditions. Although rarely, some vulnerabilities allow easy attacks by any threat actor, most remain theoretical. Studies from various research organizations suggest that only about 3% of disclosed vulnerabilities pose real-world risks.

Of the nearly 30,000 vulnerabilities disclosed each year, only about 3% require urgent attention. Most other vulnerabilities are unlikely to be realistically exploited, reducing the need for immediate mitigation. This reflects the current approach to vulnerability management. If sufficient resources were available to address all vulnerabilities, the situation would be different. However, given the substantial workload faced by those responsible, it is crucial to prioritize responses to realistic risks while optimizing resource allocation.

Misconception 2: CVSS scores are an effective indicator for determining which vulnerabilities to address.

Another common misconception is that CVSS scores effectively differentiate between vulnerabilities that need attention and those that do not. Many organizations use a CVSS score of 7 as a threshold for action. However, a white paper published in 2018 from the organizations that develop CVSS states that using CVSS scores for prioritization is a misuse.

CVSS scores indicate the theoretical severity of vulnerabilities rather than their real-world risk. Historically, over half of all vulnerabilities have CVSS scores above 7. Prioritizing based on CVSS leads to almost all vulnerabilities requiring urgent attention, which is impractical. Conversely, some high-risk vulnerabilities with scores below 7 may be exploited in attacks and thus could be overlooked using this method.

​The concept of prioritizing high-risk vulnerabilities is exemplified by the launch of the Known Exploited Vulnerabilities (KEV) catalog by the Cybersecurity and Infrastructure Security Agency (CISA) in 2021. As a key agency promoting cybersecurity measures across the U.S. federal government, CISA implemented a significant shift in its vulnerability response approach in 2021. Instead of addressing all vulnerabilities, the revised policy now focuses on vulnerabilities that are actively exploited, which represent 3% of the total, as previously mentioned.

The KEV catalog, maintained by CISA, lists vulnerabilities known to have been exploited. From 2021, this catalog became the primary reference for prioritizing vulnerabilities, with a legal mandate for federal agencies to address listed vulnerabilities typically within three weeks. CISA's adoption of this focused approach underscores its importance as a shift in vulnerability management strategy in a leading cybersecurity nation.

3. The Importance of "Proof of Concept" (PoC) and "In The Wild" (ITW)

When evaluating vulnerability information disseminated by web media and other sources, it is crucial to focus on certain key information. Two significant keywords to note are "PoC" and "ITW."

PoC, or Proof of Concept, involves detailed explanatory information regarding the existence and potential exploitation of a vulnerability. It refers to the steps necessary to actually manifest the vulnerability. There is a significant gap in risk between the public announcement of a vulnerability and the release of a PoC. Once a PoC is available, it provides information on how the vulnerability can be exploited, greatly increasing the risk of it being used in attack activities. Therefore, it requires careful attention.

ITW, which stands for "exploit in the wild," refers to actual attack activities that have been observed using the vulnerability. This term is already commonly used as an idiomatic expression in the English-speaking countries. Even if a PoC exists, exploiting the vulnerability might require tricking a system administrator into specific actions, or the necessary settings for exploiting the vulnerability might not be enabled by default, making real-world exploitation impractical in many cases. However, when information indicating ITW is released by vendors or the media, it means the vulnerability has already been exploited in real attacks, necessitating maximum caution and prompt response.

​4. Considering the integrity of vulnerable assets
​
In addition to prioritizing realistic risks, there is a growing recognition that the nature of the assets containing the vulnerabilities should also be considered when addressing vulnerabilities.

For example, if a server with vulnerabilities is directly accessible from the internet, attackers can access it at any time, making it highly risky. In contrast, if the server is accessible only from within the organization, the risk is lower because attackers would need to infiltrate the organization's internal network first. If the device operates in a standalone mode and is not connected to any network, the risk of attack is almost negligible.

Additionally, the business value of the assets must be considered. For instance, whether the asset holds critical business information, personal data, or if it is just a test server significantly affects the risk evaluation. Prioritizing vulnerability mitigation should account for the nature of the asset.

5. Emerging Trends: SSVC, CVSS 4.0, and EPSS
 
Three significant keywords have emerged in recent years in response to the trends discussed earlier: "SSVC," "CVSS 4.0," and "EPSS." Let’s take a closer look at each.

• SSVC
  • The theoretical understanding of prioritizing vulnerabilities based on realistic risks and the nature of assets may be clear, but implementing this in organizational operations and rules might not be straightforward for everyone. SSVC (Stakeholder-Specific Vulnerability Categorization) is a framework designed to assist in this implementation. Developed to address the global challenge of having to deal with nearly all vulnerabilities if prioritization is based solely on CVSS scores, SSVC guides prioritization through decision trees.
  • The decision trees in SSVC include three types: "Supplier Tree," "Deployer Tree," and "Coordinator Tree," based on the user’s role. Most companies would use the "Deploy Decision Tree," which evaluates four broad criteria: presence of exploit code or PoC, the asset’s location, its usefulness to attackers, and the impact if the asset is compromised. By selecting from these criteria, the vulnerability’s priority for mitigation is output in four levels. SSVC is a framework requiring no specific tools, and several resources demonstrate decision tree structures graphically for better understanding. 
    • SSVC Demo Site
      • [https://certcc.github.io/SSVC/ssvc-calc/](https://certcc.github.io/SSVC/ssvc-calc/) ​​

​​

• EPSS
  • EPSS (Exploit Prediction Scoring System), developed by FIRST (the organization behind CVSS), uses a unique machine learning model to predict the likelihood of a vulnerability being exploited within the next 30 days. Comparable to a weather forecast, EPSS scores are accessible on websites like CVEDetails. The percentile ranking shows the position of the vulnerability's EPSS score relative to the entire dataset, indicating its risk level. However, the practical reliability of EPSS may vary, and it is currently advisable to use caution when making decisions based solely on its scores.
    As machine learning models continuously improve, EPSS is expected to become more accurate and applicable in real-world operations. Organizations should keep an eye on its development. 

In conclusion, risk-based prioritization is becoming a major trend in vulnerability management. As keywords such as SSVC and EPSS gain attention, organizations still reliant solely on CVSS for prioritization should consider transitioning to a risk-based approach to address challenges in vulnerability management effectively.

If you are interested in more details, please feel free to contact us.

​SOURCE

1. Changing Perspectives on Data Protection
With the widespread adoption of cloud services, files are now stored not only within internal IT environments but also in SaaS and IaaS environments. This shift has introduced new challenges for corporate data security measures.

Traditionally, it was possible to prevent data leaks by monitoring the pathways through which files traveled, as organizations had a good grasp of where sensitive files were stored. However, with the proliferation of cloud services, the storage locations of files have diversified, making it difficult to keep track of and monitor confidential files. As a result, the approach to data protection has shifted from "monitoring pathways" to "protecting the data itself," known as data-centric security.

2. The Importance of File Visibility
PDF, Office documents, images, and other files can be easily manipulated or taken out if not properly managed, increasing the risk of data leaks due to human errors or internal misconduct. Therefore, it is essential to visualize and appropriately manage where and how these files are stored. Common causes of data breaches includes "mislabeling/mistransmission", "mistakeable removal/theft," and "loss/misdisposal”

3. The Challenges of Detecting Confidential Files
Methods such as "regular expressions," "keyword searches," and "machine learning" are often used to detect confidential files. However, these methods alone make it extremely difficult to accurately identify all sensitive files.

• Challenges of Regular Expressions and Keyword Searches
  • These techniques detect matches based on patterns without considering the context (confidentiality), which can result in stringent information protection policies being applied to non-confidential files, thus lowering work efficiency. When we tested these methods in-house, we found that the accuracy rate for classifying files as confidential or not was only about 20%.
  • Additionally, using regular expressions requires deep technical knowledge, such as the syntax of regular expressions, special characters (e.g. %, &, .*), nested structures, and negation conditions. Mistakes in the syntax can lead to unintended results. Such knowledge also depends on programming experience, making it challenging for beginners to utilize regular expressions.

 

• Challenges of Machine Learning
  • Machine learning leverages existing data as training data to enhance the detection rate of sensitive information. However, like regular expressions and keyword searches, it also has a tendency to detect data without considering the context. Moreover, it cannot discover new sensitive data that is not included in the training data.

4. What is DSPM?
DSPM (Data Security Posture Management) is a solution that incorporates the data-centric security approach to solve the challenges mentioned above and protect the data itself. The goal of DSPM is to "monitor the data itself and create an environment where data leaks are less likely to occur."

The components of DSPM functionality include:
 
    ① Data Discovery
    Scan storage in SaaS, IaaS, and on-premises environments
 
    ② Data Classification
    Visualize what kind of data is stored where
 
    ③ Data Risk Assessment
    Evaluate whether the data is being handled properly based on discovery and classification results
 
    ④ Leakage Detection and Prevention
    Detect and prevent activities suspected of causing data leaks

For instance, using DSPM solutions like Forcepoint, it is possible to detect confidential files with consideration to context and respond to new sensitive data. If you are interested in more details about the product, please feel free to contact us.

​In recent years, information leakage incidents involving SaaS platforms have increased. Due to human errors such as configuration mistakes, incidents caused by the exploitation of OAuth, and inadequacies in identity management, have also been observed. This article delves into real-world cases to deepen understanding of emerging threats and outlines effective measures to enhance SaaS security.

Table of Contents: 

1. Current Landscape of SaaS Security
2. Case Study 1: Midnight Blizzard’s Breach of Microsoft
3. Case Study 2: GitHub Token Leak in Software Development
4. Case Study 3: Slack Name Change Avoids Detection for Months
5. Conclusion

1. Current Landscape of SaaS Security
​The rapid adoption of remote work and distributed teams has led many organizations to transition from physical offices to cloud infrastructures. SaaS solutions have advanced significantly with the rise of generative AI tools such as ChatGPT, increasing dependency on SaaS products.
 
According to The 2023 State of SaaSOps Report by Better Cloud Monitor, companies use an average of 130 SaaS applications.
​ 
Security concerns related to SaaS are growing, with 37% of companies citing "SaaS application security" as their top concern during adoption, reflecting the heightened focus on SaaS security aspects.

​SaaS Usage and Security Risks
Key security concerns include initial security checks during SaaS adoption, tracking user activity logs, data protection, and misconfigurations in file-sharing settings. SaaS usage also entails risks such as insider threats, policy violations, malware infections, data leaks, unauthorized access, impersonation, and phishing attacks.
 
SaaS Shared Responsibility Model
 
Managing users and data falls under the responsibility of the SaaS user. Recently, accountability, including internal and stakeholder reporting, has also become a user-side responsibility. Understanding risks and implementing appropriate measures is essential for secure SaaS usage. The following sections provide specific incident cases and actionable insights.

2. Case Study 1: Midnight Blizzard’s Breach of Microsoft
​
Overview
In late November 2023, threat actors used password spray attacks to compromise non production test environment accounts. By compromising these accounts, attackers gained access to Microsoft employee email accounts, including some containing management and executive communications, leading to the exfiltration of emails and attachments.

Key Causes

• Test environment accounts lacked sufficient security.
• Over-permissioned credentials in both test and production environments.
• Multi-factor authentication (MFA) was disabled on the compromised accounts, facilitating password spray attacks.
• OAuth application tokens were exploited, making malicious actions harder to detect.

Countermeasures

• Enable MFA and enforce stricter lockout and password complexity policies in test environments.
• Leverage ITDR (Identity Threat Detection and Response) for detecting compromised identities.
• Deploy SSPM (SaaS Security Posture Management) and CASB (Cloud Access Security Broker) to identify malicious OAuth applications.

 
Increase in attacks exploiting OAuth applications
In recent years, there has been an increase in attacks exploiting OAuth applications. Attackers trick users into entering their authentication credentials on a fake authentication screen that resembles the legitimate OAuth authentication page, thereby illegally obtaining OAuth access tokens. This is a form of phishing attack known as "consent phishing."
 
OAuth itself is a secure protocol. However, when exploited, it can have high attack persistence and is difficult to detect, making it important to exercise caution during implementation and operation.

4. Case Study 3: Slack Name Change Avoids Detection for Months

​Overview
Upon leaving a company, an employee changed their Slack icon to mimic Slackbot and altered their name using Unicode (“SlackbＯt”) to avoid their account being deleted. This allowed the account to remain active even after leaving, posing a risk of sensitive information leaks if users mistook it for a legitimate bot.

Key Causes

• Ineffective offboarding procedures.
• Shared accounts remained operational.
• Difficulty distinguishing malicious actors from legitimate tools like meeting bots.

Countermeasures

• Strengthen account management during normal operations, including offboarding account deletions and regular audits.
• Use IDaaS (Identity as a Service) solutions and conduct periodic account reviews.
• Employ UEBA (User and Entity Behavior Analytics) and ITDR to monitor SaaS-connected apps and detect suspicious behaviors.

​5. Conclusion
As SaaS continues to play a pivotal role in modern business, securing these platforms requires a proactive approach. By learning from real-world incidents and implementing robust measures such as MFA, ITDR, and CASB, organizations can significantly mitigate risks and safeguard their SaaS environments.

We provide solutions specifically designed to mitigate the unique risks associated with SaaS environments. If you’d like to learn more, don’t hesitate to get in touch with us!

Related Products

• Menlo Security
  • Menlo Security isolates and executes all Web content in the cloud, enabling users to safely interact with websites, links and documents online without compromising security.
• Cato Networks
  • Cato Networks integrates CASB (Cloud Access Security Broker) to monitor and secure cloud services, DLP (Data Loss Prevention) to prevent data loss, and authentication features to ensure secure access control to resources. These features work together to protect sensitive data, control cloud app usage, and ensure that only authorized users can access critical systems.

Recently, SD-WAN, SASE, ZTNA, etc. have been attracting attention, and an increasing number of customers are considering introducing them.

This time, we will focus on the connection method between overseas bases and DC (data center) and explain the available connection methods.
​
Previously, when connecting to an on-premise DC environment from an overseas base, it was necessary to use a VPN or prepare a dedicated line.

In this article, we will discuss connection methods from overseas bases and how to consider them, including new technologies and connection methods.

We hope this will help you decide which connection method is best for your company.

Table of contents

• Characteristics, advantages and disadvantages of new connection methods such as SD-WAN, SASE, and ZTNA, and perspectives required for zero trust
• Summary of the features of each connection method: Dedicated line, SD-WAN, SASE, ZTNA
• SD-WAN, SASE, ZTNA and other connection methods and security
• How to choose between dedicated lines, SD-WAN, SASE, and ZTNA based on your communications environment
• summary

​

We have focused on and introduced the connection method from overseas bases to DC.
The ideas introduced in this article are just examples, so we hope that you will use them as a reference when considering the optimal connection method for your customers.
​