When a cyber-attack strikes, your ability to respond depends on one critical factor: visibility. Yet, most organisations can only see about 62% of their IT environments, leaving massive blind spots for attackers to exploit.

Despite this, 87% of businesses rate their threat detection capabilities as "good" or "excellent." That confidence often shatters when teams realise they’re missing the data they need to answer essential questions: How did they get in? What did they access?

In the latest episode of our CheckITout podcast, cyber security leaders Stephen Moore of Exabeam and Thomas Naylor of The Missing Link explored this disconnect and offered solutions to bridge the gap. Here’s what they shared and how you can apply it to your organisation.

Why blind spots persist

Many organisations don’t discover their visibility gaps until it’s too late—often when an external party, like law enforcement, informs them of a breach. By then, logs may have rolled over, expired, or been scattered across different systems, leaving the organisation piecing together fragments of the story.

Stephen Moore shared a common scenario: “The FBI might call and inform you that your business has been breached. At that moment, you realise your logs are incomplete, and you’re missing key details about what happened.” This lack of preparedness often stems from poor logging practices and outdated systems.

Three common reasons for these blind spots include:

  1. Incomplete logging: Key systems, such as authentication servers or endpoints, aren’t being monitored.
  2. Overwhelming alerts: Misconfigured systems flood analysts with noise, making it easy to miss real threats.
  3. Budget and resource constraints: Many teams lack the tools, expertise, or time to maintain effective logging practices.

Organisational context is often overlooked in logging strategies, further complicating the ability to prioritise alerts. For instance, during remote work periods, VPN logins may appear suspicious if context isn’t applied. By tailoring systems to your organisation’s unique activities, you can significantly reduce false positives and improve detection accuracy.
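One way to apply that organisational context in practice, as an added example that is not code from the podcast or from The Missing Link: the VPN events, the context values and the thresholds below are all constructed for illustration, and `triage_vpn_logins` is a hypothetical helper. Without context every VPN login during a remote-work period would surface as an alert; with it, only logins that the context cannot explain reach an analyst.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed VPN authentication events (sample data, not from any real system).
VPN_EVENTS = [
    {"ts": "2024-03-12T08:05:00Z", "user": "alice", "country": "AU", "result": "success"},
    {"ts": "2024-03-12T08:07:00Z", "user": "bob",   "country": "NZ", "result": "success"},
    {"ts": "2024-03-12T03:30:00Z", "user": "carol", "country": "XX", "result": "success"},
    {"ts": "2024-03-12T09:00:00Z", "user": "dave",  "country": "AU", "result": "failure"},
    {"ts": "2024-03-12T09:01:00Z", "user": "dave",  "country": "AU", "result": "failure"},
    {"ts": "2024-03-12T09:02:00Z", "user": "dave",  "country": "AU", "result": "failure"},
    {"ts": "2023-11-20T08:10:00Z", "user": "erin",  "country": "AU", "result": "success"},
]

# Hypothetical organisational context an analyst maintains next to the detection rules.
ORG_CONTEXT = {
    # Window in which the whole workforce is expected to connect over the VPN.
    "remote_work_period": ("2024-03-01T00:00:00Z", "2024-03-31T23:59:59Z"),
    "expected_countries": {"AU", "NZ"},
    "failure_threshold": 3,
}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage_vpn_logins(events, ctx):
    """Return (alerts, suppressed): alerts are (event, reason) pairs an analyst should see;
    suppressed counts successful logins that the organisational context explains."""
    start, end = (parse_ts(t) for t in ctx["remote_work_period"])
    alerts, suppressed = [], 0
    failures = defaultdict(int)
    for ev in events:
        ts = parse_ts(ev["ts"])
        if ev["result"] == "failure":
            failures[ev["user"]] += 1
            if failures[ev["user"]] == ctx["failure_threshold"]:
                alerts.append((ev, "repeated VPN authentication failures"))
            continue
        if ev["country"] not in ctx["expected_countries"]:
            alerts.append((ev, "successful VPN login from outside expected countries"))
        elif not (start <= ts <= end):
            # Outside a declared remote-work period a VPN login is unusual for this organisation.
            alerts.append((ev, "VPN login outside declared remote-work period"))
        else:
            suppressed += 1  # context explains the login; no analyst time spent on it
    return alerts, suppressed
```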

A well-established Security Operations Centre (SOC) can help centralise and enrich these logs, enabling consistent visibility across your environment. As Moore aptly put it, “You can’t protect what you can’t see.”

Building the foundation: The pyramid analogy

Logging is often considered the foundational block of cyber security—a concept Moore likened to a pyramid. Without strong, centralised logging practices at the base, more advanced capabilities like anomaly detection and threat hunting become difficult or even impossible.

According to Naylor, “Good logging is about more than just collecting data. It’s about enriching that data, cutting down noise, and ensuring it’s meaningful and actionable.”

This is where a cyber security strategy becomes critical. A thoughtful strategy ensures logging practices align with your broader business goals, prioritising investments and building capabilities that evolve with your organisation’s needs.

Continuous service improvement plays a vital role here. Regularly reviewing and fine-tuning logging processes ensures your system adapts to evolving threats and operational changes.

The basics of effective event logging

A robust logging strategy doesn’t require expensive overhauls to get started. It’s about focusing on the essentials and building from there.

Here’s where to begin:


Proactive threat hunting: The next step

Once you’ve established strong logging practices, you can begin to proactively hunt for threats that might otherwise go unnoticed. Threat hunting goes beyond automated detection, relying on analysts to investigate potential risks based on behaviours and patterns.

For example, if news breaks about a specific type of attack, your team can investigate whether similar activity has occurred in your environment. This is where enriched logs and centralised data become invaluable.

If your organisation doesn’t have the resources to handle this in-house, Managed Detection and Response (MDR) services can provide the expertise and continuous monitoring needed to detect and respond to advanced threats in real time.

Practical steps for your organisation

Improving your cyber security visibility is achievable, even with limited resources. Start by:

  • Assessing your current state: Identify which systems are being logged and which aren’t.
  • Prioritising critical areas: Ensure your core systems, like endpoints and identity platforms, are covered first.
  • Implementing best practices: Use frameworks like the Australian Signals Directorate’s Essential Eight for guidance.
  • Continuously improving: Regularly revisit your logging and detection practices to adapt to changes in your organisation and the threat landscape.
  • Leveraging SOC and MDR services: Centralise your logging and ensure continuous monitoring through a trusted partner.
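A small way to make the first two steps measurable, as an added example that is not part of the original post: the asset inventory, the log-source timestamps and the `assess_coverage` helper are all constructed for illustration. It classifies each asset as covered, stale (it used to log, but the central platform has heard nothing recently, the "rolled over" case described earlier) or missing, and lists the critical gaps to close first.

```python
from datetime import datetime, timedelta, timezone

# Constructed asset inventory: which systems exist and how critical each one is.
ASSETS = {
    "dc01":      {"role": "domain controller", "critical": True},
    "vpn-gw":    {"role": "vpn gateway",       "critical": True},
    "ws-042":    {"role": "workstation",       "critical": False},
    "build-srv": {"role": "ci server",         "critical": True},
    "printer-3": {"role": "printer",           "critical": False},
}

# Constructed log-source health: last event time the central log platform received per asset.
# build-srv and printer-3 have never sent anything, so they do not appear here at all.
LOG_SOURCES = {
    "dc01":   "2024-03-12T09:58:00Z",
    "vpn-gw": "2024-03-12T09:59:00Z",
    "ws-042": "2024-03-09T17:20:00Z",   # silent for days: broken agent or expired logs?
}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess_coverage(assets, sources, now, max_silence=timedelta(hours=24)):
    """Classify every asset as covered, stale or missing and compute percentage coverage.
    'critical_gaps' lists the critical assets with no current logging, to prioritise first."""
    report = {"covered": [], "stale": [], "missing": []}
    for name in assets:
        last = sources.get(name)
        if last is None:
            report["missing"].append(name)          # never onboarded to central logging
        elif now - parse_ts(last) > max_silence:
            report["stale"].append(name)            # onboarded once, silent now
        else:
            report["covered"].append(name)
    report["coverage_pct"] = round(100 * len(report["covered"]) / len(assets), 1)
    report["critical_gaps"] = sorted(
        n for n in report["stale"] + report["missing"] if assets[n]["critical"]
    )
    return report


if __name__ == "__main__":
    now = parse_ts("2024-03-12T10:00:00Z")
    print(assess_coverage(ASSETS, LOG_SOURCES, now))
```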


Turning blind spots into insights

Cyber security is a continuous journey, not a destination. By addressing blind spots and building a culture of proactive detection, you can stay ahead of evolving threats.

At The Missing Link, we specialise in helping organisations like yours achieve this transformation. From logging and monitoring to 24/7 threat detection, our solutions ensure you’re never left in the dark. Ready to take control? Let’s talk.


Author

Louise Wallace