Enhancing Threat Detection in Enterprise Applications: Using SIEM and Cloud Logs for Proactive Defense

Enterprise applications are at the core of daily business operations. However, the spread of those applications across public clouds, private clouds, and on-premises systems has made threat detection increasingly complex. According to IBM’s Cost of a Data Breach Report 2024, 40% of breaches involved data stored across multiple environments, resulting in significant data visibility gaps and an average of 283 days to identify and contain such a breach.

Christophe Foulon, Founder of CPF Coaching LLC and a Security Coach at Quisitive, joins us on the NextLabs Expert Series to discuss Enhancing Threat Detection in Enterprise Applications: Using SIEM and Cloud Logs for Proactive Defense. He shares insights on optimizing SIEM solutions to detect and mitigate threats across enterprise applications and cloud environments, and on common blind spots in cloud-based detection and how to address them. The conversation also explores how analytics, automation, and better data integration can strengthen real-time threat monitoring at scale.

Christophe has over 18 years of experience in the technology and cybersecurity industry. He focuses on helping businesses manage their cybersecurity risks while minimizing friction, which leads to increased resilience and protects people and processes through a solid understanding of the technology involved. He has dedicated his efforts to enabling businesses to optimize their digital and cloud transformation to keep pace with the evolving threat landscape and ensure their organizations remain secure.

Read his insights below or listen to the podcast on Spotify. 

How can security teams optimize SIEM solutions to detect and mitigate threats in enterprise applications and cloud environments?

First, it starts with understanding what logs you need in order to get the right visibility to take the right action. So it starts with ensuring that you have an accurate inventory of your systems – whether those are internal systems, on-prem, cloud systems within a CSP environment, or all the SaaS systems that your organization might be working with. Those typically come in via a connector. So, you want to ensure that you have a connector for the logging and identity and access management – those types of decisions from your SaaS providers that feed into your SIEM.

From there, you want to look at how you normalize what needs to be an alert – what is normal based on the risk posture of the organization. So, for example, a multinational organization would expect users to log in from IPs all around the world. But if they don’t have a presence in Africa or the Middle East, logins in those regions shouldn’t be expected. So, they would want to highlight quickly that they’re not supposed to have logins in those regions and potentially block logins from those regions.  

Same thing goes for cloud providers and SaaS providers. If your organization doesn’t use a cloud storage solution that allows stakeholders to upload files to the cloud, you would want to make sure you block access to those types of SaaS applications unless they have been approved by the organization. So, once you start to see the type of cloud access that your organization needs, then you can alert on the anomalies or the unexpected aspects of those. 

So, looking more closely at evolving attack surfaces in the cloud, what are some common blind spots in cloud-based threat detection, and how can they be addressed?

I would say some of the common blind spots in cloud-based threat detection come from the fact that there are so many different signals that defenders need to look at. Each cloud has several layers – you have your identity layer, you have your permission layer, and then you have your data layer. So, being able to understand which user can use which application and access which data becomes an important component of your cloud-based strategy.  

But oftentimes, once you start to combine SaaS applications and logins from different applications, the connection from the endpoint to the identity using the service trying to access the data – oftentimes, connecting the dots between those is a challenge. So, sometimes organizations have to go out to other providers that really have grown to connect the dots between the identities of outside or SaaS providers and internal identities from your cloud providers. That way, you can more easily make that connection of who’s really trying to access that piece of data in the cloud using this ID – is this an internal stakeholder, or is this a compromised account that a threat actor is using to try to access the data? 

When it comes to staying ahead of threats, how can organizations leverage analytics and automation to enhance threat intelligence?

Well, it goes back to your inventory – understanding all of the applications within your technology stack that your organization uses and creating threat intelligence feeds and alerts that monitor activity in those areas. That way, teams can quickly evaluate whether a threat or a vulnerability in a particular piece of software will affect the organization. And if it does, they can quickly take action on what needs to be done – either by putting compensating controls in place for that application or potentially blocking access to it until the vulnerability has been remediated.

And tying it all together at scale – what are the biggest challenges when integrating multiple data sources for real-time threat monitoring?

You said it right there: once you start to integrate multiple sources and multiple feeds, you are going to have a large amount of data that you need to parse. So, you need to have a system that either allows you to segregate the logs from those different feeds or parse the specific fields you need from those logs for the important actions you are looking out for. And then, at scale, you need to be able to take some automated action when you see something irregular happening.

For example, if a user based in California is suddenly logging in from Sudan, that is an unexpected action and potentially an impossible travel scenario. That is a perfect situation that can be easily automated to disable the account access for that period of time, automatically generating an alert for the security team to investigate. While the stakeholder might not have access until the issue is resolved, it allows your organization to quickly try to mitigate the threat of a compromised account attempting to log in from another country.

Thank you very much, Christophe, for sharing these valuable insights with us. It's been an enlightening conversation, and we're grateful for your insights.
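The two detections Christophe describes – a login from a region where the organization has no presence, and impossible travel such as California followed by Sudan two hours later – can be expressed as a small rule set over normalized login events. The following is an added worked example written for this page; it is not code from the interview, from NextLabs, or from any SIEM product. It assumes a simple key=value log line format, a constructed lookup table standing in for GeoIP enrichment (a real SIEM would enrich from MaxMind or its own geo provider), a constructed list of countries where the business operates, and a 900 km/h plausibility threshold; the sample log lines are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple

# Constructed stand-in for a GeoIP enrichment table: ip -> (ISO country, lat, lon).
# Assumption: in production this comes from MaxMind or the SIEM's own enrichment.
GEO: Dict[str, Tuple[str, float, float]] = {
    "198.51.100.7": ("US", 37.77, -122.42),  # San Francisco, California
    "203.0.113.9": ("SD", 15.59, 32.53),     # Khartoum, Sudan
    "192.0.2.44": ("DE", 52.52, 13.40),      # Berlin, Germany
}

# Constructed baseline: countries where this hypothetical organization operates.
EXPECTED_COUNTRIES = {"US", "DE", "GB"}
MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner cruising speed (assumed threshold)
EARTH_RADIUS_KM = 6371.0

# Constructed sample log lines (assumed key=value format, UTC timestamps).
SAMPLE_LOG = """\
2024-05-01T08:00:00Z user=alice ip=198.51.100.7 action=login result=success
2024-05-01T10:00:00Z user=alice ip=203.0.113.9 action=login result=success
2024-05-01T08:00:00Z user=bob ip=198.51.100.7 action=login result=success
2024-05-01T22:00:00Z user=bob ip=192.0.2.44 action=login result=success
2024-05-01T09:00:00Z user=carol ip=203.0.113.9 action=login result=failure
"""


@dataclass
class Login:
    user: str
    ts: datetime
    ip: str


@dataclass
class Finding:
    rule: str     # which detection fired
    user: str
    action: str   # automated response the SIEM/SOAR playbook would take
    detail: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_logins(text: str) -> List[Login]:
    """Normalize raw lines into successful login events; failures are ignored
    here because travel is only meaningful between sessions that actually opened."""
    events: List[Login] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        if fields.get("action") != "login" or fields.get("result") != "success":
            continue
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append(Login(fields["user"], ts, fields["ip"]))
    return events


def evaluate(logins: List[Login]) -> List[Finding]:
    """Apply the region allowlist and impossible-travel rules per user."""
    findings: List[Finding] = []
    by_user: Dict[str, List[Login]] = {}
    for ev in sorted(logins, key=lambda e: (e.user, e.ts)):
        by_user.setdefault(ev.user, []).append(ev)

    for user, events in by_user.items():
        prev = None
        for ev in events:
            geo = GEO.get(ev.ip)
            if geo is None:
                # Cannot reason about location; surface it rather than silently skip.
                findings.append(Finding("unresolved_ip", user, "alert", f"no geo data for {ev.ip}"))
                prev = None
                continue
            country, lat, lon = geo
            if country not in EXPECTED_COUNTRIES:
                findings.append(Finding("unexpected_region", user, "alert",
                                        f"login from {country} via {ev.ip}"))
            if prev is not None:
                _, plat, plon = GEO[prev.ip]
                km = haversine_km(plat, plon, lat, lon)
                hours = (ev.ts - prev.ts).total_seconds() / 3600.0
                # Guard the zero-interval case before dividing: two distant logins at
                # the same instant are impossible travel, not a division error.
                if km > 0 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
                    findings.append(Finding("impossible_travel", user, "disable_account,alert",
                                            f"{km:.0f} km in {hours:.1f} h from {prev.ip} to {ev.ip}"))
            prev = ev
    return findings


def run_sample() -> List[Finding]:
    return evaluate(parse_logins(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.rule:18} user={f.user:6} action={f.action:22} {f.detail}")
```

On the constructed input, alice produces both findings (Sudan is outside the baseline, and roughly 13,500 km in two hours is far beyond 900 km/h), so the playbook disables the account and raises an alert; bob's San Francisco to Berlin trip over fourteen hours is well under the threshold and stays silent; carol's failed login never enters the travel logic. The ordering step matters in a real pipeline, since events from several connectors rarely arrive in time order.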

Discover more from NextLabs’ Expert Series, featuring industry experts in educational and thought-provoking conversations on Data-Centric Security, Zero Trust Architecture, Safeguarding AI, and more.
