Security Information and Event Management (SIEM) solutions are often seen as complex and expensive. However, their true value lies in mitigating financial, compliance, and third-party risks through early detection and automation. This article examines practical use cases, showing how we have used SIEM solutions for incident management and how SIEM strengthens security operations and prevents costly incidents.
We refer to actual security projects (both planned, and incident response) in this article, in order to provide a detailed account of how MSIEM and MDR solutions effectively address data exfiltration and sophisticated phishing attacks, using real-world scenarios and practical implementations.
Many organizations grapple with the challenges of detecting and preventing data exfiltration and phishing attacks. This post delves into four specific case studies where existing security measures fell short, allowing us to describe how we implemented solutions using MSIEM and MDR, including the steps taken and the results achieved.
When discussing security, it’s easy to get lost in technical details, but at its core, SIEM is about managing risks before they turn into full-blown crises. Whether you’re dealing with cyberattacks, compliance regulations, or third-party security concerns, SIEM plays a critical role in keeping things under control.
Every organization faces risks, and those risks can be treated, accepted, managed, or ignored. Ignoring them is rarely a good strategy—just ask any company that has faced a major data breach. Proactively managing risk is where SIEM excels. It allows organizations to spot and mitigate threats before they escalate into security incidents that cost money, damage reputations, or lead to compliance penalties.
We use our MSIEM service to support a number of customer needs:
Let’s look at four past projects:
One of the most persistent threats to financial security is account compromise, particularly within business email environments. Attackers routinely exploit stolen credentials to manipulate financial processes, often by redirecting payments or modifying invoice details. Incidents involving compromised Microsoft 365 accounts have led to substantial financial losses worldwide, and fraudulent forwarding rules, unauthorized access to sensitive emails, and payment fraud schemes can have devastating effects on organizations.
dotSec’s challenge was to establish a robust monitoring framework capable of detecting and preventing these attacks before financial transactions were affected. SIEM was leveraged to track suspicious account activity and alert security teams in real time.
A company’s finance team is targeted by attackers attempting payment fraud via compromised Microsoft 365 accounts.
Monitors Microsoft 365 audit logs for newly created inbox rules, filters and folders (the folders are often oddly named).
Flags suspicious rules, such as forwarding emails with “invoice” in the subject line to an external account.
Alerts security teams to fraudulent activity before a financial transaction occurs.
The organization detects and stops financial fraud before funds are transferred to an attacker.
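The inbox-rule check described above, as an added example that is not part of the original post or of dotSec’s service. The record layout is a constructed, simplified version of the Exchange entries in the Microsoft 365 unified audit log (an Operation plus a list of Name/Value Parameters named after the New-InboxRule cmdlet parameters); the sample records, the internal domain list and the finance keyword list are all assumptions for the example.

```python
"""Flag suspicious Microsoft 365 inbox rules from audit-log style records.

Added illustration, not dotSec's detection content. Record shape is a simplified,
constructed version of unified-audit-log Exchange entries; the data is invented.
"""

INTERNAL_DOMAINS = {"example.com"}                        # assumption: the organisation's own domains
FINANCE_KEYWORDS = {"invoice", "payment", "remittance"}   # subject words payment-fraud rules target
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}

# Constructed sample records (not real log data).
SAMPLE_RECORDS = [
    {"UserId": "alice@example.com", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice"},
                    {"Name": "ForwardTo", "Value": "smtp:finance.team@attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"UserId": "bob@example.com", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"UserId": "carol@example.com", "Operation": "Set-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Archive"},
                    {"Name": "SubjectContainsWords", "Value": "payment"},
                    {"Name": "ForwardTo", "Value": "smtp:carol.archive@example.com"}]},
]


def _params(record):
    """Collapse the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _external_targets(params):
    """Forward/redirect recipients whose domain is not one of ours."""
    targets = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in str(params.get(key, "")).split(";"):
            addr = addr.strip().lower()
            if addr.startswith("smtp:"):
                addr = addr[5:]
            if addr and addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS:
                targets.append(addr)
    return targets


def score_rule(record):
    """Return the list of reasons a rule looks suspicious (empty list = benign)."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    p = _params(record)
    reasons = []
    external = _external_targets(p)
    if external:
        reasons.append("forwards to external address " + ", ".join(external))
    subject = str(p.get("SubjectContainsWords", "")).lower()
    if any(k in subject for k in FINANCE_KEYWORDS):
        reasons.append(f"filters on finance keyword in subject: {subject!r}")
    if str(p.get("DeleteMessage", "")).lower() == "true":
        reasons.append("deletes matching messages (hides them from the mailbox owner)")
    name = str(p.get("Name", "")).strip()
    if len(name) <= 2:
        reasons.append(f"rule name is near-empty: {name!r}")
    return reasons


def find_suspicious_rules(records, min_reasons=2):
    """(user, reasons) for every rule that hits at least min_reasons indicators."""
    hits = []
    for r in records:
        reasons = score_rule(r)
        if len(reasons) >= min_reasons:
            hits.append((r["UserId"], reasons))
    return hits


if __name__ == "__main__":
    for user, reasons in find_suspicious_rules(SAMPLE_RECORDS):
        print(user, "->", "; ".join(reasons))
```

Requiring two indicators keeps a single internal forwarding rule on an “invoice” subject (carol’s record) below the alert line, while an external forward combined with finance keywords, message deletion and an unnamed rule is raised immediately; tune `min_reasons` to your own false-positive tolerance.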
One of the most significant challenges in cybersecurity is detecting data exfiltration. This issue is not theoretical; major breaches such as those at HWLE (2.2 million files), Equifax (165 million contacts), Optus (10 million contacts), and NPD (2.9 billion contacts) demonstrate the scale and impact of such incidents. These events lead to class action lawsuits, regulatory fines, mandatory reporting obligations, and significant damage to company brands and valuations.
The task at hand was to develop an automated monitoring service capable of detecting indicators of data exfiltration activity without generating excessive false positive alerts. This required a deep understanding of what constituted normal behavior and the ability to identify deviations that signaled potential threats.
An organisation’s security team must identify stolen credentials before attackers gain full access.
Detects user authentication attempts from unexpected locations (e.g., outside Australia).
Flags repeated failed login attempts with Error Code “50074”, which indicates an MFA failure.
Identifies patterns suggesting an MFA fatigue attack (i.e., excessive authentication prompts until the user mistakenly approves one).
The security team receives alerts before data is exfiltrated, preventing unauthorized access.
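The three sign-in checks above (unexpected location, repeated error 50074, MFA fatigue), as an added example that is not code from the original post or from dotSec. The events are a constructed, simplified subset of Microsoft Entra sign-in log fields (`status.errorCode`, `location.countryOrRegion`); 50074 is the code the case study names as an MFA failure, while the home-country set, the thresholds and the ten-minute window are assumptions chosen for the example.

```python
"""Spot stolen-credential use and MFA-fatigue patterns in sign-in logs.

Added illustration, not dotSec's rule content. Records are a constructed,
simplified subset of Entra sign-in log fields; thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

HOME_COUNTRIES = {"AU"}                  # assumption: staff only sign in from Australia
MFA_FAILURE_CODE = 50074                 # the MFA failure code named in the case study
FAILED_LOGIN_THRESHOLD = 5               # assumed: this many 50074 failures per user = alert
FATIGUE_WINDOW = timedelta(minutes=10)   # assumed look-back before a successful sign-in
FATIGUE_PROMPTS = 4                      # assumed: failures in that window before a success


def _when(event):
    return datetime.fromisoformat(event["createdDateTime"].replace("Z", "+00:00"))


def _user(event):
    return event["userPrincipalName"]


# Constructed sample events (not real sign-in data): a stolen password is used from
# overseas to trigger MFA prompt after prompt until the user approves one.
_PROMPT_STORM = [
    {"createdDateTime": f"2024-05-20T01:{m:02d}:00Z", "userPrincipalName": "victim@example.com",
     "status": {"errorCode": MFA_FAILURE_CODE}, "location": {"countryOrRegion": "US"}}
    for m in (0, 2, 4, 6, 8)
]
SAMPLE_SIGNINS = _PROMPT_STORM + [
    {"createdDateTime": "2024-05-20T01:09:00Z", "userPrincipalName": "victim@example.com",
     "status": {"errorCode": 0}, "location": {"countryOrRegion": "US"}},
    {"createdDateTime": "2024-05-20T01:05:00Z", "userPrincipalName": "alice@example.com",
     "status": {"errorCode": 0}, "location": {"countryOrRegion": "AU"}},
]


def foreign_signins(events):
    """Events whose sign-in location is outside the home-country set."""
    return [e for e in events if e["location"]["countryOrRegion"] not in HOME_COUNTRIES]


def repeated_mfa_failures(events, threshold=FAILED_LOGIN_THRESHOLD):
    """Users with at least `threshold` sign-ins that ended in the MFA failure code."""
    counts = defaultdict(int)
    for e in events:
        if e["status"]["errorCode"] == MFA_FAILURE_CODE:
            counts[_user(e)] += 1
    return {u: n for u, n in counts.items() if n >= threshold}


def mfa_fatigue_candidates(events):
    """(user, success_time, prompt_count) where a success follows a burst of MFA failures."""
    by_user = defaultdict(list)
    for e in events:
        by_user[_user(e)].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=_when)
        for e in evs:
            if e["status"]["errorCode"] != 0:
                continue                      # only a success completes the fatigue pattern
            t = _when(e)
            prompts = sum(1 for x in evs
                          if x["status"]["errorCode"] == MFA_FAILURE_CODE
                          and t - FATIGUE_WINDOW <= _when(x) < t)
            if prompts >= FATIGUE_PROMPTS:
                hits.append((user, e["createdDateTime"], prompts))
    return hits


if __name__ == "__main__":
    print("foreign:", [(_user(e), e["createdDateTime"]) for e in foreign_signins(SAMPLE_SIGNINS)])
    print("repeated MFA failures:", repeated_mfa_failures(SAMPLE_SIGNINS))
    print("MFA fatigue:", mfa_fatigue_candidates(SAMPLE_SIGNINS))
```

The fatigue check is the one worth alerting on with the highest priority: a burst of MFA failures that ends in a success means the attacker now holds a session, so the alert should go out on the success event rather than waiting for a daily failure count.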
Configuration errors (without malicious intent) on critical business systems can be as dangerous as an actual malicious attack. A simple misconfiguration—whether caused by human error or unauthorized activity—can inadvertently expose internal systems to external threats. Firewall changes, network rule misconfigurations, and improper access controls can all widen an organization’s attack surface.
To address this, organizations needed a method to continuously monitor system changes, ensuring that any unintended modifications were detected and corrected before they could be exploited. SIEM played a key role in identifying unusual administrative activity, allowing teams to respond before damage was done.
An administrator makes a configuration change on a network firewall, unintentionally exposing sensitive VLANs to internet traffic.
Tracks administrator activity logs and network traffic signals.
Detects misconfigurations affecting compliance scope (e.g., PCI DSS violations).
Identifies attackers attempting to exploit unintended network access.
Triggers alerts so administrators can revert misconfigurations before an attack occurs.
The security team is alerted before an attacker can exploit the misconfiguration, preventing a potential data breach.
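The change-tracking step above, as an added example that is not part of the original post or of dotSec’s monitoring. The key=value audit-line format, the administrator names, the rule ids and the VLAN ranges treated as PCI DSS scope are all constructed for the example; a real deployment would parse the firewall vendor’s own change-audit log.

```python
"""Flag firewall rule changes that expose in-scope (e.g. PCI DSS) networks to the internet.

Added illustration, not dotSec's monitoring content. The audit-line format,
user names, rule ids and network ranges are constructed for the example.
"""
import ipaddress
import re

# Assumption: networks in PCI DSS scope that must never be reachable from the internet.
PROTECTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.21.0.0/24")]
# Assumption: everything outside these ranges is "outside the organisation".
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Source values that mean "anyone at all".
ANY_SOURCES = {"any", "0.0.0.0/0", "::/0"}

# Constructed sample audit lines (not real firewall output).
SAMPLE_AUDIT = """\
2024-05-20T09:58:12Z user=jsmith action=rule-add id=118 src=10.0.5.0/24 dst=10.20.0.0/24 dport=443 policy=allow
2024-05-20T10:02:40Z user=jsmith action=rule-add id=119 src=any dst=10.20.0.0/24 dport=any policy=allow
2024-05-20T10:03:05Z user=jsmith action=rule-add id=120 src=any dst=203.0.113.10/32 dport=443 policy=allow
2024-05-20T10:04:00Z user=mchen action=rule-modify id=44 src=198.51.100.0/24 dst=10.21.0.7/32 dport=3389 policy=allow
2024-05-20T10:05:00Z user=mchen action=rule-delete id=119
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict (timestamp stored under 'timestamp')."""
    ts, rest = line.split(" ", 1)
    fields = dict(_KV.findall(rest))
    fields["timestamp"] = ts
    return fields


def _source_is_external(src):
    """True when the source means 'anyone' or lies outside the internal ranges."""
    if src.lower() in ANY_SOURCES:
        return True
    try:
        net = ipaddress.ip_network(src, strict=False)
    except ValueError:
        return False          # named address objects would need resolving in a real deployment
    return not any(net.subnet_of(i) for i in INTERNAL_NETWORKS if net.version == i.version)


def _touches_protected(dst):
    """True when the destination overlaps any in-scope network."""
    try:
        net = ipaddress.ip_network(dst, strict=False)
    except ValueError:
        return False
    return any(net.overlaps(p) for p in PROTECTED_NETWORKS if net.version == p.version)


def find_exposures(audit_text):
    """One finding per allow-rule change that lets external sources into a protected network."""
    findings = []
    for line in audit_text.splitlines():
        f = parse_line(line)
        if f.get("action") not in ("rule-add", "rule-modify") or f.get("policy") != "allow":
            continue
        if _source_is_external(f["src"]) and _touches_protected(f["dst"]):
            findings.append({"rule": f["id"], "user": f["user"], "timestamp": f["timestamp"],
                             "src": f["src"], "dst": f["dst"], "dport": f["dport"]})
    return findings


if __name__ == "__main__":
    for x in find_exposures(SAMPLE_AUDIT):
        print(f"{x['timestamp']} rule {x['rule']} by {x['user']}: {x['src']} -> {x['dst']}:{x['dport']}")
```

Rule 119 (any source into the in-scope VLAN) is the misconfiguration the case study describes; rule 44 shows the same logic catching a narrower but still external-to-in-scope change. The deletion of rule 119 a few minutes later is the kind of self-correction an administrator makes once alerted, and a SIEM can close the alert automatically when it sees the matching `rule-delete`.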
Security vulnerabilities are inevitable, but failing to address them in a timely manner is not. Unattended vulnerabilities can lead to significant compliance violations and increased risk exposure. Many high-profile breaches have resulted from unpatched vulnerabilities that attackers exploited long after fixes were available. Regulations such as PCI DSS 4.0 demand timely remediation, but tracking vulnerability life cycles across large infrastructures is a complex challenge.
dotSec’s goal was to create an automated monitoring and alerting system that ensured vulnerabilities were prioritised and patched within defined SLAs. SIEM was used to track scan results, monitor patching status, and provide early warnings on ageing vulnerabilities before they became a security liability.
An organization needs to ensure that all high-risk vulnerabilities are patched within the required timeframes.
Security teams address vulnerabilities before they cause compliance issues, reducing exposure to potential exploits.
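The SLA-tracking step above, as an added example that is not code from the original post or from dotSec’s service. The findings are constructed scan-export rows; the per-severity SLA days and the five-day warning lead time are assumptions for the example, not values taken from PCI DSS 4.0 or any other standard.

```python
"""Track vulnerability age against remediation SLAs and raise early warnings.

Added illustration, not dotSec's service code. Findings are constructed; the
SLA days and warning lead time are assumptions, not PCI DSS values.
"""
from datetime import date

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}   # assumed per-severity remediation SLAs
WARN_BEFORE_DAYS = 5                                   # assumed: warn this many days before breach

# Constructed scan export (not real findings). first_seen = first scan that reported the issue.
SAMPLE_FINDINGS = [
    {"asset": "web-01", "title": "Weak TLS cipher (example)", "severity": "medium",
     "first_seen": "2024-04-01", "fixed": None},
    {"asset": "db-02", "title": "Outdated DBMS build (example)", "severity": "critical",
     "first_seen": "2024-05-15", "fixed": None},
    {"asset": "app-03", "title": "Missing OS patch (example)", "severity": "high",
     "first_seen": "2024-04-15", "fixed": None},
    {"asset": "app-04", "title": "Missing OS patch (example)", "severity": "high",
     "first_seen": "2024-04-01", "fixed": "2024-04-20"},
]


def assess(finding, today_iso):
    """Classify one finding as 'ok', 'warning', 'breached' or 'unclassified' against its SLA."""
    today = date.fromisoformat(today_iso)
    age = (today - date.fromisoformat(finding["first_seen"])).days
    sla = SLA_DAYS.get(finding["severity"].lower())
    if sla is None:
        return {"state": "unclassified", "age_days": age, "days_left": None}
    days_left = sla - age
    if days_left < 0:
        state = "breached"
    elif days_left <= WARN_BEFORE_DAYS:
        state = "warning"           # early warning: still inside SLA but about to run out
    else:
        state = "ok"
    return {"state": state, "age_days": age, "days_left": days_left}


def sla_report(findings, today_iso):
    """Open findings grouped by state, oldest first within each group, for SOC prioritisation."""
    report = {"breached": [], "warning": [], "ok": [], "unclassified": []}
    for f in findings:
        if f.get("fixed"):
            continue                # remediated findings drop out of the ageing report
        r = assess(f, today_iso)
        report[r["state"]].append({**f, **r})
    for group in report.values():
        group.sort(key=lambda x: -x["age_days"])
    return report


if __name__ == "__main__":
    for state, items in sla_report(SAMPLE_FINDINGS, "2024-05-20").items():
        for it in items:
            print(f"{state:8} {it['asset']:8} {it['severity']:8} age={it['age_days']}d left={it['days_left']}")
```

Run daily from the SIEM’s scan-result index, the "warning" group is the early-warning feed the case study describes: it lets the team act while a finding is still inside its SLA, and the "breached" group becomes the compliance exception list that would otherwise only surface at audit time.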
As we noted in a previous post, ASIC has commenced a lawsuit in the Federal Court of Australia, alleging that, “from March 2019 to 8 June 2023, FIIG Securities Limited failed to take the appropriate steps, as is required by an Australian Financial Services (AFS) licensee, to ensure it had adequate cyber risk management systems in place.”
As ASIC noted in the Concise Statement, “Had FIIG had the Missing Cybersecurity Measures in place, it would have detected suspicious activity on its network on or shortly after 19 May 2023, identified that its system had been compromised by on or about 23 May 2023, and prevented the threat actor from downloading some or all of the stolen data or, alternatively, had the opportunity to do so.”
We’ve said it before: We are quite proud of our achievements and qualifications:
SIEM can be a pro-active business enabler that will help you dictate the costs and terms upon which your security-maturity costs are incurred. Give us a call and we can tell you more about the case studies we’ve outlined above, as well as many more, and show you how SIEM can help you do more business, more securely.
Practical and experienced Australian ISO 27001 and ISMS consulting services. We will help you to establish, implement and maintain an effective information security management system (ISMS).
DotSec’s penetration tests are conducted by experienced, Australian testers who understand real-world attacks and secure-system development. Clear, actionable recommendations, every time.
dotSec stands out among other PCI DSS companies in Australia: We are not only a PCI QSA company, we are a PCI DSS-compliant service provider so we have first-hand compliance experience.
Web Application Firewalls (WAFs) are critical for protecting web applications and services, by inspecting and filtering out malicious requests before they reach your web servers.
Multi-Factor Authentication (MFA) and Single Sign-On (SSO) reduce password risks, simplify access, letting verified and authorised users reach sensitive systems, services and apps.
dotSec provides comprehensive vulnerability management services. As part of this service, we analyse findings in the context of your specific environment, priorities and threat landscape.
We don’t just test whether users will click a suspicious link — we also run exercises, simulating phishing attacks that are capable of bypassing multi-factor authentication (MFA) protections.
DotSec’s penetration testing services help you identify and reduce technical security risks across your applications, cloud services and internal networks. Clear, actionable recommendations, every time!
dotSec has provided Australian managed SOC, SIEM and EDR services for 15 years. PCI DSS-compliant and ISO 27001-certified. Advanced log analytics, threat detection and expert investigation services.
We provide prioritised, practical guidance on how to implement secure configurations properly. Choose from automated deployment via Intune for Windows, Ansible for Linux or Cloud Formation for AWS.
Secure web hosting is fundamental to protecting online assets and customer data. We have over a decade of AWS experience providing highly secure, scalable, and reliable cloud infrastructure.
DotSec helps organisations to benefit from the ACSC Essential Eight by assessing maturity levels, applying practical security controls, assessing compliance, and improving resilience against attacks.
Evaluation against the CIS 18 Controls establishes a clear baseline for stakeholders, supporting evidence-based planning, budgeting, maturity-improvement and compliance decisions.
We have over 25 years of cyber security experience, providing practical risk-based guidance, advisory and CISO services to a wide range of public and private organisations across Australia.