Background
Average detection time is around 200 days. Usually because nobody was watching.
Questions to ask yourself
- Does our website log security-relevant events?
- Does anyone read those logs?
- Are we alerted automatically on obvious anomalies?
- Are logs stored somewhere an attacker can't reach?
What you can do today
Cheap monitoring beats no monitoring
You don't need a SIEM. You need someone reading the right thing.
1. Log authentication, admin actions, and errors. Send logs off the server.
2. Set basic alerts: failed-login bursts, new admin users, bulk data exports.
3. For serious sites, a managed monitoring service should be watching out of hours.
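One way to put the three basic alerts into practice, as an added example that is not from the original page: a short Python script that reads constructed JSON log lines and flags failed-login bursts, new admin users and bulk exports. The log format, field names and thresholds are assumptions chosen for the illustration.

```python
# Added example (not code from the original page): a small alerting pass over
# security-relevant web app log lines. The JSON line format, field names and
# thresholds are assumptions chosen for this illustration.
import json

FAILED_LOGIN_THRESHOLD = 5   # failures from one IP ...
FAILED_LOGIN_WINDOW = 60     # ... within this many seconds
BULK_EXPORT_ROWS = 10_000    # exports of this many rows or more are flagged

# Constructed sample log ("ts" = seconds since epoch); the last line is deliberately malformed.
SAMPLE_LOG = """\
{"ts": 1000, "event": "login_failed", "ip": "203.0.113.7", "user": "alice"}
{"ts": 1005, "event": "login_failed", "ip": "203.0.113.7", "user": "bob"}
{"ts": 1010, "event": "login_failed", "ip": "203.0.113.7", "user": "carol"}
{"ts": 1012, "event": "login_failed", "ip": "203.0.113.7", "user": "dave"}
{"ts": 1015, "event": "login_failed", "ip": "203.0.113.7", "user": "erin"}
{"ts": 1200, "event": "login_failed", "ip": "198.51.100.2", "user": "alice"}
{"ts": 1400, "event": "admin_user_created", "ip": "198.51.100.2", "user": "alice", "target": "backup-admin"}
{"ts": 1500, "event": "export", "ip": "198.51.100.2", "user": "alice", "rows": 25000}
{"ts": 1600, "event": "export", "ip": "198.51.100.2", "user": "alice", "rows": 40}
this line is not JSON and must not break alerting
"""

def parse_log(text):
    # Parse JSON lines into event dicts, skipping malformed lines, sorted by time.
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one bad line should never stop alerting on the rest
    return sorted(events, key=lambda e: e["ts"])

def detect_alerts(events):
    # Return (rule, detail) tuples for the three basic rules.
    alerts = []
    recent_failures = {}  # ip -> timestamps of failed logins inside the window
    for e in events:
        kind = e.get("event")
        if kind == "login_failed":
            # keep only failures inside the sliding window, then check the burst size
            recent = [t for t in recent_failures.get(e["ip"], []) + [e["ts"]]
                      if e["ts"] - t <= FAILED_LOGIN_WINDOW]
            recent_failures[e["ip"]] = recent
            if len(recent) == FAILED_LOGIN_THRESHOLD:  # fire when the burst first reaches the threshold
                alerts.append(("failed_login_burst", e["ip"]))
        elif kind == "admin_user_created":
            alerts.append(("new_admin_user", e.get("target")))
        elif kind == "export" and e.get("rows", 0) >= BULK_EXPORT_ROWS:
            alerts.append(("bulk_export", f'{e["user"]}:{e["rows"]}'))
    return alerts
```

Run `detect_alerts(parse_log(SAMPLE_LOG))` to see the three alerts; in practice the same rules would run over the off-server copy of the logs, not the copy on the web host.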