Key considerations for establishing a security monitoring program
The old narrative that you focus on deterrent cyber controls doesn’t make sense any more. Most enterprises now concede that if a capable threat actor targets them, it will likely get in.
This realisation has forced a change in narrative, from cyber security to cyber resilience. Forward-leaning enterprises are taking a balanced approach, investing in defences but also building capabilities to rapidly detect, contain and eradicate cyber threats, minimising business and customer impacts from inevitable attacks.
Yet, at the same time, many enterprises still struggle to build effective security monitoring systems. During my interactions with several cyber security leaders, three key challenges have emerged:
- The high volume of security alerts and system events is frustrating. This was affirmed by Imperva, a global data and application security solutions company, which found that a “staggering 27 percent of IT professionals confirmed that they received more than one million threats daily, while 55 percent received more than 10,000.” Unsurprisingly, the same survey revealed that a majority of IT professionals (53%) conceded that they struggled to isolate bona fide security incidents amid all this noise. Consequently, for most cyber security teams, searching for genuine threats amidst this noise is like wading through oatmeal.
- The gravity of the above issue is further compounded by the endemic shortage of security professionals. Large enterprises are struggling to find experienced cyber security staff, and many SMEs don’t have any cyber security staff at all.
- Over the last few years, cyber security threats have deepened in sophistication, while most security environments have stagnated. They still rely on old-school, signature-based defences. As I wrote in my book, this is akin to deploying a fleet of North American Aviation P-51 Mustangs – 1940 long-range fighter-bombers used during World War II and the Korean War – to fight an adversary equipped with modern F-35 Lightning IIs – 5th generation fighter jets with advanced stealth, supersonic speed, exceptional agility and several other superior capabilities. It’s therefore unsurprising that Mandiant, a leading cyber incident response firm, predicted that in 2019, “attackers will continue to operate undetected in environments (dwell time) for a duration that far exceeds their needs to complete their mission.”
The above issues have prompted several organisations to invest in 24/7 SOCs and other cyber response measures. But a question I often get when talking to my clients is: “Should we build an internal SOC or outsource to a third party? If we outsource, what are some key issues to consider?” There is certainly no black and white answer, but based on my experience, there are seven critical issues to consider:
- Understand the SOC provider’s ability to tune their technology to identify bona fide security incidents, rather than constantly setting off hailstorms of useless alerts. When you have a small cyber security function, solutions that generate high percentages of false positives will drain resources from value-adding and mission-critical activities. Your team will feel overworked and underpaid, and security fatigue will quickly creep in. It’s therefore important to validate this key area with the provider’s existing customers before committing to any arrangements. Solutions that utilise advanced analytics capabilities to sift through large data sets, reference multiple threat intelligence sources (victims as well as threat groups) and self-train to exclude usual behaviour can help quell the noise.
- Required skill sets versus budget – A clear understanding of your internal capabilities is always the starting point when making any outsourcing decision, and security response is no exception. An effective security response program requires several complementary skills: threat researchers, malware reverse engineers, incident responders, forensic examiners, data analysts, etc. It’s important to note that these specialists don’t come cheap. For instance, according to PayScale, a malware analyst can take home up to USD $124,516. Therefore, without deep pockets, it’s advisable to outsource this to a managed security provider, who can deliver this service at scale. Additionally, attracting elite cyber operations experts, such as threat hunters – “security professionals who proactively and iteratively detect, isolate, and neutralize advanced threats that evade automated security solutions” – may be quite difficult for SME enterprises. They are in short supply, so they choose whom they want to work for.
- Speed of deployment – Establishing a fully functioning SOC is not a trivial task. As Comcat, a UK-based cyber security and IT managed service provider, asserted, “Setting up a security operations team takes time, energy, resources, and money. From setting up the physical infrastructure and hardware, researching and procuring security technologies, to recruiting, training and managing qualified security analysts, the timescales required for an operational and effective security monitoring programme is significant – a minimum of 6-12 months.” Another managed security services provider, Proficio, reckons building a SOC can take up to 18 months. The longer it takes to set up a security monitoring centre, the higher the likelihood of undetected breaches. This factor is also critical when choosing the right SOC provider – take time to get references from existing clients and determine the speed and quality of their deployment. The key question, then, is: can you afford to spend 12-18 months without effective monitoring in place, or is it better to engage a third party who can rapidly deploy a 24/7 security monitoring capability?
- Appetite for risk – Before deciding to outsource your SOC, or whom to outsource to, have a clear understanding of the nature of the data that will be sucked out of your environment and where it will be shipped to, weighed against your enterprise’s tolerance for risk and local data residency laws. Ask several questions: Are we willing to store data in the public cloud, or do we retain control on premises? Does the SOC provider ship data to foreign jurisdictions, and does this comply with internal policies or data sovereignty laws? You should, however, not be overly rigid about it – most SOCs only ship security logs and system events, not personally identifiable customer information. So, this comes down to conducting a proper risk assessment that considers the nature of the information involved against your risk appetite.
- The aim of any SOC is to detect, contain and eradicate threats in the shortest possible time, thus reducing downstream impacts to customers. Therefore, ensure that whatever SOC model you embrace, internal or outsourced, provides continuous monitoring. It only takes one missed security alert (which was the case for Target in 2018) to cause a damaging data breach. Hackers work 24/7, and don’t care whether you are playing charity golf or on annual leave. Hence, it’s important to ensure the model you adopt has a true 24/7 monitoring capability. You don’t want your SOC to represent only form, not substance.
- Have a clear understanding of the cost model before you sign any contracts. Some providers charge per endpoint/server/device, while others use a variable cost model (based on the data volume processed per day). A variable model can bring a significant level of cost unpredictability, so ensure your budget can accommodate any unforeseen growth.
- Scope of SOC monitoring service – The traditional security perimeter is fast dissipating, and high-value data is now held in disparate locations, spanning onsite servers to public cloud platforms. Before signing any contracts, have a clear understanding of the platforms that host your crown jewels, and ensure the vendor’s solutions can support those environments. Don’t make assumptions; understand your technology road map and ensure your security investment supports the enterprise goals. It sounds obvious, but there is no need to subscribe to a solution that can only monitor AWS and on-prem servers when you intend to migrate your workloads to Microsoft Azure. More importantly, don’t buy “security road maps”. With security solutions, believe what you see, not what you’re told.
- Also, several vendors have expanded their offerings beyond traditional security information and event management (SIEM) to fully managed security services. Additional services include, but are not limited to, fully managed firewalls, web proxies, email security gateways, endpoint protection and intrusion prevention systems. So, understanding the full set of services you need can simplify your security environment, and of course give you leverage to negotiate discounts.
- A critical element of cyber security monitoring is having a cyber security incident response retainer, which gives you access to skilled expertise should you experience a material breach. But before you subscribe to a security incident response retainer, check the provisions of your insurance policy to determine if your cover provides a similar service. There is no need to waste your budget on redundant services. Alternatively, if you purchase an incident response retainer prior to buying insurance cover, check with your insurance provider whether they can offer a discount that reflects proactive security measures.
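The first point above, tuning a SOC to quell noise by learning usual behaviour and cross-referencing threat intelligence, is the kind of capability you should ask a provider to demonstrate. The following is an added illustration, not code from this article or any vendor: it learns a baseline of (rule, source) pairs from a constructed week of historical alerts, then triages a constructed batch so that baselined noise is suppressed while anything matching a constructed threat-intel indicator is escalated even when its source is baselined.

```python
from collections import Counter, namedtuple

Alert = namedtuple("Alert", "rule src dst")  # detection rule, source, destination

# Constructed training window (not from the article): last week's alerts, used to
# learn which (rule, source) pairs fire routinely. Both hosts are assumed benign.
HISTORY = [
    Alert("port_scan", "10.0.0.5", "10.0.1.40"),   # authorised vulnerability scanner
    Alert("port_scan", "10.0.0.5", "10.0.1.41"),
    Alert("port_scan", "10.0.0.5", "10.0.1.42"),
    Alert("failed_login", "10.0.0.9", "dc01"),     # service account, stale password
    Alert("failed_login", "10.0.0.9", "dc01"),
    Alert("failed_login", "10.0.0.9", "dc01"),
    Alert("failed_login", "10.0.0.22", "dc01"),    # one-off: too rare to baseline
]
# Constructed threat-intel indicators (RFC 5737 / RFC 2606 documentation values).
THREAT_INTEL = {"203.0.113.7", "malicious.example"}
# Constructed batch of new alerts to triage.
ALERTS = [
    Alert("port_scan", "10.0.0.5", "10.0.1.40"),
    Alert("failed_login", "10.0.0.9", "dc01"),
    Alert("port_scan", "10.0.0.77", "10.0.1.40"),
    Alert("outbound_dns", "10.0.1.12", "malicious.example"),
    Alert("failed_login", "10.0.0.9", "dc01"),
    Alert("port_scan", "10.0.0.5", "203.0.113.7"),
]

def learn_baseline(history, min_count=3):
    """(rule, src) pairs seen at least min_count times are 'usual behaviour'."""
    counts = Counter((a.rule, a.src) for a in history)
    return {key for key, n in counts.items() if n >= min_count}

def triage(alerts, baseline, intel):
    """Split alerts into (escalate, review, suppressed). An intel hit always
    escalates, even from a baselined source, so a known-benign scanner that
    suddenly talks to a bad destination is not silently dropped."""
    escalate, review, suppressed = [], [], []
    for a in alerts:
        if a.src in intel or a.dst in intel:
            escalate.append(a)
        elif (a.rule, a.src) in baseline:
            suppressed.append(a)
        else:
            review.append(a)
    return escalate, review, suppressed

def noise_reduction(alerts, baseline, intel):
    """Fraction of the batch an analyst no longer has to look at."""
    return len(triage(alerts, baseline, intel)[2]) / len(alerts) if alerts else 0.0
```

The baseline threshold and the training window are the tuning knobs to probe with a provider: set too low, the baseline suppresses real incidents; set too high, the hailstorm remains.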