I was recently reminiscing with an ex-colleague of mine from my days working for a Managed Security Service Provider in the early part of the noughties.
It was around the time that the first Intrusion Detection Systems (IDS) came onto the market and were hailed as the greatest defence against those who had managed to find their way past your firewall.
There was of course that debate about whether the IDS should sit behind the firewall or in front of it. Neither position, as it transpires, was either correct or incorrect.
The fundamental problem with IDS is that without the necessary skills to tune these devices and constantly update and retune them, all you got was a lot of noise that eventually was simply ignored.
In fact, it can be argued that IDS in the early days was counterproductive, as people placed a reliance on the technology and felt that just by purchasing some they would be more secure. Without the people part of this equation in balance with the technology, it was no more than another thing to look after (badly, in most cases) and gave people a false sense of security.
Technology has moved on significantly since those days, yet the underlying problem is still the same. The approach is sound when we think about the purpose of a proper Security Incident and Event Management (SIEM) solution. Yet without people it is again just another thing to manage, and it adds nothing to the real-life purpose of information security, which is to protect a business’s most critical systems and data.
I have written previously about the importance of “understanding what is going on inside the castle walls”. The old approach of building the perimeter higher and putting more barbed wire on the top is simply outdated thinking when attempting to deal with the complex and constantly evolving cyber threat landscape faced by organisations today.
So what is the strategy for SIEM, and how can I deliver it to my business? What are the challenges in doing so and in making sure I know when I have been breached? What else do I need to have in place to deal with a breach once I know I have one? These are the questions we need to ask and answer in order to get to a place where we can balance the equation, get some real value out of technology and people, and better place our organisations to cope with the reality of today’s world.
Speak to a SIEM vendor and they will happily sell you anything you have deep enough pockets for, and believe me, for some solutions we are talking about extremely deep pockets indeed. But this on its own will not solve anything.
For large and complex enterprises with a robust risk management approach to business, teams of people in compliance and information security, and access to large budgets, this can of course be achieved in house. However, for the majority of businesses this is simply not the case. These systems need to be tuned, just as IDS did in the early days. Granted, the levels of automation and the underlying “cleverness” are unrecognisable from those first systems we saw on the market, but they still need people, and people who know what they are doing.
On our always-on, always-connected planet we need those guardian angels around the clock, responding to alerts (meaningful alerts) and translating them into the actions we need to take. This is a skilled job. It is an expertise that most organisations do not have and could in no way commercially justify.
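To make the tuning point concrete, here is an added example (it is not code from the original post, its author or any product the post describes) of the kind of noise-reduction pass a SOC analyst encodes once they understand an environment: suppress signatures from a known, expected source, collapse repeated identical alerts into one, and escalate only when two weaker signals line up against the same host. All alert lines, hosts, addresses and rule names are constructed for illustration.

```python
"""Minimal alert-tuning pass over raw IDS/SIEM output (added example, constructed data)."""
from datetime import datetime, timedelta

# Constructed raw alerts: (timestamp, signature, source_ip, dest_ip). Not real data.
RAW_ALERTS = [
    ("2024-01-15T09:00:01", "ICMP Ping Sweep", "10.0.5.20", "10.0.1.1"),
    ("2024-01-15T09:00:02", "ICMP Ping Sweep", "10.0.5.20", "10.0.1.2"),
    ("2024-01-15T09:00:03", "ICMP Ping Sweep", "10.0.5.20", "10.0.1.3"),
    ("2024-01-15T09:05:00", "SSH Brute Force Attempt", "203.0.113.7", "10.0.1.10"),
    ("2024-01-15T09:05:05", "SSH Brute Force Attempt", "203.0.113.7", "10.0.1.10"),
    ("2024-01-15T09:05:09", "SSH Brute Force Attempt", "203.0.113.7", "10.0.1.10"),
    ("2024-01-15T09:11:30", "Outbound Connection to Uncommon Port", "10.0.1.10", "203.0.113.7"),
    ("2024-01-15T10:40:00", "SSH Brute Force Attempt", "198.51.100.3", "10.0.1.11"),
    ("2024-01-15T09:20:00", "ICMP Ping Sweep", "10.0.5.20", "10.0.1.4"),
]

# Tuning knowledge the analyst maintains. 10.0.5.20 is a hypothetical authorised
# vulnerability scanner whose ping sweeps are expected and therefore suppressed.
SUPPRESSIONS = {("ICMP Ping Sweep", "10.0.5.20")}

# Correlation: a precursor signature against host X, followed within the window by a
# follow-on signature originating from X, is escalated to HIGH on both alerts.
CORRELATIONS = [("SSH Brute Force Attempt", "Outbound Connection to Uncommon Port")]


def tune_alerts(raw, suppressions=SUPPRESSIONS, window=timedelta(minutes=10)):
    """Return a suppressed, aggregated and prioritised list of alert groups."""
    parsed = sorted(
        ((datetime.fromisoformat(ts), sig, src, dst) for ts, sig, src, dst in raw),
        key=lambda a: a[0],
    )
    # 1. Suppression: drop signatures from sources that are known and expected.
    kept = [a for a in parsed if (a[1], a[2]) not in suppressions]

    # 2. Aggregation: repeats of (signature, source, dest) inside the window become one
    #    alert carrying a count, so three failed logins are one line, not three.
    groups, last = [], {}
    for ts, sig, src, dst in kept:
        key = (sig, src, dst)
        g = last.get(key)
        if g is not None and ts - g["first_seen"] <= window:
            g["count"] += 1
            g["last_seen"] = ts
        else:
            g = {"signature": sig, "source": src, "dest": dst, "first_seen": ts,
                 "last_seen": ts, "count": 1, "priority": "MEDIUM", "note": ""}
            groups.append(g)
            last[key] = g

    # 3. Escalation: only a precursor followed by a follow-on from the same host is HIGH.
    for precursor, follow_on in CORRELATIONS:
        for g in groups:
            if g["signature"] != precursor:
                continue
            victim = g["dest"]
            for h in groups:
                gap = h["first_seen"] - g["last_seen"]
                if (h["signature"] == follow_on and h["source"] == victim
                        and timedelta(0) <= gap <= window):
                    g["priority"] = h["priority"] = "HIGH"
                    g["note"] = h["note"] = f"{precursor} on {victim} followed by {follow_on}"
    return groups


if __name__ == "__main__":
    tuned = tune_alerts(RAW_ALERTS)
    print(f"{len(RAW_ALERTS)} raw alerts -> {len(tuned)} tuned alerts")
    for g in tuned:
        print(f"[{g['priority']}] x{g['count']} {g['signature']} {g['source']} -> {g['dest']} {g['note']}")
```

On the constructed input, nine raw alerts become three tuned ones: the scanner's ping sweeps disappear, the three brute-force attempts against 10.0.1.10 collapse into one alert that is escalated together with the later outbound connection from that host, and the lone brute-force attempt against 10.0.1.11 stays at MEDIUM. The value is entirely in the suppression and correlation tables, which is exactly the knowledge that has to be maintained by people who understand the environment.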
We need to build and segregate our networks so that, once someone finds their way in, it is as difficult as possible for them to a) get any further, b) go undetected and c) get at the data. All of this can be done by combining technology and people. We also need robust incident response plans, and we need to treat them the same way we do (or should) treat business continuity plans, because that is exactly what they are when we consider the potential impact of an undetected breach.
The only real answer for most businesses is to outsource this as a service to someone who does it for a living. You may or may not have seen these referred to as SOC/SIEM services (SOC being Security Operations Centre). There are lots of them out there and that sector is growing like billy-o, from traditional security tin shifters and licence resellers to security consultancies building out managed security service divisions of their businesses.
They have the knowledge, they have the expertise and they are there 24x7x365 watching the skies. In addition, the sharing of data globally allows these “agencies” to be absolutely up to the minute with the current state of play: almost the meteorologists of cyberspace, forecasting from trends and patterns where the next storm is coming from.
We believe this is the right way to achieve the desired outcome of a better level of security for our customers. There is also the old adage of “who guards the guards” when it comes to the platforms and services we build and manage for our clients: who is watching what we do? To answer both of these points directly, we work with our partners in this SOC/SIEM world and build out solutions for our customers with them. We have no direct access to the data gathered and can in no way interfere with or manipulate it, which provides a much more reliable audit trail. Collusion between internal teams is ruled out, which simply provides more robust security for those who opt to take this on as part of their service from us. Their expertise in managing this complex technology and raising meaningful alerts, combined with our teams of experts applying their knowledge of the underlying platforms and systems to those alerts, is the perfect blend of technology and people.