Goldilocks Security Operations Architecture: Finding the Perfect Balance for Your Security

Organizations today are aware of their cybersecurity risk, but many struggle to determine the best way to stay protected. Finding the right balance between using internal resources and outsourced managed services is the key to a successful cybersecurity program. But how do you weigh your need to control technology and operations against the size and skills of your cybersecurity staff?

Grant Slender, CISO and Head of Security, Cloud and Support of Queensland Investment Corporation (QIC), spoke at Splunk’s .conf19 about how they achieved this balance. In his presentation, he explained how QIC uses Proficio’s managed security services and Splunk’s Cloud technology in what he coined as a “Goldilocks Architecture”.

The underlying aspects of all strong cyber defense programs are the people, process and technology:

  • People – Security teams must have the skills to manage your devices and monitor security alerts, but also to build the appropriate content to quickly and accurately detect threats within your environment
  • Process – Having good processes in place keeps the team running smoothly and ensures that security events are documented and handled consistently
  • Technology – Selecting the right technology mix to put in your environment is essential for having a strong cybersecurity posture

Allocating resources to each of these elements and defining how they work together can be a challenge – one that can take several iterations before getting it right. More and more organizations are moving towards hybrid SOC models where security operations are shared by in-house staff and an outsourced partner.

To determine the right model for your team, consider the following:

SIEM Ownership

For some enterprises, purchasing and maintaining a SIEM is the ideal option. It gives you full ownership of both the technology and content and allows you to build a security infrastructure that meets your needs.

But purchasing a SIEM is expensive and comes with its own set of challenges.

When looking at this option, one must consider things like:

  • Who is going to install the SIEM? Where will it be deployed?
  • Who will monitor security events?
  • Who will create the searches and analytics you use to discover threats? Will they be regularly updated and tuned for your environment?
  • How do you integrate and curate threat intelligence into your analytics?
  • How much time will your team spend managing the system?
  • How do you increase capacity as your organization grows?
  • Do you need a redundant architecture?

Staffing is often the biggest challenge, as many organizations struggle to recruit and retain qualified individuals to manage and monitor their SIEM. You will need to ensure 24/7 coverage, including staff committed to working the graveyard shift to avoid coverage gaps, and you will need to build a Security Operations Center (SOC) that draws on multiple skill sets, including SIEM Content Developers, Security Engineers, and Incident Responders. Organizations that cannot support this level of specialization often look into outsourcing some or all of their security operations.

Fully Managed Model

If owning the SIEM is not a viable option for your organization, you may consider fully outsourcing your security operations. Under this approach, a managed security service provider (MSSP) sends security events from multiple clients to a centrally hosted SIEM. The MSSP takes responsibility for detecting indicators of attack or compromise and alerting their clients accordingly.

Using a fully managed service is attractive to some organizations because it does not require them to buy complex software or staff a SOC. Moreover, MSSP clients benefit from an OPEX model, reduced cost of ownership, and a service that can scale to meet the needs of a growing business. But there are also trade-offs to this approach, including reduced opportunity for customization and less control over data and technology. In addition, some MSSPs use proprietary SIEM technology and are challenged to keep their software competitive with industry leaders, causing the accuracy and quality of security alerts to decline over time.

Hybrid Model

QIC tried managing an on-premises SIEM but found it difficult and complex. Then they tried a fully managed SIEM but realized that they needed more control over their technology stack and data. Their last approach, the Goldilocks architecture, left them most satisfied: this co-managed service pairs Splunk Cloud with Proficio's managed security and monitoring services.

“It was just the right balance between having a technology stack that we had ownership on, where we understood what the data was doing (and) where it was transitioning into security events… but we also had that global scale coverage, 24×7 cover, processes and people. For me, it was that Goldilocks architecture that enabled us to be successful.”

Grant Slender, CISO & Head of Security, Cloud and Support, QIC

Partnering with an MSSP to create a hybrid model allows you to own the technology components while outsourcing the 24/7 monitoring and management, reducing staffing challenges and lowering your OPEX. A good MSSP will create a personalized runbook, set up business context modeling to identify your high-value assets, and provide you with metrics so that you can present your security posture to the board. They should also be experts who can help you properly configure your SIEM – from data ingestion to use cases – and be available to tune it over time to keep it running optimally.

Selecting the right MSSP is critical, as they are an extension of your team. Since most organizations cannot staff a 24/7 SOC, their in-house team should not feel threatened by the possibility of job loss; rather, they should embrace the opportunity to focus on more varied and challenging tasks.

What’s Next?

The threat landscape continues to evolve. Attackers will only get smarter, faster and more creative, so organizations need to stay ahead of tomorrow’s cyberthreats. Whatever approach you choose, make sure you’ve got a partner with experience and a vision for the future.

Proficio is an industry leading Managed Detection and Response service provider, utilizing next-generation technology and methods to detect advanced threats and automate responses. Contact Proficio to learn about our customized security options and see how we can help your company stay protected.