
Goldilocks Security Operations Architecture: Finding the Perfect Balance for Your Security

Organizations today are aware of their cybersecurity risk, but many struggle to determine the best way to stay protected. Finding the right balance between using internal resources and outsourced managed services is the key to a successful cybersecurity program. But how do you weigh your need to control technology and operations against the size and skills of your cybersecurity staff?

Grant Slender, CISO and Head of Security, Cloud and Support of Queensland Investment Corporation (QIC), spoke at Splunk’s .conf19 about how they achieved this balance. In his presentation, he explained how QIC uses Proficio’s managed security services and Splunk Cloud in what he coined a “Goldilocks Architecture”.

The underlying aspects of all strong cyber defense programs are the people, process and technology:

  • People – Security teams must have the skills to manage your devices and monitor security alerts, but also to build the appropriate content to quickly and accurately detect threats within your environment
  • Process – Having good processes in place keeps the team running smoothly and ensures that security events are documented and handled consistently
  • Technology – Selecting the right technology mix to put in your environment is essential for having a strong cybersecurity posture

Allocating resources to each of these elements and defining how they work together can be a challenge – one that can take several iterations before getting it right. More and more organizations are moving towards hybrid SOC models where security operations are shared by in-house staff and an outsourced partner.

To determine the right model for your team, consider the following:

SIEM Ownership

For some enterprises, purchasing and maintaining a SIEM is the ideal option. It gives you full ownership of both the technology and content and allows you to build a security infrastructure that meets your needs.

But purchasing a SIEM is expensive and comes with its own set of challenges.

When looking at this option, one must consider things like:

  • Who is going to install the SIEM? Where will it be deployed?
  • Who will monitor security events?
  • Who will create the searches and analytics you use to discover threats? Will they be regularly updated and tuned for your environment?
  • How do you integrate and curate threat intelligence into your analytics?
  • How much time will your team spend managing the system?
  • How do you increase capacity as your organization grows?
  • Do you need a redundant architecture?

Staffing is often the biggest challenge, as many organizations struggle to recruit and retain qualified individuals to manage and monitor their SIEM. You will need 24/7 coverage, including staff committed to working the graveyard shift so that there are no gaps, and you will need to build a Security Operations Center (SOC) that draws on multiple skill sets, including SIEM Content Developers, Security Engineers, and Incident Responders. Organizations that cannot support this degree of specialization often look into outsourcing some or all of their security operations.

Fully Managed Model

If owning the SIEM is not a viable option for your organization, you may consider fully outsourcing your security operations. Under this approach, a managed security service provider (MSSP) sends security events from multiple clients to a centrally hosted SIEM. The MSSP takes responsibility for detecting indicators of attack or compromise and alerting their clients accordingly.

Using a fully managed service is attractive to some organizations because it does not require them to buy complex software or staff a SOC. Moreover, MSSP clients benefit from an OPEX model, reduced cost of ownership, and a service that can scale to meet the needs of a growing business. But there are also trade-offs to this approach, including reduced opportunity for customization and less control over data and technology. In addition, some MSSPs use proprietary SIEM technology and struggle to keep their software competitive with industry leaders, causing the accuracy and quality of security alerts to decline over time.

Hybrid Model

QIC tried managing an on-premises SIEM but found it difficult and complex. Then they tried a fully managed SIEM but realized that they needed more control over their technology stack and data. Their last approach, the Goldilocks architecture, left them most satisfied: this co-managed service pairs Splunk Cloud with Proficio managed security and monitoring services.

“It was just the right balance between having a technology stack that we had ownership on, where we understood what the data was doing (and) where it was transitioning into security events… but we also had that global scale coverage, 24×7 cover, processes and people. For me, it was that Goldilocks architecture that enabled us to be successful.”

Grant Slender, CISO & Head of Security, Cloud and Support, QIC

Partnering with an MSSP to create a hybrid model allows you to own the technology components but outsource the 24/7 monitoring and management, reducing staffing challenges and lowering your OPEX. A good MSSP will create a personalized runbook, set up business context modeling to understand your high-value assets, and provide you with metrics, so that you can present your security posture to the board. They should also be experts who can help you properly configure your SIEM – from data ingestion to use cases – and be available to tune it over time to keep it running optimally.

Selecting the right MSSP is critical, as they are an extension of your team. Since most organizations cannot staff a 24/7 SOC, their in-house team should not feel threatened by the possibility of job loss; rather, they should embrace the opportunity to focus on more varied and challenging tasks.

What’s Next?

The threat landscape continues to evolve. Attackers will only get smarter, faster and more creative, so organizations need to stay ahead of tomorrow’s cyberthreats. Whatever approach you choose, make sure you’ve got a partner with experience and a vision for the future.

Proficio is an industry leading Managed Detection and Response service provider, utilizing next-generation technology and methods to detect advanced threats and automate responses. Contact Proficio to learn about our customized security options and see how we can help your company stay protected.

CIO Guide: Why Switch to a Hybrid SOC

In today’s heightened threat environment, IT leaders must find creative ways to leverage their resources and better defend against advanced cyber attacks.

Balancing the cost of IT security operations vs. the risk of a security breach is one of the toughest challenges facing IT leadership. CIOs and CISOs are seldom thanked when nothing bad happens and, despite making their best efforts within a limited budget, usually blamed when a security incident does occur.

Hybrid SOC

Modern enterprises can generate hundreds of millions of security events every day, and these events must be collected and analyzed around-the-clock to detect actual or pending attacks. Conventionally, organizations have staffed Security Operations Centers (SOCs) and deployed SIEM technology as the cornerstone of their security event monitoring programs.

However, today many forward-thinking enterprises are adopting hybrid models where some or all of these functions are outsourced to service providers.

The Challenges of Building and Operating a SOC

[Figure: Hybrid SOC]

Why Outsource Security Event Monitoring

1.  Challenges in Hiring and Retaining Security Experts

With an unprecedented shortage of qualified cybersecurity professionals, IT organizations face the most challenging job market in history. Cisco estimated the global shortage of cybersecurity professionals to be one million in 2014, and analysts are now projecting 3.5 million unfilled positions by 2021. Many organizations find it difficult to attract and retain qualified security experts, which causes gaps in the efficacy of their security operations. Experts in SIEM technology are particularly expensive to hire and retain. SIEM consultants can backfill gaps in hiring, but they command a very high hourly rate.

Cybersecurity experts find Managed Security Service Providers (MSSPs) to be attractive employers because they offer competitive salaries, opportunities for skill enhancement, and security focused career paths. Service providers can also locate their SOCs close to concentrations of cybersecurity workers – an accommodation that is more difficult for other organizations to make.

2.  Threat Visibility

Cyberattacks are constantly morphing as hackers exploit new vulnerabilities and create new variations of malware. CryptoLocker, CryptoWall, and other variants of ransomware are prime examples of this. Service providers are often the first to see new attack vectors and techniques as their customer base encompasses organizations in many different industries and locations. Compared to individual enterprises, users of a managed security service may also benefit from more sources of third party threat intelligence feeds and advanced correlation analysis between threat intelligence data and other suspicious behavior. Overall, improved threat visibility increases the chance of detecting and preventing a cyber breach.

3.  24×7 Vigilance

Advanced cyber attacks frequently originate from Eastern Europe, China and other regions whose working hours fall outside your normal business hours. Simply blocking traffic to or from a country like Russia does not address this issue, because attackers have anticipated this countermeasure and now launch their attacks from IP addresses in countries perceived to be lower risk.

Effective security requires around-the-clock monitoring to detect and respond to targeted attacks before they result in loss of data and damage to an organization’s brand. Often staffing and managing a 24×7 SOC is beyond the resources of an organization, but service providers can provide this capability to their customers at a reasonable cost.

4.  Lack of SIEM Content

The underlying effectiveness of a SIEM system is driven by the rules and use cases that detect indicators of attack, indicators of compromise, or policy violations. Depending on the size and complexity of an organization’s infrastructure, a fully functioning SIEM may have hundreds of use cases. Default use cases provided by SIEM vendors are often outdated, ineffective and not mapped to the specific technologies and applications used by a SIEM user.

Building SIEM content is time consuming and requires an in-depth understanding of the threat landscape and of the logic by which security events are mapped to different attack vectors and vulnerabilities. Well-tuned rules and content increase the productivity of Security Analysts’ investigations, ensuring their time is spent on the most critical events rather than chasing false positives. Service providers can spread the cost of developing SIEM content across many customers and dedicate resources to continuously developing new and customized rules and use cases.

5.  More Effective SOC Analyst Investigations

No SIEM can provide 100% accurate alerts. Security experts are needed to investigate suspicious alerts and determine the criticality of a threat. In a high-performance SOC with a well-tuned SIEM, you can expect the following:

  • Half of all high priority actionable alerts are the result of Security Analyst investigations
  • Of all the system alerts requiring analyst action, after investigation, about half turn out to be false positives

These data points underscore the importance of having sufficient human security experts available 24×7.

Service providers augment the existing team of Security Analysts and can often more effectively filter and correlate security events to present Security Analysts with better data. Outsourcing monitoring tasks also improves the morale of existing employees and allows them to focus on other priorities.

6.  Rapid Response

Responding rapidly to security incidents is as important as the ability to detect and prioritize security threats. Critical events require response by senior security analysts and, if needed, remediation actions like wiping a laptop, blocking an IP address, or quarantining a file.

Effective incident response requires security experts to be available on a 24×7 basis, which is not always possible for even large organizations with dedicated CSIRT teams.

Next-generation SOCs are increasingly automating responses to critical security threats. One example is automatically blocking an IP address on a firewall after detecting network reconnaissance from a known malicious IP address targeting a high-value asset. Temporarily blacklisting the IP address gives IT teams time to investigate the threat and remediate it if necessary. This approach is particularly useful at companies where operations teams are not available outside standard business hours. Building automated response actions requires fine-tuned use cases along with integration and testing resources.
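As an added illustration (not Proficio’s code or any product’s API) of the automated response just described: a known-malicious source that probes several ports on a high-value asset within a short window is blocked for a limited time, while weaker signals (unknown source, low-value target, too few ports) are left for an analyst. The threat-intel entry, asset list, thresholds and log lines are all constructed assumptions, and the firewall is an in-memory stand-in.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed inputs (assumptions for this illustration, not real feeds or assets).
KNOWN_MALICIOUS = {"203.0.113.7"}   # threat-intel entry; TEST-NET-3 documentation range
HIGH_VALUE_ASSETS = {"10.0.0.5"}    # business-context model: e.g. a domain controller
RECON_PORTS = 5                     # distinct destination ports inside the window
RECON_WINDOW = 60                   # seconds
BLOCK_TTL = 3600                    # seconds; the block expires, so analysts must follow up

@dataclass
class Blocklist:  # stand-in for the firewall: who is blocked, and until when
    expiry: dict = field(default_factory=dict)   # src_ip -> unblock timestamp
    actions: list = field(default_factory=list)  # audit trail of automated actions

    def block(self, ip, now):
        if not self.is_blocked(ip, now):
            self.actions.append(("block", ip, now))
        self.expiry[ip] = now + BLOCK_TTL

    def is_blocked(self, ip, now):
        return self.expiry.get(ip, 0) > now

def process_events(events, blocklist=None):
    """events: (timestamp, src_ip, dst_ip, dst_port) tuples parsed from firewall logs."""
    if blocklist is None:
        blocklist = Blocklist()
    recent = defaultdict(list)  # (src, dst) -> [(ts, port), ...] within the window
    for ts, src, dst, port in sorted(events):
        if blocklist.is_blocked(src, ts):
            continue  # already contained
        hist = [(t, p) for t, p in recent[(src, dst)] if ts - t <= RECON_WINDOW]
        hist.append((ts, port))
        recent[(src, dst)] = hist
        scanning = len({p for _, p in hist}) >= RECON_PORTS
        # Automate only the narrow, high-confidence case; anything weaker goes to a human.
        if scanning and src in KNOWN_MALICIOUS and dst in HIGH_VALUE_ASSETS:
            blocklist.block(src, ts)
    return blocklist

# Constructed sample log: five ports probed within a minute by (a) the known-bad source
# against the high-value asset, (b) an unknown source, (c) the known-bad source vs a low-value host.
PORTS = [22, 80, 443, 445, 3389]
SAMPLE_EVENTS = (
    [(1000 + i, "203.0.113.7", "10.0.0.5", p) for i, p in enumerate(PORTS)]
    + [(1000 + i, "198.51.100.9", "10.0.0.5", p) for i, p in enumerate(PORTS)]
    + [(1000 + i, "203.0.113.7", "10.0.0.99", p) for i, p in enumerate(PORTS)]
)
```

Running `process_events(SAMPLE_EVENTS).actions` yields a single block for case (a); cases (b) and (c) produce no automated action and would surface to an analyst instead.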

7.  Operational Excellence

It is a truism that maintaining effective security operations requires combining people, process, and technology. Managing these elements is non-trivial. The Target data breach exemplifies this point: their SOCs in Bangalore and Minneapolis reportedly received priority malware alerts but failed to act on them.

Maybe their Security Analysts were swamped with other alerts. Perhaps their runbook, which should have described detailed processes and escalation procedures, was not clear or updated. Service providers that have sophisticated support systems, trained personnel, and fine-tuned procedures and workflow can help their customers achieve operational excellence.

8.  Time and Money

The decision to outsource security event monitoring is heavily influenced by the risk of operating at a diminished level of security effectiveness. Building a SOC and tuning a SIEM takes months, sometimes years, with a long list of dependencies including hiring, training, and system integration efforts. Service providers reduce their customers’ exposure to security breaches during the periods when security operations are not yet running at full speed.

Service providers also have greater potential to leverage economies of scale than single business entities. This is particularly true in a 24×7 operation, where only 260 of the 1095 eight-hour shifts in a year fall during normal business hours.

About Proficio and ProSOC

Proficio is a cloud-based cyber security service provider. We combine state-of-the-art analytics with around-the-clock security monitoring to provide advanced threat detection and breach prevention solutions to enterprises, healthcare providers, and government. Our services include:

  • Security Event Monitoring and Alerting: High-touch SOC services including 24×7 real-time security monitoring, investigations, actionable alerts, escalations, and runbook management
  • SIEM-as-a-Service: Log collection, retention, analysis, alerting, advanced correlation analysis, business context modeling, and behavioral analytics
  • Visibility: Provides full visibility to event logs with easy-to-use ProView web portal, powerful reporting, dashboards, and drill down analytics
  • Threat Intelligence: ProSOC integrates external threat intelligence data and nefarious traffic identified within our customers’ networks into our threat intelligence database
  • SIEM Administration: SIEM administration, operations management, patching, tuning, health and performance monitoring, and troubleshooting
  • SIEM Content Development: Development and maintenance of advanced security use cases, rules, dashboards, and reports
  • Incident Response: 24×7 investigations, advice, remediation, forensic analysis, and automated response to contain high priority threats
  • Compliance Reporting, Dashboards, and Workflow: PCI, HIPAA, SOX, GLBA, FFIEC, NERC CIP, FISMA, and others
  • Managed Security: Full security device management services including configuring, tuning and patching firewalls, NGFWs, IDS/IPS, and WAFs
  • Vulnerability Management: ProSCAN (powered by QualysGuard) includes Vulnerability Scanning, Asset Discovery, and Web Application Scanning
  • Security Assessment: Risk Assessments, Penetration Testing, Social Engineering, and Compliance Assessments