An official at Penn State stated, “In fact, on an average day last year, Penn State alone repelled more than 22 million overtly hostile cyber attacks from around the world”. This is an interesting number. However, we would surmise that they are actually counting the number of Internet drive-by attacks based source IP addresses being blocked using a firewall, VPN, and IPS rules.
What is more important are the number of known abusive attackers that are hitting their perimeter, how many of these attacks are permitted through their firewalls, and how many of those are targeted attacks or return communications to already compromised devices.
In our Security Operations Centers we find that organizations similar in size to a single College at Penn State need to monitor over 250 million security events per day. From these millions of events a day, the security team must detect 3 to 5 incidents that indicate a compromise and should be blocked in the ‘kill chain’ within minutes to prevent the attack from resulting in a breach or malicious event.
Putting this into more perspective, we find on average an organization of this size will be attacked by known abusive attackers more than 10,000 times per day and roughly 3-5% of these communications are permitted through their firewalls. Most organizations can’t or don’t block this traffic because they have to keep certain ports open for normal business communications or they do not enforce strong perimeter security policies. Of the 3-5% of permitted communications from known abusive attackers that we track for our clients, we discover on average 2 to 3 targeted attacks per day performing reconnaissance or staging and 2-3 correlated events per week indicating some level of compromise.
Even with the best SIEM 2.X generation technologies with finely tuned advanced correlation and behavior algorithms in place, an organization will only reduce the 250 million security events per day down to 100 suspicious threats per day. They will need to investigate further to find the 3-5 events that require immediate action on a daily basis.
This is a two-part challenge. First, recruiting and retaining trained security analysts to monitor and investigate 100 suspicious threats per day is very difficult. Then there is the challenge of how to immediately break the communication with the abusive attacker, quarantine the device, or disable the user account while you wait for your remediation response team or contracted forensic investigators to roll?
In our view, most organizations just don’t have the capital, desire, or ability to staff and manage a 20 (or more) person Security Operations Center to perform advanced SIEM management, 24×7 security event monitoring, or incident investigations. The answer to this equation today is to partner with a SOC-as-a-Service company that also offers a SIEM-as-a-Service. These companies provide the world-class SOC services needed by all sizes of organizations to counter the large number of world-class threat actors.
We would also recommend selecting a provider that is more than a traditional MSSP providing general firewall management. Look for next-generation SOC-as-a-Service providers that offer advanced use case correlation tuned to your business context and automated active breach prevention to stop communication with abusive attackers, quarantine devices, or disable a user accounts. These providers also provide visibility into your security posture, knowledge of who is attacking you and what they are targeting, as well as active defenses allowing you time to take action to protect your data.