One of the best ways to stay safe, and to maximize your time, is to prioritize your risk. Ben Carr, Qualys CISO, and Zane West, Proficio’s VP of Products and Development, chat about the benefits of solutions like Risk-Based Vulnerability Management and what is key to better understanding your risk profile. This is critical when dealing with a hybrid workforce, but what else is essential? Learn what they recommend and also hear their tips on how to stay compliant in an increasingly challenging time.
One of the most popular buzzwords today is SOAR. Proficio’s EMEA SOC Director, Carlos Valderrama, and former Gartner analyst Oliver Rochford dive into the concept of SOAR in cybersecurity. Oliver provides his unique perspective on how the term came to be while he was working as an analyst at Gartner. Does he think SOAR lived up to its potential? Tune in to find out!
The conversation leads off with their ideas on what the SOC of the Future will look like; they also provide their insight into what aspects are critical for these to be successful. Carlos notes, “we see a lot of vendors push for buzzwords… instead of looking for real solutions.” So where will they go from there?
2019 was another busy year for cybersecurity professionals. There were more security incidents than in any previous year, and they included some of the largest breaches of all time. According to Forbes magazine, more than 4.1 billion records were compromised.
Looking forward to the next decade, we expect cyber defenders to still face many challenges. Fueled by the growth of the cloud, IoT devices, and mobile, the attack surface will continue to grow exponentially. Cybercriminals have been using machine learning and will expand on its use in the coming year. Nation states will invest more in cyberwarfare to target governments, critical infrastructure, and organizations.
Proficio has been providing our clients managed security services for nearly a decade. Our understanding of the cybersecurity landscape is informed by being both a user and a provider of cybersecurity technology. The following projections define 10 important changes that we see driving the cybersecurity agenda over the next decade:
- AI Gets Real
At Proficio, we have been experimenting with and deploying machine learning (ML) for years. We think ML is now transitioning out of the early stages of the Hype Cycle and into broader adoption as a credible cybersecurity technology: a necessary part of any cyber defense arsenal, playing a significant role for Incident Response (IR) and Security Operations Center (SOC) teams.
There’s been a lot of talk about the potential for ML to replace Level 1 or 2 Security Analysts. We strongly disagree. We see ML as a tool that augments Security Analysts, helping them to identify relationships between seemingly unrelated events, cutting out false positives, and detecting anomalies. Combined with threat intelligence, ML will enable security teams to detect and respond to security incidents faster, more effectively, and with far fewer people than would otherwise be possible.
- Automation to the Rescue
Talk to any CISO and it won’t be long before you hear an anecdote that illustrates the cyber skills gap. Conventional wisdom is that the shortage of cyber professionals is now measured in millions, and when you peel back this issue, the gap is further complicated by the range of technologies used to ensure a strong cyber defense. In addition to Security Analysts, Incident Responders, and SIEM Engineers, organizations now need Data Scientists and ML experts.
We don’t expect the cyber skills gap to go away in the 2020s, but there is light at the end of the tunnel in the form of SOAR (Security Automation, Orchestration, and Response). Proficio was the first MSSP to create a proprietary SOAR platform and today automation plays a significant role in the services we deliver.
SOAR platforms promise to help SOC and IR teams reduce response times, cut down on manual work, and engineer repeatable, semi-automated processes. By creating standardized, repeatable processes — and automating them where possible — SOAR reduces the burden on security teams. In addition, a SOAR platform integrates with other technologies and provides a single orchestration interface for security teams. Instead of learning to use five or more different tools, security engineers need only become accustomed to a single interface that is integrated into their operational processes.
- GDPR Goes Global
Since the General Data Protection Regulation (GDPR) came into effect in May 2018, organizations with EU customers have had to step up their data privacy compliance processes and systems.
Historically, the major compliance frameworks (PCI-DSS, HIPAA, ISO27001, etc.) were akin to audit checklists. So long as you ticked off certain requirements — and you could prove it — your job was done. It didn’t matter if you were actually secure, as long as you followed the rules.
But GDPR changed the game. Now, instead of a checklist, organizations are responsible for collecting, analyzing, and acting upon security data to ensure the ongoing protection of sensitive assets. If an organization is breached, and sufficient action wasn’t taken to prevent it, irrespective of any checklist, large fines will follow.
We believe that in the next decade GDPR-like regulations will be adopted by most developed nations, and that the aforementioned industry-specific compliance regulations will adopt a similar stance; indeed, they have already started to do so.
- The Cloud is the Thing
In terms of decades: if the 2000s were about defining the perimeter and improving perimeter security controls, and the 2010s saw the introduction of evasive techniques and more sophisticated malware that evolved over time, bringing about the need for next-generation technologies (including endpoint, firewall, and software-defined perimeter controls within virtualized platforms), then the 2020s will significantly expand the extension of security controls into the cloud as the adoption of cloud and hybrid architectures becomes more mainstream.
Data and applications have been moving to the cloud for a while now. Not only are cloud environments more complex to secure than local datacenters, they’re also vulnerable to a wider range of cyberattacks. For these reasons, some organizations have avoided a complete move to the cloud in favor of a hybrid approach.
Over the next decade, security and IT leaders will need to look for ways to secure complex, multi-cloud environments while retaining control over how cloud services are consumed. IT will need to find a way to be an enabler within the organization by defining standards that allow for the adoption of cloud technologies and limit shadow IT.
Cloud Access Security Brokers (CASBs) will continue to expand in use as more organizations consume cloud services in all areas of their business operations. This is a key enabler that protects corporate assets and data, reduces the burden on IT, and allows the business to explore new and improved technologies that better enable them.
We expect the compensating controls within big cloud infrastructure platforms — Azure, AWS, and Google Cloud, among others — to mature. This is an inevitable response to a clear business need, as cloud providers seek to keep customers ‘on brand’.
Security leaders will need to ensure that the tools being used to secure traditionally hosted data and services also extend to the cloud. This may take time to fully realize because many security tools currently don’t work well in the cloud. However, now that cloud usage has become the norm, security vendors are scrambling to ensure their tools remain relevant, and you will also continue to see cloud-focused security vendors becoming more relevant and even prominent among startups.
- Marie Kondo for Security Tools
When organizations began to take cybersecurity more seriously, they went on a security tool buying spree, resulting in a proliferation of tools that often did not work together. This was made worse by the abundance of cybersecurity startups that claimed to be the next best thing and tried to define a new market, creating significant confusion in the industry, compounded by baseless opinions that often used marketing and global reach as an indication of a technology’s effectiveness.
There were two big problems with this approach. First, it was expensive. Second, it introduced the hidden cost of the resources needed to manage these tools: a “Best of Breed” purchasing strategy creates unnecessary complexity in the architecture, requiring more trained staff to manage all the technologies in line with vendor-recommended best practices. This approach generally results in duplicated functionality across technologies and, as a result, ineffective implementations and underutilization of the investment.
As the cybersecurity industry slowly matures, organizations are realizing that they can’t solve all security problems by purchasing extra tools. It’s often quite the opposite. They need to simplify their technological footprint while focusing on the other two components of a functional security program: a strong team and effective, repeatable processes.
Similar to Marie Kondo’s approach to simplifying and organizing household belongings, we expect security leaders to recognize that their teams are better off maximizing the value of a handful of core tools than using just 5-10% of the functionality of many disparate technologies. We expect smarter purchasing decisions that factor in cross-vendor integration capabilities, or that consume technology as a service from an MSSP, focusing the buying decision on a business outcome.
- The Rise of 5G
The 2020s will be the decade of 5G. Any time there is a greater than 10X change, you should expect significant related effects. The promise of 5G is to improve mobile data rates and latency by 50 to 100 times. This technology will enable new applications, restructure cloud architectures, and notably be used in mission-critical enterprise applications like factory automation, robotics, transportation, and more.
5G will accelerate virtualization, proliferate distributed edge networks, and enable hackers to attack more devices at faster speeds. Cyber defenders will need to respond with new policies, security virtualization, tighter access controls, and new approaches to device authentication. Next-generation endpoint security technologies will need to be far more effective on mobile devices, locking down the device OS and controlling access to hardware capabilities and apps. Think of cryptojacking on mobile devices as an example of an attack type that would become viable.
- The SOC of the Future
A Security Operations Center, or SOC, is the nerve center where a team of security experts monitors and responds to cyber threats on behalf of their organization. Proficio operates a global network of SOCs and is a leader in innovating how SOCs operate for maximum effectiveness.
Over the next decade we expect the way SOCs function to change in a number of ways:
Historically, security event monitoring and response has been log-centered. If a log entry was flagged as suspicious, an alert was created and investigated by a security analyst. This approach is problematic when it comes to unknown threats because, until a threat has been seen and reported, there’s no rule to detect it. Unless an organization has an active threat hunting program in place, such threats can go undetected for some time. Keep in mind that the current industry average for mean time to detection of a breach is 200+ days.
We expect SOCs to adopt frameworks like MITRE ATT&CK, which encourage security teams to think in terms of tactics, techniques, and procedures (TTPs). While a new threat may involve hashes, C&C infrastructure, or URLs that haven’t yet been categorized as malicious, only a tiny proportion of threats use completely new and innovative TTPs.
As a result, a security program that’s set up to identify TTPs (rather than specific indicators) is much more likely to identify attacks and breaches.
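To make the indicator-versus-TTP contrast concrete, here is an added example (not code from the original post) that runs two detection rules over a handful of constructed process-creation events: one rule matches only a known-bad C2 domain, the other matches the behavior of an Office application spawning a script host, which ATT&CK describes under techniques such as T1204.002 (User Execution: Malicious File) and T1059.001 (PowerShell). The field names, the intel list and the events are all assumptions for illustration.

```python
"""Indicator-based vs TTP-based detection over constructed process telemetry.

Added example, not from the original post. Field names, the threat-intel list and
the sample events are constructed assumptions, not taken from any SIEM or EDR product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent: str        # parent process image name
    image: str         # child process image name
    cmdline: str
    dest_domain: str   # outbound connection made by the process, "" if none


# Constructed sample telemetry. ws-01 shows a macro-enabled document launching a
# hidden PowerShell that beacons to a domain no feed has categorized yet; ws-03
# shows a beacon to a domain that already appears in threat intel.
EVENTS = [
    ProcessEvent("ws-01", "explorer.exe", "winword.exe", "winword.exe report.docx", ""),
    ProcessEvent("ws-01", "winword.exe", "powershell.exe",
                 "powershell.exe -w hidden -enc <BASE64_PLACEHOLDER>", "updates-cdn.example"),
    ProcessEvent("ws-02", "explorer.exe", "chrome.exe", "chrome.exe", "mail.example.org"),
    ProcessEvent("ws-03", "services.exe", "svchost.exe", "svchost.exe -k netsvcs", "known-bad.example"),
]

# Constructed threat-intel list: only the previously reported C2 domain is known.
KNOWN_BAD_DOMAINS = {"known-bad.example"}

# Behavioral rule inputs: document-handling apps and script hosts they should not spawn.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def indicator_detections(events):
    """Classic log-centered rule: alert only when a known-bad indicator appears.

    This catches ws-03 but is blind to ws-01, whose C2 domain is not on any list yet.
    """
    return [e for e in events if e.dest_domain in KNOWN_BAD_DOMAINS]


def ttp_detections(events):
    """Behavioral rule: an Office application spawning a script host.

    Needs no indicator for the C2 domain, so it fires on ws-01 the first time the
    technique is seen, which is the point of TTP-centered detection.
    """
    return [e for e in events
            if e.parent.lower() in OFFICE_APPS and e.image.lower() in SCRIPT_HOSTS]


def hosts_missed_by_indicators(events):
    """Hosts the TTP rule flags that the indicator rule would have left undetected."""
    ioc_hosts = {e.host for e in indicator_detections(events)}
    return {e.host for e in ttp_detections(events)} - ioc_hosts


if __name__ == "__main__":
    for e in indicator_detections(EVENTS):
        print(f"[IOC] {e.host}: {e.image} -> {e.dest_domain}")
    for e in ttp_detections(EVENTS):
        print(f"[TTP] {e.host}: {e.parent} spawned {e.image}")
    print("missed by indicators alone:", sorted(hosts_missed_by_indicators(EVENTS)))
```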
For many organizations, a fully functional 24/7/365 operation is essential to ensure the ongoing security of sensitive data and assets. For all but the largest and most profitable organizations, however, building a security function of this magnitude is simply not financially viable. Currently, the minimum viable headcount for an average organization of about 3000 employees to implement a 24x7 SOC operation is 27; this provides the minimum viable shift coverage and assumes a well-rounded, optimized technology stack for security control enforcement and monitoring. The challenge is that these resources would have an effective average utilization of less than 20%, which is not very conducive to staff retention. Add this to the ever-present challenge of the cybersecurity skills gap, and it’s easier to understand why many organizations will turn to Managed Security Service Providers (MSSPs) to supplement the capabilities of in-house resources.
Women represent about a quarter of the cybersecurity workforce. We expect this percentage to increase considerably over the next decade, with the accompanying benefit of reducing the shortage of cyber professionals and adding diversity.
- More Intelligent Patching
Vulnerability Management is key to a mature security program. However, VM scans can generate so many vulnerabilities that IT teams only have the resources to patch a fraction of the hosts and devices identified as requiring updates. Sometimes the quantity of alerts can be so overwhelming that it slows down remediation or results in no action at all.
The solution to this challenge is to prioritize based on the risk of a vulnerability being exploited in the context of the criticality of the asset, industry vertical, and level of known activity in the wild. Vulnerability Management needs to become a process that prioritizes based on risk, includes expert advice on the best approach to remediation, and measures and reports on progress.
We see Risk-based Vulnerability Management becoming standard to most organizations over the next decade.
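The prioritization described above, worked through as an added example (not code from the original post): a scoring function that scales CVSS severity by asset criticality and adds points for observed exploitation, internet exposure and relevance to the organization’s vertical, then ranks a constructed list of findings. The weights, asset tiers, vulnerability identifiers and findings are all assumptions; a real program would feed in its own asset inventory and exploitation intelligence.

```python
"""Risk-based vulnerability prioritization over a constructed finding list.

Added example, not from the original post. The weighting scheme, the asset tiers and
the sample findings are constructed assumptions; the vulnerability ids are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str              # placeholder id, not a real CVE
    cvss_base: float          # 0.0 - 10.0, as reported by the scanner
    asset_criticality: int    # 1 (lab/dev) .. 5 (crown jewel), from the asset inventory
    exploited_in_wild: bool   # exploitation reported by threat intelligence
    exposed: bool             # reachable from the internet
    industry_match: bool      # active campaigns target this organization's vertical


# Constructed findings. Sorted by CVSS alone, dev-lab-07 would be patched first.
FINDINGS = [
    Finding("dev-lab-07",     "VULN-A", 9.8, 1, False, False, False),
    Finding("payments-db-01", "VULN-B", 7.5, 5, True,  False, True),
    Finding("web-edge-02",    "VULN-C", 8.1, 3, False, True,  False),
    Finding("hr-portal",      "VULN-D", 6.5, 4, True,  True,  False),
]


def risk_score(f: Finding) -> float:
    """Return a 0-100 score: scanner severity scaled by asset and threat context."""
    # Severity: CVSS 0-10 mapped onto 0-40 points.
    score = f.cvss_base * 4.0
    # Asset criticality scales what a successful exploit would cost the business
    # (tier 1 -> x0.75, tier 3 -> x1.25, tier 5 -> x1.75).
    score *= 0.5 + 0.25 * f.asset_criticality
    # Threat context: evidence of real-world activity outweighs theoretical severity.
    if f.exploited_in_wild:
        score += 25
    if f.exposed:
        score += 15
    if f.industry_match:
        score += 10
    return round(min(score, 100.0), 1)


def remediation_tier(score: float) -> str:
    """Map a score onto an action so the queue reports progress, not just counts."""
    if score >= 70:
        return "patch now"
    if score >= 40:
        return "next maintenance window"
    return "track"


def cvss_only_order(findings):
    """Baseline: the order a raw scanner export would produce."""
    return [f.asset for f in sorted(findings, key=lambda f: f.cvss_base, reverse=True)]


def prioritize(findings):
    """Risk-ranked queue: highest risk score first."""
    return [f.asset for f in sorted(findings, key=risk_score, reverse=True)]


if __name__ == "__main__":
    print("CVSS-only order:", cvss_only_order(FINDINGS))
    for f in sorted(FINDINGS, key=risk_score, reverse=True):
        s = risk_score(f)
        print(f"{f.asset:15} {f.vuln_id} cvss={f.cvss_base:4} risk={s:5} -> {remediation_tier(s)}")
```

The ranking shows the page’s point: the CVSS 9.8 finding on the isolated lab host drops to the bottom, while the CVSS 7.5 finding on the payments database, exploited in the wild and relevant to the vertical, moves to the top.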
- Don’t Forget Humans are Fallible
Human error is the second most common cause of a security breach. Human errors range from configuration errors on cloud architectures, servers and security devices to failure to follow organizational policies by administrators and users alike.
Humans are not going to change. So, to compensate for this reality we urge IT leaders to prioritize training, process control, and use technology where possible to automate tasks and detect issues resulting from simple mistakes.
- In the End It’s All About Risk
It is inevitable that most organizations will experience a security breach at some time. The operational priority for any organization is to quickly detect and remediate a breach.
In the 2020s, we expect IT leaders will increasingly need to explain the magnitude and types of cyber risk that apply to their organizations and provide their executive teams with strategic options to reduce risk.
Shareholders and customers want to understand what organizations are doing to protect important assets and data.
Up until now, security leaders have been forced to spend a huge amount of time preparing reports for board and stakeholder consumption. Many resorted to Excel and manual databases because alternatives weren’t available.
Over the next decade, security leaders will rely on business intelligence dashboards that show the threats facing their organizations and trends by type of attack and attack target. These dashboards will summarize the organization’s security posture, identify gaps, and compare risk with that of industry peers in near real time, as opposed to a monthly point in time based on sometimes limited and stale data. Proficio’s ThreatInsight is an example of such a dashboard.
2020s: A Decade to Embrace Change
As we wave goodbye to 2019, we are excited about the changes that the next decade will bring and looking forward to helping our clients protect their data and brand.
From all of us at Proficio, we wish you a safe and successful 2020.
Organizations today are aware of their cybersecurity risk, but many struggle to determine what is the best way to stay protected. Finding the right balance between using internal resources and outsourced managed services is the key to a successful cybersecurity program. But how do you weigh your need to control technology and operations with the size and skills of your cybersecurity staff?
Grant Slender, CISO and Head of Security, Cloud and Support of Queensland Investment Corporation (QIC), spoke at Splunk’s .conf19 about how they achieved this balance. In his presentation, he explained how QIC uses Proficio’s managed security services and Splunk’s Cloud technology in what he coined as a “Goldilocks Architecture”.
The underlying aspects of all strong cyber defense programs are the people, process and technology:
- People – Security teams must have the skills to manage your devices and monitor security alerts, but also to build the appropriate content to quickly and accurately detect threats within your environment
- Process – Having good processes in place keeps the team running smoothly and ensures that security events are documented and handled consistently
- Technology – Selecting the right technology mix to put in your environment is essential for having a strong cybersecurity posture
Allocating resources to each of these elements and defining how they work together can be a challenge – one that can take several iterations before getting it right. More and more organizations are moving towards hybrid SOC models where security operations are shared by in-house staff and an outsourced partner.
To determine the right model for your team, consider the following:
For some enterprises, purchasing and maintaining a SIEM is the ideal option. It gives you full ownership of both the technology and content and allows you to build a security infrastructure that meets your needs.
But purchasing a SIEM is expensive and comes with its own set of challenges.
When looking at this option, one must consider things like:
- Who is going to install the SIEM? Where will it be deployed?
- Who will monitor security events?
- Who will create the searches and analytics you use to discover threats? Will they be regularly updated and tuned for your environment?
- How do you integrate and curate threat intelligence into your analytics?
- How much time will your team spend managing the system?
- How do you increase capacity as your organization grows?
- Do you need a redundant architecture?
Staffing is often the biggest challenge, as many organizations struggle to recruit and retain qualified individuals to manage and monitor their SIEM. You will need to ensure 24/7 coverage, including staff committed to working the graveyard shift to avoid coverage gaps, and building a Security Operations Center (SOC) requires multiple skill sets, including SIEM Content Developers, Security Engineers, and Incident Responders. Organizations that cannot support this degree of specialization often look into outsourcing some or all of their security operations.
Fully Managed Model
If owning the SIEM is not a viable option for your organization, you may consider fully outsourcing your security operations. Under this approach, a managed security service provider (MSSP) sends security events from multiple clients to a centrally hosted SIEM. The MSSP takes responsibility for detecting indicators of attack or compromise and alerting their clients accordingly.
Using a fully managed service is attractive to some organizations because it does not require them to buy complex software or staff a SOC. Moreover, MSSP clients benefit from an OPEX model, reduced cost of ownership, and a service that can scale to meet the needs of a growing business. But there are also trade-offs to this approach, including reduced opportunity for customization and less control of data and technology. In addition, some MSSPs use proprietary SIEM technology and are challenged to keep their software competitive with industry leaders, causing the accuracy and quality of security alerts to decline over time.
QIC tried managing an on-premise SIEM but found it difficult and complex. Then they tried using a fully managed SIEM but realized that they needed more control over their technology stack and data. Their last approach, the Goldilocks architecture, left them most satisfied; this co-managed service pairs Splunk Cloud with Proficio managed security and monitoring services.
“It was just the right balance between having a technology stack that we had ownership on, where we understood what the data was doing (and) where it was transitioning into security events… but we also had that global scale coverage, 24×7 cover, processes and people. For me, it was that Goldilocks architecture that enabled us to be successful.”
Grant Slender, CISO & Head of Security, Cloud and Support, QIC
Partnering with an MSSP to create a hybrid model allows you to own the technology components but outsource the 24/7 monitoring and management, reducing staffing challenges and lowering your OPEX. A good MSSP will create a personalized runbook, set up business context modeling to understand your high-value assets, and provide you with metrics, so that you can present your security posture to the board. They should also be experts who can help you properly configure your SIEM – from data ingestion to use cases – and be available to tune it over time to keep it running optimally.
Selecting the right MSSP is critical, as they are an extension of your team. Since most organizations cannot staff a 24/7 SOC, their in-house team should not feel threatened by the possibility of job loss; rather, they should embrace the opportunity to focus on more varied and challenging tasks.
The threat landscape continues to evolve. Attackers will only get smarter, faster and more creative, so organizations need to stay ahead of tomorrow’s cyberthreats. Whatever approach you choose, make sure you’ve got a partner with experience and a vision for the future.
Proficio is an industry leading Managed Detection and Response service provider, utilizing next-generation technology and methods to detect advanced threats and automate responses. Contact Proficio to learn about our customized security options and see how we can help your company stay protected.
IT security teams have a very difficult job, with an ever-changing threat landscape and the fact that a cyberattack only has to succeed once for an organization to be negatively affected. At the same time, most organizations are strapped for resources, especially when it comes to training and keeping experienced in-house security staff. A recent study conducted by Cybersecurity Ventures on the cybersecurity skills shortage found that the staffing shortage will grow to 3.5 million open positions by 2021.
Now, more than ever, organizations need to think about whether it makes sense to fully manage their own security operations in-house, share their cybersecurity responsibilities with a managed security services provider (MSSP), or outsource their cybersecurity operations completely.
To Build Or Not To Build
Many organizations that currently operate an in-house security operations center (SOC) started on this path at a time when there were fewer acceptable alternatives. Large organizations with the scale to build SOCs see the benefits in terms of control of operations and data and the ability to customize processes to their specific needs. CIOs making the build vs. buy decision today would likely weigh the pros and cons differently from their predecessors.
For starters, the cost of hiring, training and retaining staff will only increase as the cybersecurity skills shortage continues to grow. While the upfront costs of investing in security products and operational systems are significant, the real challenges are the time it takes to operationalize these investments and the high risk of building a security operations center that does not effectively prevent security breaches. In-house SOCs also risk becoming insular and are seldom the first to identify and respond to new threats.
To build a SOC from scratch can take 18 months. Time and resources are consumed with hiring staff, acquiring and optimizing technology, building security use cases, fine tuning threat intelligence and analytics, defining and documenting procedures and more. Like any significant project, the risk is that it will take longer and cost more than originally planned.
The Co-Managed/Hybrid Model
In a hybrid model, the duties of managing the SOC are shared between the organization and an MSSP. Through co-management, enterprises can build on the existing investments they have made in people and technology. Picking and choosing the services they need most, leveraging advanced use cases and content, and extending their security monitoring to 24×7 coverage enables IT security teams to become more effective and responsive.
In a Co-Managed security model, the cost savings can be significant, compared to keeping everything completely in-house. Based on a three-year total cost of ownership, the cost of a co-managed SOC model is typically half the cost of an in-house model.
A third option for enterprises is to outsource the SOC completely and leverage a managed security services provider’s expertise and resources. This will greatly improve overall scalability and can save on costs associated with having to build your own cybersecurity program from scratch, or share SOC management duties.
Just like the other two options, there are pros and cons to the fully outsourced model as well.
Cons: Outsourcing security operations to a managed security service provider creates a dependency on a third party and requires coordination between the internal and external teams. Depending on the MSSP’s ability to customize its services, organizations may have to compromise on the method of service delivery. Where an MSSP can align the way it detects threats, escalates alerts, and responds to security events to a customer’s unique environment, the efficacy of its service is considerably increased. Therefore, it is important to choose an MSSP that is responsive and can be a true extension of your IT team.
Pros: At its heart, the job of a SOC is to accurately detect indicators of attack or compromise and quickly contain them. To do this effectively requires a significant investment in people, processes, and technology. Many organizations simply do not have the budget, expertise or scale to perform this function completely in-house. Staffing this function requires a range of talent that includes SIEM content development, security engineering, threat research and tiers of SOC Analysts. Hiring and retaining this talent is less challenging for MSSPs, which have the opportunity to provide a career path for employees. Experienced MSSPs are better able to operate a 24×7 security monitoring service or distribute the function on an around-the-clock basis.
The decision to use an MSSP is not just a question of cost and logistics – it is also an efficacy issue. After all, nobody is thanked for “failing cheaply”. By choosing the right MSSP, an organization should benefit from a world-class security detection and response service which can be quickly implemented, tailored to the client’s needs and is scalable. Effective MSSPs use both advanced analytics and expert investigations to detect and prioritize relevant threats and discover suspicious behavior. New threats often move across industries and geographies and MSSPs can use their visibility into their diverse customer base to minimize the risk of a security breach.
Next-generation firewalls and endpoint security products are an important part of a modern cyber defense strategy. However, not all organizations have the expertise to deploy and manage these technologies. MSSPs can offer services to off-load management tasks like configuration management, tuning, patch management, and managed response, as well as maximize the effectiveness of these investments.
Choosing What’s Right For You
When business decision-makers are trying to choose the right solution, whether it’s building an in-house SOC, Co-Managing or Fully Outsourcing, there are a number of questions they should ask themselves, including:
- What is your existing approach to security operations and how is it working?
- Do you have the budget and ability to recruit and grow an in-house team?
- What is your organization’s risk profile as it relates to cyber threats?
- How dynamic is your environment – is your organization growing, acquiring companies, introducing new services or products?
It’s important to assess the needs of your organization, thoroughly evaluate potential providers, crunch the numbers, and consider your timeline before choosing the deployment or an MSSP that’s right for you.
If you find yourself needing an MSSP solution, check out our customizable services here.
Should Your MSSP be SOC 2 Compliant?
SOC stands for Service Organization Controls and falls under the Statement on Standards for Attestation Engagements (SSAE) No. 16. SSAE 16 was issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in 2010. SSAE 16 effectively replaces SAS 70 as the authoritative guidance for reporting on service organizations like MSSPs.
SOC 1, SOC 2, and SOC 3 Audits
There are 3 categories of reports on control at service organizations:
SOC 1: Audit report that focuses on examining internal controls relevant to financial reporting to help ensure compliance with laws and regulations such as Sarbanes-Oxley.
SOC 2: Audit report that focuses on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy. SOC 2 Type 1 reports cover management’s description of internal controls; SOC 2 Type 2 reports independently examine the effectiveness of these controls.
SOC 3: Similar to SOC 2, SOC 3 focuses on controls related to security, processing integrity, confidentiality, or privacy of the data center’s system and information. SOC 3 reports are designed to be made public for audiences that do not need to understand the details of the tests performed by the service auditor and results of those tests.
Do Audits Matter?
Customers count on their security service providers to identify threats and protect their infrastructure, applications and confidential information from cyber attacks. Delivering such a service requires powerful technology, security experts, and effective processes. It also requires the internal processes to ensure that customer data is secure and a provider’s service platform is protected from attacks. An independent audit of internal controls is important to give customers confidence that policies and controls are in place and are operating effectively.
So yes… Audits do matter.
Audits Also Save Time and Money
Security teams and Compliance Officers can spend weeks creating and evaluating vendor surveys that review the internal controls of potential vendors. Independent audits save time and money plus provide a higher level of confidence than available through vendor responses.
Proficio is SOC 2 Type 2 Compliant
Proficio undergoes annual SOC 2 auditing against the trust principles of Security, Availability, and Confidentiality. These audits review our controls against the AICPA’s “Common Criteria” and test those controls. Our auditor’s reports, available upon request, show that our controls are in full compliance with the standards, and when tested, passed without exception.
SIEM systems were first created for large enterprises and government agencies that were frequent targets of advanced cyber attacks. Back then, smaller and lower-profile organizations were able to get by with basic security tools as they were seldom the target of hackers. The world has changed and today cyber attacks have become so widespread and complex that small and medium-sized organizations need the same next-generation SIEM tools as large enterprises.
Next-generation SIEM technology uses advanced correlation techniques encompassing applications, transactions, pattern and behavior discovery, statistical and moving average anomalies, business process management, risk management, and global threat intelligence feeds.
Many organizations are caught between a rock and a hard place. They need industrial strength security, but do not have the people or the budget to run a security operations center (SOC) and administer a SIEM system. SIEM systems are typically complex to administer and require teams of people for monitoring events, experts for authoring use case content, and a lot of care and feeding.
We recommend resource-strapped organizations look at cloud-based offerings from new companies providing a SOC-as-a-Service. This new breed of Managed Security Service Providers (MSSPs) uses a cloud-based shared services model. There is no upfront investment in hardware and software and no requirement to hire a team of security and SIEM experts – instead customers pay subscription fees for a turnkey service.
What should you look for in a Next-Generation MSSP?
- Support for a wide diversity of log collection sources, covering a broad selection of device types, vendors, applications, and users
- Support for non-log data intelligence and the ability to actually correlate that information with log events
- Support for user monitoring, identity and actor profiling or behavior analysis
- Asset and business process modeling
- Advanced methods of correlation from multiple devices and vectors
- Advanced use cases applicable to your business
- Active Lists for correlation with items like former employees, contractors, trusted partners, or suspicious addresses
- Escalation of threats to higher level alert priorities as suspicious activity persists
- Prioritization of threats based on Asset Criticality, Model Confidence, Relevance, and Event Severity
- Automated remediation response to specific Very High Level Alerts
- Compliance content packages and simple reports for compliance including HIPAA, PCI, SOX, FFIEC, etc.
- Threat Intelligence and Reputation Active List correlation with globally known abusive attackers, command and control servers, and malicious IP addresses
- Correlation of vulnerability scan data and specific vendor IDS threat definitions to determine if an exploit is targeting an existing vulnerability, indicating a high probability of success
- Easy-to-Use Web Portals with graphical dashboards
- Case management and Workflow
- 24×7 Expert support
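The prioritization and correlation items above (asset criticality, model confidence, relevance, event severity; escalation as activity persists; vulnerability scan data matched against IDS signatures; reputation active lists) are illustrated by the following added example, which is not Proficio's code or any SIEM's actual scoring formula. All IPs, signature ids, CVE ids and weights are constructed placeholders.

```python
from collections import Counter
from dataclasses import dataclass

# All reference data below is constructed for illustration, not from any real environment.
VULN_SCAN = {"10.0.5.20": {"CVE-0000-0001"}, "10.0.5.21": set()}      # asset -> unpatched CVEs
ASSET_CRITICALITY = {"10.0.5.20": 9, "10.0.5.21": 3}                   # asset model, 1..10
REPUTATION_LIST = {"203.0.113.7"}                                       # threat-intel active list
IDS_SIG_CVE = {"SID-1001": "CVE-0000-0001", "SID-2002": "CVE-0000-0002"}  # IDS signature -> CVE it detects

@dataclass
class Event:
    src: str       # source IP
    dst: str       # targeted asset
    sig: str       # vendor IDS signature id
    severity: int  # vendor event severity, 1..10

class Correlator:
    def __init__(self):
        self.hits = Counter()  # suspicious events seen per source, for escalation

    def prioritize(self, ev):
        """Score one IDS event: returns (priority 0..100, tier, reasons)."""
        reasons = []
        cve = IDS_SIG_CVE.get(ev.sig)
        # Relevance: the signature's CVE matches an unpatched scan finding on the target,
        # so the exploit has a high probability of success.
        relevance = 1.0 if cve and cve in VULN_SCAN.get(ev.dst, set()) else 0.3
        if relevance == 1.0:
            reasons.append(f"{cve} unpatched on {ev.dst}")
        # Model confidence: a source on the reputation list is more likely hostile.
        confidence = 1.0 if ev.src in REPUTATION_LIST else 0.5
        if confidence == 1.0:
            reasons.append(f"{ev.src} on reputation active list")
        criticality = ASSET_CRITICALITY.get(ev.dst, 5) / 10
        base = ev.severity * 10 * criticality * relevance * confidence  # 0..100
        # Escalation: each further event from the same source raises the priority.
        self.hits[ev.src] += 1
        priority = min(100.0, base + 10 * (self.hits[ev.src] - 1))
        if self.hits[ev.src] > 1:
            reasons.append(f"persisted: {self.hits[ev.src]} events from {ev.src}")
        tier = ("very high" if priority >= 75 else "high" if priority >= 50
                else "medium" if priority >= 25 else "low")
        return round(priority), tier, reasons

if __name__ == "__main__":
    c = Correlator()
    for _ in range(2):  # same attack twice: the second copy is escalated
        print(c.prioritize(Event("203.0.113.7", "10.0.5.20", "SID-1001", 8)))
    print(c.prioritize(Event("198.51.100.9", "10.0.5.21", "SID-2002", 8)))
```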
In today’s heightened threat environment, IT leaders must find creative ways to leverage their resources and better defend against advanced cyber attacks.
Balancing the cost of IT security operations vs. the risk of a security breach is one of the toughest challenges facing IT leadership. CIOs and CISOs are seldom thanked when nothing bad happens and, despite making their best efforts within a limited budget, usually blamed when a security incident does occur.
Modern enterprises can generate hundreds of millions of security events every day, and these events must be collected and analyzed around-the-clock to detect actual or pending attacks. Conventionally, organizations have staffed Security Operations Centers (SOCs) and deployed SIEM technology as the cornerstone of their security event monitoring programs.
However, today many forward-thinking enterprises are adopting hybrid models where some or all of these functions are outsourced to service providers.
The Challenges of Building and Operating a SOC
Why Outsource Security Event Monitoring
1. Challenges in Hiring and Retaining Security Experts
With an unprecedented shortage of qualified cybersecurity professionals, IT organizations face the most challenging job market in history. Cisco estimated the global shortage of cybersecurity professionals to be one million in 2014, and analysts are now projecting 3.5 million unfilled positions by 2021. Many organizations find it difficult to attract and retain qualified security experts, causing gaps in the efficacy of their security operations. Experts in SIEM technology are particularly expensive to hire and retain. SIEM consultants can backfill gaps in hiring, but they command a very high hourly rate.
Cybersecurity experts find Managed Security Service Providers (MSSPs) to be attractive employers because they offer competitive salaries, opportunities for skill enhancement, and security focused career paths. Service providers can also locate their SOCs close to concentrations of cybersecurity workers – an accommodation that is more difficult for other organizations to make.
2. Threat Visibility
Cyberattacks are constantly morphing as hackers exploit new vulnerabilities and create new variations of malware. CryptoLocker, CryptoWall, and other variants of ransomware are prime examples of this. Service providers are often the first to see new attack vectors and techniques as their customer base encompasses organizations in many different industries and locations. Compared to individual enterprises, users of a managed security service may also benefit from more sources of third party threat intelligence feeds and advanced correlation analysis between threat intelligence data and other suspicious behavior. Overall, improved threat visibility increases the chance of detecting and preventing a cyber breach.
3. 24×7 Vigilance
Advanced cyber attacks frequently originate from Eastern Europe, China and other regions whose working hours fall outside the target's normal business hours. Just blocking traffic to or from a country like Russia does not address this issue, because hackers have anticipated this countermeasure and now launch their attacks from IP addresses in countries perceived to be lower risk.
Effective security requires around-the-clock monitoring to detect and respond to targeted attacks before they result in loss of data and damage to an organization’s brand. Often staffing and managing a 24×7 SOC is beyond the resources of an organization, but service providers can provide this capability to their customers at a reasonable cost.
4. Lack of SIEM Content
The underlying effectiveness of a SIEM system is driven by the rules and use cases that detect indicators of attack, indicators of compromise, or policy violations. Depending on the size and complexity of an organization’s infrastructure, a fully functioning SIEM may have hundreds of use cases. Default use cases provided by SIEM vendors are often outdated, ineffective and not mapped to the specific technologies and applications used by a SIEM user.
Building SIEM content is time consuming and requires an in-depth understanding of the threat landscape and the logic by which security events are mapped to different attack vectors and vulnerabilities. Well-tuned rules and content help increase the productivity of Security Analysts’ investigations ensuring their time is spent on the most critical events and not chasing false positives. Service providers can leverage the cost of developing SIEM content across many customers and dedicate resources to continuously develop new and customized rules and use cases.
5. More Effective SOC Analyst Investigations
No SIEM can provide 100% accurate alerts. Security experts are needed to investigate suspicious alerts to determine the criticality of a threat. In a high performance SOC with a well-tuned SIEM, you can expect the following:
- Half of all high priority actionable alerts are the result of Security Analyst investigations
- Of all the system alerts requiring analyst action, after investigation, about half turn out to be false positives
These data points underscore the importance of having sufficient human security experts available 24×7.
Service providers augment the existing team of Security Analysts and can often more effectively filter and correlate security events to present Security Analysts with better data. Outsourcing monitoring tasks also improves the morale of existing employees and allows them to focus on other priorities.
6. Rapid Response
Responding rapidly to security incidents is as important as the ability to detect and prioritize security threats. Critical events require response by senior security analysts and, if needed, remediation actions like wiping a laptop, blocking an IP address, or quarantining a file.
Effective incident response requires security experts to be available on a 24×7 basis, which is not always possible for even large organizations with dedicated CSIRT teams.
Next-generation SOCs are increasingly automating responses to critical security threats. For example, a SOC can automatically block an IP address on a firewall after detecting network reconnaissance from a known malicious IP address targeting a high-value asset. Temporarily blacklisting an IP address gives IT teams time to investigate the threat and remediate it if necessary. This approach is particularly useful at companies where operations teams are not available outside standard business hours. Building automated response actions requires fine-tuned use cases along with integration and testing resources.
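The automated, time-bounded block described above, as an added example that is not part of the original article or Proficio's ProSOC: the response fires only when all three conditions hold (known-malicious source, reconnaissance signature, high-value target), everything else is left to an analyst, and the block expires after a TTL so the team has a window to investigate. The firewall object is a stand-in, and the IPs, signature ids and TTL are constructed.

```python
import time
from dataclasses import dataclass

# Constructed sample data for illustration only.
KNOWN_MALICIOUS = {"203.0.113.7"}            # threat-intel reputation list
HIGH_VALUE_ASSETS = {"10.0.5.20"}             # from the asset model
RECON_SIGNATURES = {"SID-3001", "SID-3002"}   # IDS signatures classed as reconnaissance
BLOCK_TTL = 4 * 3600                          # block expires after 4 hours unless an analyst extends it

@dataclass
class Alert:
    src: str
    dst: str
    sig: str

class RecordingFirewall:
    """Stand-in for the firewall API; records calls instead of touching a device."""
    def __init__(self):
        self.calls = []
    def block(self, ip): self.calls.append(("block", ip))
    def unblock(self, ip): self.calls.append(("unblock", ip))

class AutoResponder:
    """Time-bounded auto-block, fired only when source, signature and target all match."""
    def __init__(self, firewall, clock=time.time):
        self.firewall = firewall
        self.clock = clock          # injectable for testing
        self.blocked = {}           # ip -> expiry timestamp

    def should_block(self, a):
        return (a.src in KNOWN_MALICIOUS and a.sig in RECON_SIGNATURES
                and a.dst in HIGH_VALUE_ASSETS)

    def handle(self, a):
        """Returns 'blocked', 'already-blocked' or 'escalate-to-analyst'."""
        if not self.should_block(a):
            return "escalate-to-analyst"   # anything else stays a human decision
        if a.src in self.blocked:
            return "already-blocked"
        self.firewall.block(a.src)
        self.blocked[a.src] = self.clock() + BLOCK_TTL
        return "blocked"

    def expire(self):
        """Lift blocks whose TTL has passed, giving the team time to investigate first."""
        now = self.clock()
        for ip in [ip for ip, t in self.blocked.items() if t <= now]:
            self.firewall.unblock(ip)
            del self.blocked[ip]
```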
7. Operational Excellence
It is a truism that maintaining effective security operations requires combining the use of people, process, and technology. Managing these elements is non-trivial. The Target stores data breach exemplifies this point as their SOCs in Bangalore and Minneapolis reportedly received priority malware alerts, but failed to act on them.
Maybe their Security Analysts were swamped with other alerts. Perhaps their runbook, which should have described detailed processes and escalation procedures, was not clear or updated. Service providers that have sophisticated support systems, trained personnel, and fine-tuned procedures and workflow can help their customers achieve operational excellence.
8. Time and Money
The decision to outsource security event monitoring is heavily influenced by the risk of operating at a diminished level of security effectiveness. Building a SOC and tuning a SIEM takes months, sometimes years, with a long list of dependencies including hiring, training, and system integration efforts. Service providers reduce their customers’ exposure to security breaches during the periods when security operations are not yet running at full speed.
Service providers also have greater potential to leverage economies of scale than single business entities. This is particularly true in a 24×7 operation where, of the 1095 eight-hour shifts in a year, only 260 fall during normal business hours.
About Proficio and ProSOC
Proficio is a cloud-based cyber security service provider. We combine state-of-the-art analytics with around-the-clock security monitoring to provide advanced threat detection and breach prevention solutions to enterprises, healthcare providers, and government. Our services include:
- Security Event Monitoring and Alerting: High-touch SOC services including 24×7 real-time security monitoring, investigations, actionable alerts, escalations, and runbook management
- SIEM-as-a-Service: Log collection, retention, analysis, alerting, advanced correlation analysis, business context modeling, and behavioral analytics
- Visibility: Full visibility into event logs through the easy-to-use ProView web portal, with powerful reporting, dashboards, and drill-down analytics
- Threat Intelligence: ProSOC integrates external threat intelligence data and nefarious traffic identified within our customers’ networks into our threat intelligence database
- SIEM Administration: SIEM administration, operations management, patching, tuning, health and performance monitoring, and troubleshooting
- SIEM Content Development: Development and maintenance of advanced security use cases, rules, dashboards, and reports
- Incident Response: 24×7 investigations, advice, remediation, forensic analysis, and automated response to contain high priority threats
- Compliance Reporting, Dashboards, and Workflow: PCI, HIPAA, SOX, GLBA, FFIEC, NERC CIP, FISMA, and others
- Managed Security: Full security device management services including configuring, tuning and patching firewalls, NGFWs, IDS/IPS, and WAFs
- Vulnerability Management: ProSCAN (powered by QualysGuard) includes Vulnerability Scanning, Asset Discovery, and Web Application Scanning
- Security Assessment: Risk Assessments, Penetration Testing, Social Engineering, and Compliance Assessments