With the increasing digitization of society – wearable technology, cloud computing, internet of things, big data and more – it is human nature to look at your existing IT environment and wonder if you have the right portfolio in place to not only drive your business forward but also keep your data secure.
Last week, we started a series of blog posts that dig deeper into the real fears we hear constantly from CIOs and CISOs alike when it comes to the human aspect of cybersecurity.
This week, we’ll examine the fear: Do I have the right cybersecurity technology in place?
In short, this is the wrong question to ask – the right question to ask is: “Do I have the right mix of infrastructure, tools, personnel, and process in place to be cybersecure?”
Let’s use SIEM and SOC as examples. Recent studies find that nearly half of companies already employ Security Information and Event Management (SIEM) and a Security Operations Center (SOC) as part of their cybersecurity portfolio, and that security intelligence systems save companies nearly $2 million with a 23 percent return on investment. As a result, many organizations deploying these tools expect them to resolve their IT service problems and stop cyberattacks on their own.
However, nothing could be further from reality. The purpose of a SIEM and a SOC is to reduce risk by providing real-time alerts of cyberattacks. Important? Yes: you need to know what is attacking you. What is missing, though, is action. Detection alone changes nothing; the SOC is supposed to build the analysis, monitoring rules, processes, and procedures that actually resolve the suspicious events and incidents the SIEM flags.
That expectation ignores a few realities of these solutions in action:
- Too many cooks in the kitchen. The SOC provider monitors an IT environment that is managed by a different service provider. This creates problems with privileges and permissions, and with who is accountable when things go wrong.
- Scope is limited. Even where the SOC has permission to make changes, that permission rarely extends beyond perimeter devices such as firewalls and web gateways; changes to internal systems and applications are often not permitted.
- Business and IT silos collide. Where an incident is caused by a business process, it is often difficult for the SOC to change anything, because the SIEM and SOC are run as IT security solutions and do not integrate well with business processes.
If your process or business environment is hostile to change because it is unstable, or because you have suffered a high volume of service outages, your incident resolution will be less effective. It doesn’t matter how fine-tuned your SIEM and SOC deployments are: if you don’t transform your business environment first, these tools will not provide the value you expect.
So what can you do? When it comes to SIEM and SOC, there are five steps you should take before you deploy:
- Require the SIEM project to fix, not merely flag, the high-severity security issues it raises within the first six months of the solution going live.
- Bring in expert resources to investigate systems further; this is where deep-rooted system and application misconfigurations are typically found.
- Involve business units and business owners in defining use cases and alerts. Educate them on the alerts they may receive as a result and the actions they will be required to take.
- Avoid a high volume of incident escalations that call out the crisis team, particularly for incidents that have not been confirmed.
- Engage a professional services firm to carry out the planning and architectural design before engaging a service provider to deploy your SIEM or run your SOC.
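The two middle steps above, business-owned use cases and no crisis escalation on unconfirmed alerts, can be shown in a small triage routine. The following is an added example, not code from the original post or from any SIEM vendor; the use-case names, owners, hosts, event sources and the sample events are all constructed for illustration. Each use case records the business owner and the action they agreed to take, and an alert is only escalated to the crisis team once a second, independent source corroborates the SIEM hit.

```python
from collections import defaultdict

# Use-case catalogue agreed with business owners (hypothetical names).
# "confirm_with" is the independent source that must also report the
# activity before the alert counts as confirmed.
USE_CASES = {
    "finance_bulk_export": {
        "owner": "finance-ops",
        "severity": "high",
        "action": "Ask the finance lead whether the export was scheduled; "
                  "if not, disable the account and call the crisis team.",
        "confirm_with": "dlp",
    },
    "admin_login_offhours": {
        "owner": "it-platform",
        "severity": "medium",
        "action": "Check the change calendar; if there is no approved change, "
                  "reset the credentials.",
        "confirm_with": "vpn",
    },
}

# Constructed SIEM event stream: which rule fired, on which host, and which
# data source produced the evidence.
SAMPLE_EVENTS = [
    {"use_case": "finance_bulk_export", "host": "fin-app-01", "source": "siem"},
    {"use_case": "finance_bulk_export", "host": "fin-app-01", "source": "dlp"},
    {"use_case": "finance_bulk_export", "host": "fin-app-02", "source": "siem"},
    {"use_case": "admin_login_offhours", "host": "dc-01", "source": "siem"},
    {"use_case": "admin_login_offhours", "host": "dc-01", "source": "siem"},
    {"use_case": "admin_login_offhours", "host": "dc-02", "source": "siem"},
    {"use_case": "admin_login_offhours", "host": "dc-02", "source": "vpn"},
    {"use_case": "unknown_rule", "host": "lab-07", "source": "siem"},
]


def triage(events):
    """Group raw events per (use case, host) and route them.

    Returns a dict with four queues:
      crisis   - confirmed, high-severity alerts: page the crisis team
      owner    - confirmed alerts routed to the business owner's agreed action
      hold     - SIEM-only hits awaiting a corroborating source
      unmapped - rules that fired but have no agreed use case (tuning debt)
    """
    sources_by_alert = defaultdict(set)
    for event in events:
        sources_by_alert[(event["use_case"], event["host"])].add(event["source"])

    queues = {"crisis": [], "owner": [], "hold": [], "unmapped": []}
    for (use_case, host), sources in sources_by_alert.items():
        spec = USE_CASES.get(use_case)
        if spec is None:
            queues["unmapped"].append({"use_case": use_case, "host": host})
            continue
        # A repeated SIEM hit is not a confirmation; only the agreed
        # independent source counts.
        confirmed = "siem" in sources and spec["confirm_with"] in sources
        ticket = {
            "use_case": use_case,
            "host": host,
            "owner": spec["owner"],
            "action": spec["action"],
            "confirmed": confirmed,
        }
        if not confirmed:
            queues["hold"].append(ticket)
        elif spec["severity"] == "high":
            queues["crisis"].append(ticket)
        else:
            queues["owner"].append(ticket)
    return queues


def queue_counts(events):
    """Convenience summary: number of tickets in each queue."""
    return {name: len(items) for name, items in triage(events).items()}


if __name__ == "__main__":
    for name, items in triage(SAMPLE_EVENTS).items():
        print(name, [(t["use_case"], t["host"]) for t in items])
```

On the sample stream only the finance export on fin-app-01 reaches the crisis queue: it is high severity and the DLP source corroborates the SIEM rule. The off-hours admin login on dc-01 fired twice in the SIEM but has no VPN corroboration, so it stays on hold rather than paging anyone, and the rule with no agreed use case lands in the unmapped queue, which is the list to bring back to the business owners.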
Worried that you may have pockets of cybersecurity technologies but not enough people and process in place to get the maximum benefit out of it? For most companies, do-it-yourself cybersecurity does not make good business sense. Your time and money can be better spent elsewhere.
Unburden your team with 24/7 managed security combining the best infrastructure, tools, personnel, and processes to meet your secure cloud computing and storage needs. Request a quote today.