Keeping up with change to survive

SIEM should be the basic standard for all companies, but many are lagging behind

Michael Cowley, cybersecurity consultant, Integrity360

“When we talk about security integration, the old-fashioned way of looking at it is getting all the systems to talk to each other and put their data in one place,” said Michael Cowley, cybersecurity consultant with Integrity360.

“SIEM [Security Incident and Event Management], which focuses predominantly on the correlation of different events happening around the network, answers the ‘what’, ‘when’ and ‘where’ kind of questions. But actually the trend at the moment is answering the ‘so what’ and ‘what do we do next’ steps. And how do we actually improve the situation as quickly as possible?”

The practices defined as good security can feel like they change quickly, with trends from two or three years ago already feeling out of date. In this case, the real trend is that SIEM should be the basic foundation for all companies, and it is now the accepted norm among them.

What businesses should be looking to invest in now, said Cowley, is a SOAR-type (Security Orchestration, Automation and Response) model or solution, which he feels is the next evolution of security integration.
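To make the SIEM-versus-SOAR distinction above concrete, here is an added example (not from the article, Integrity360 or any vendor product): a SIEM-style correlation rule that answers the "what, when and where" over a handful of constructed authentication log lines, followed by a SOAR-style playbook step that answers the "so what" (enrich with account context) and "what next" (choose response actions). The log format, the five-failure threshold, the asset table and the action names are all assumptions for illustration.

```python
"""Added example: minimal SIEM-style correlation followed by a SOAR-style
playbook decision, run over constructed log lines.

The log format, thresholds, context table and action names are assumptions
for illustration; they do not describe any real product's behaviour.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<timestamp> <source_ip> <user> <outcome>"
SAMPLE_LOGS = """\
2024-03-01T09:00:01 203.0.113.5 alice FAIL
2024-03-01T09:00:07 203.0.113.5 alice FAIL
2024-03-01T09:00:12 203.0.113.5 alice FAIL
2024-03-01T09:00:18 203.0.113.5 alice FAIL
2024-03-01T09:00:25 203.0.113.5 alice FAIL
2024-03-01T09:00:31 203.0.113.5 alice SUCCESS
2024-03-01T09:02:00 198.51.100.7 bob FAIL
2024-03-01T09:05:00 198.51.100.7 bob SUCCESS
"""


def parse_events(text):
    """Turn the constructed log lines into event dicts (the SIEM ingest step)."""
    events = []
    for line in text.splitlines():
        ts, src, user, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "user": user, "outcome": outcome})
    return events


def correlate_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """SIEM-style rule: at least `threshold` failures for one (source, user)
    pair followed by a success inside `window` -> one alert stating
    what happened, when, and where (source IP)."""
    failures = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["src"], e["user"])
        # Keep only failures still inside the sliding window.
        failures[key] = [t for t in failures[key] if e["ts"] - t <= window]
        if e["outcome"] == "FAIL":
            failures[key].append(e["ts"])
        elif e["outcome"] == "SUCCESS":
            if len(failures[key]) >= threshold:
                alerts.append({"what": "bruteforce_then_success",
                               "when": e["ts"], "where": e["src"],
                               "user": e["user"],
                               "failures": len(failures[key])})
            failures[key].clear()
    return alerts


# Constructed identity context a playbook would normally pull from a CMDB or IdP.
ASSET_CONTEXT = {"alice": {"privileged": True}, "bob": {"privileged": False}}


def playbook(alert, context=ASSET_CONTEXT):
    """SOAR-style step: enrich the alert ('so what') and pick the response
    actions ('what do we do next'). Action names are hypothetical."""
    user_ctx = context.get(alert["user"], {"privileged": False})
    actions = ["open_ticket"]
    if user_ctx["privileged"]:
        actions += ["disable_account", "block_source_ip", "page_on_call"]
    else:
        actions += ["force_password_reset"]
    return {"alert": alert,
            "severity": "high" if user_ctx["privileged"] else "medium",
            "actions": actions}


def run(text=SAMPLE_LOGS):
    """Full pipeline: ingest -> correlate -> enrich and decide."""
    return [playbook(a) for a in correlate_bruteforce(parse_events(text))]


if __name__ == "__main__":
    for result in run():
        print(result)
```

Running it produces one enriched alert for `alice` (five failures then a success from 203.0.113.5, rated high because the account is marked privileged) and none for `bob`, whose single failure never crosses the threshold. The correlation function alone is what a SIEM gives you; the playbook is the orchestration layer the article says businesses should be investing in next.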

The evidence does back up this viewpoint. Cowley references a report from Gartner which says that, by 2022, 50 per cent of all SOCs (Security Operations Centres) will transform into modern SOCs with integrated incident response, threat intelligence and threat-hunting capabilities. This is a jump up from less than 10 per cent in 2015.

“If you think about it, that’s a massive jump in capabilities and just a seven-year gap,” said Cowley. “Which is all focused around this kind of SOAR framework that we’re leading people towards.”

While the motivation to properly embrace the integrated approach is there, Cowley does warn against jumping in head first. There is no shortage of cybersecurity vendors out there offering a full-stack approach to security.

They may offer tools for all the different types of security concerns you may have, but you should consider what their strengths and weaknesses are first.

“What they’re trying to target is where the consumer has only one or two technologies in-house,” he said. “They want that single pane of glass to provide visibility over everything, be it a network, perimeters, endpoints or mobile, and they’re trying to provide that one-stop-shop for the consumers, but with a view that it will make their system management a bit easier.

“As much as the companies offer tight integration, they typically acquire different feature sets through acquisition . . . and then launched into the actual system.

“They work but the integration is quite loose, it’s not native. And then where they built out things, they’ve done it on a common platform approach, so actually, what the customer ends up getting is rarely best of breed.”

The other element that can be a challenge is getting the right kind of expertise needed to properly manage these systems. Considering the breadth and depth of the modern security landscape, it’s too great for one or two people to manage alone.

Even if they do, it’s unlikely that they’re getting the most out of the systems they’re using.

“A jack of all trades can use all the platforms and get value out of them but if you want to get the real value, and if you want to actually stitch them together so that there’s some automation behind the scenes,” Cowley said.

“You’re able to start implementing what was being kind of termed orchestration and automation in response, you then need to actually have subject matter experts who really understand how the systems are built.

“You need to understand how they’re built, in order to stitch them together appropriately.”

It’s the reason why managed service providers like Integrity360 are so in vogue. Since finding security talent, let alone retaining it, is so difficult, availing of specialist companies to fill the gap is now a necessity.

“MSP like ourselves, we’re focused around customer outcome,” Cowley said. “Customer outcome normally boils down to risk reduction, which is what our primary goal is. If customers just want the tools and the features, they’re typically very small organisations: just a couple of guys doing in-house IT and that’s as big as they’re going to get.

“But if they’re looking to expand that, if they’ve got decent IT investment in the business and risk-focused business, then what they care about most isn’t the toolsets or specific technology, it’s the outcomes. That’s where MSPs like ourselves engage with them to provide that customer-focused outcome for them.”

Having someone responsible behind the scenes can help, as a major challenge is getting these different systems integrated. The average company has numerous systems in play, and while it’s entirely possible for them to do the integration themselves, the problem is usually the availability of expertise within the organisation.

“We look to alleviate that challenge of the security platform integrations by providing that expertise in their best of breed product sets,” Cowley said. “You might ask why customers can’t do that themselves. Most organisations will have somewhere between five to 15 different technology sets in play and most organisations will struggle to attain two or three experts.”