24/7/365 Security Coverage – Choose Your Own Adventure
“What keeps you up at night?” CISOs get asked that question all the time. And usually, the people asking want to hear about the biggest, baddest malware campaign, ransomware attack, vulnerability or APT. The latest threats are always compelling to talk about and are examples of the security issues that our business partners and colleagues outside of the day-to-day infosec practices can wrap their heads around.
But the real, perhaps less exciting, answer is quite literal and operational. CISOs at a significant number of organizations are literally “up at night” because, surprise: attackers don’t respect business hours. In a survey of 300 large enterprises, Deepwatch found that 38% do NOT have 24/7 security operations capabilities. In today’s threat landscape, organizations need eyes on systems around the clock, 365 days a year. Without a fully staffed security operations center (SOC), security leaders are losing sleep over it.
So what’s the right approach? Build vs. buy, right? I think this is the binary decision we’ve heard for years, and frankly I think it’s highly flawed. The SOC is a component of your overall security story and plays a key role in ensuring that you’ve got a mature program that will effectively meet your risk requirements.
Consider the following questions:
- Do you have the proper tools in place to protect your endpoints and to detect and contain malicious activity? Investing in a quality EDR platform should be a high priority. Notice I said EDR. More on XDR later; it’s not something you should worry about if this is a gap you’re trying to fill.
- Are you training your employees? While it’s reasonable to assume that attacks come from threat actors infiltrating various sites and services, the reality is that most attacks use real credentials which are harvested through phishing campaigns. We need to ensure we’re training our employees when they come on board, but also throughout their tenure, keeping them up to speed on the latest attack methods. As attackers change techniques, we need to adapt and train our employees to be highly vigilant and observant of new or clever lures.
- Do you have asset coverage? In other words, having a good EDR is great, but ensuring it’s deployed and checking in from all of your assets is an entirely different problem to solve and where I’ve seen many fall short. Work with the IT team to verify coverage, and implement controls in the event that something falls off the radar.
- Are the tools you’ve invested in appropriately configured? Ensure that you’ve got someone always staying on top of squeezing the most value out of the tools you’ve acquired! SaaS tooling continues to evolve, and while one could assume that the hard part is over after the initial implementation, I’d argue that ensuring coverage and good policies within those toolsets is what makes or breaks a good program.
So you’ve got the basics in place: policies that match your risk tolerance are implemented, and you’ve worked with IT to ensure that assets are appropriately covered. In the event that something goes wrong, a bit of automation exists to remediate those hosts and bring them back in line, or to keep them offline until someone gets hands-on and brings them back into compliance.
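The coverage check from the asset-coverage question above, as an added example (not from the original post or from Deepwatch): it reconciles IT's asset list against an EDR agent export and reports hosts with no agent, hosts whose agent has gone quiet, and agents on hosts IT does not track. The hostnames, the export shape, the short-name matching and the 24-hour threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

def norm(host):
    # Assumption: the lower-cased short name identifies a host, so
    # "WEB02.corp.example" and "web02" are treated as the same asset.
    return host.strip().lower().split(".")[0]

def coverage_gaps(inventory, agents, now, max_age=timedelta(hours=24)):
    """Reconcile IT's asset list against EDR agent check-ins.

    inventory: hostnames IT says exist.
    agents: (hostname, last check-in as ISO-8601 string) rows from an EDR export.
    """
    expected = {norm(h) for h in inventory}
    last_seen = {}
    for host, seen in agents:
        key, ts = norm(host), datetime.fromisoformat(seen)
        # A reimaged host can appear twice; keep its newest check-in.
        if key not in last_seen or ts > last_seen[key]:
            last_seen[key] = ts
    reporting = set(last_seen)
    return {
        # In the inventory, but no agent has ever checked in.
        "missing": sorted(expected - reporting),
        # Agent installed but silent for longer than max_age.
        "stale": sorted(h for h in expected & reporting
                        if now - last_seen[h] > max_age),
        # Agent reporting from a host IT does not track.
        "unmanaged": sorted(reporting - expected),
    }

# Constructed sample data, not taken from any real environment.
NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)
INVENTORY = ["web01", "WEB02.corp.example", "db01", "laptop-17", "build-03"]
AGENTS = [
    ("WEB01.corp.example", "2024-05-02T11:58:00+00:00"),
    ("web02", "2024-05-02T11:40:00+00:00"),
    ("db01", "2024-04-20T09:00:00+00:00"),
    ("DB01", "2024-04-28T03:15:00+00:00"),
    ("laptop-17", "2024-05-01T13:30:00+00:00"),
    ("kiosk-09", "2024-05-02T11:59:00+00:00"),
]

if __name__ == "__main__":
    for kind, hosts in coverage_gaps(INVENTORY, AGENTS, NOW).items():
        print(f"{kind}: {', '.join(hosts) or '-'}")
```

The `missing` and `stale` lists are what a remediation or quarantine job would consume; `unmanaged` goes back to IT as an inventory correction.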
Here’s where the story gets interesting: what do you do with the amount of telemetry coming out of those investments? These are your options, but beware which path you choose:
- You could have your staff jump between consoles and chase down alerts.
This approach doesn’t scale. There’s no correlation between alerts coming from various systems and your staff will have to deal with an ever-increasing volume of events that will be sure to burn them out. In addition, the value of what they’d be working on would likely be a lot lower compared to other options on this list.
- You could send all of your logs to a SIEM of your choice.
Now you’ve got everything in one place, but you still have the problem of dealing with a high volume of events that needs to be sifted, trimmed down, investigated, etc. It’s a popular option, but it still doesn’t scale.
The biggest issue I’ve seen with this approach is that you need a very large team of analysts to review alerts. In addition, you also need to consider hiring engineers and architects to enrich and correlate the data. Of course, you’ll also need to build dashboards, playbooks and content so that your SOC only looks at events that deserve its attention, creating efficiencies that’ll scale with your business.
Then, for 24/7 coverage, you’ll need to staff up those overnight shifts to keep an eye on things around the clock.
- The final option is to outsource the SOC and hand off the SOC program to someone who can do it at scale and has the engineering, architecture and subject matter expertise to get the most value out of your existing investments.
This option enables you to keep your staff focused on creating value for your security program by focusing on whatever matters most for your organization, and associated risk profile. I would categorize the SOC work as one of the most difficult jobs to perform on a security team, and the numbers back this up. It’s why the SOC analyst role has the highest turnover in the security industry with an average tenure of 24 months.
The ever-increasing cyber talent shortage and the complexities of essentially running a fully fledged business-within-a-business (because that’s what it takes to run a mature SOC today) are why I will always recommend that you outsource the SOC. Adding more people internally alone won’t enable you to keep up with rising incidents. In addition to taking advantage of the talent shortage, adversaries are building competent programs to scale out their operations. Just like we leverage automation at scale to solve complex business problems, they’ll use the same automation capabilities to steal IP or extort companies for cash. The number and frequency of cyber incidents are up, especially with ransomware. In fact, cybersecurity insurance rates have increased as a result of this, up to 10x in some cases. Related to cyber insurance, but not often discussed: I’ve seen several insurance companies exit the cyber insurance arena, further underscoring how big a problem ransomware is.
SOC analysts and incident responders are constantly engaged. Sixty-eight percent of incident responders find it common to simultaneously need to respond to two or more cybersecurity incidents, which is fatiguing. The responsibilities of monitoring, triaging and investigating alerts can take up three-quarters of your team/security program. MDR partners that specialize in this can take these responsibilities and run them at scale, delivering more value at a fraction of the cost compared to building it yourself.
Handing over detection and response programs to a partner allows you to free up your team and point them at increasing the maturity of your program, specifically by focusing on problems that matter most to your business, risk appetite and tolerance. Take the rest of your savings and continue to invest in optimizing and completing security coverage across your environments. Your budget will thank you, your staff will be much happier and fulfilled, and you’ll be able to deliver a more mature program by having your people focus on complex problems, not triaging alerts.
How Deepwatch Can Help
Deepwatch partners with its customers to speed detection and response, providing SOC capabilities and 24/7/365 protection. The Deepwatch SecOps platform leverages security telemetry across data sources to detect complex threats and provide complete real-time response – programmatically, customized to the customer’s environment. Deepwatch security experts work in partnership with the customer’s security team to identify and prioritize which response processes to automate, alleviating the short-term burden of automation in order to achieve the long-term benefit.
As a partner and extension of internal security teams, Deepwatch offers peace of mind and assurance that threats are rapidly and holistically addressed, unlocking a new level of security that supports business outcomes.
To learn more, please visit https://www.deepwatch.com/managed-detection-response/.