Buying less, doing more: How the security operations centre model can help to control cybersecurity
Article by ExtraHop VP global security programs Mike Campfield.
‘Security solutions good, more security solutions better’ is the mentality behind high tech protection procurement in many Australian and New Zealand organisations but a new security model looks set to turn this traditional way of thinking on its head.
Does the quest to prevent hacking or cyber-compromise result in your enterprise spending increasing sums on a burgeoning array of cybersecurity products?
Globally, organisations were expected to invest a staggering $US106.6 billion on cybersecurity in 2019. In the Asia Pacific region, investments in security hardware, software and services were projected to reach $US16.4 billion, representing a 20% increase on 2018’s spend, according to high tech research house IDC.
But is all that outlay actually making organisations safer? Or is it merely creating overlaid and disjointed lines of defence which are complex and costly to maintain – and increasingly ineffective in a cloud-powered, digital business landscape?
Some innovators in the cybersecurity sphere think so. They have lately turned their attention to developing a protection model which better fulfils the requirements of the modern enterprise and reduces the need to have specialist personnel on the ground, racing to respond to an unrelenting influx of threats.
Under siege: the cybersecurity challenge Australian and New Zealand businesses are facing – and failing
Evidence suggests such a model is sorely needed – and that implementing more effective protection is an ongoing priority for organisations and businesses.
More than 500,000 Australian small businesses became cybercrime victims in 2017 and one in four of those endured 25 or more hours of resultant downtime, according to research by Norton. The average cost of a cyber attack was calculated at $1.9 million for a mid-sized enterprise.
While cybersecurity has historically been regarded as an ICT issue, the existential danger an incident can now pose is not lost on those at the top. Australian CEOs rank cyber disruption as the number one threat to their organisations’ business growth, according to PwC’s Global CEO Survey 2018. For the enterprises they oversee, the question has become not ‘if’, but rather ‘when’, their turn will come.
Using data to protect the enterprise more effectively
Gartner’s Security Operations Centre (SOC) Visibility Triad model is focused on the use of something today’s organisations already have in plentiful supply – data.
The Gartner SOC Visibility Triad speaks to the power of harnessing the intelligence collected by network traffic analysis, security incident and event management software, and endpoint detection and response solutions; combined, these three sources enable a major shift in focus.
While the perimeter is still needed to keep low-level intruders out, organisations need to look inward at what is taking place in the east-west corridor, the traffic flowing between systems inside the network. With the right intelligence and a rapid response centre, teams will be able to detect and neutralise threats inside the network before critical assets are damaged.
Complete visibility into all network communications is the ultimate aim. Endpoint agents, events or log data alone will not create a full picture of what is taking place: log data can be turned off, and agents can be tampered with. Wire data, the data that provides insight into the communications on the network, provides visibility so that rules, signature and behavioural detection tools powered by machine learning, coupled with automated investigation and response systems, can be used to shut down emerging attacks quickly.
All said, rapid detection, response and remediation using wire data represents the most pragmatic and workable way forward.
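As an added illustration of the behavioural, wire-data-driven detection described above (example code written for this page, not ExtraHop's or Gartner's), the following Python flags an internal host that fans out to many internal peers over administrative ports within a short window. The flow records, the internal subnet, the watched ports and the thresholds are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Hypothetical flow records as a network sensor might summarise them from wire
# data: (epoch seconds, source IP, destination IP, destination port).
# Constructed sample for this example, not captured traffic.
FLOWS = [
    (1000, "10.0.1.15", "10.0.2.7", 445),
    (1001, "10.0.1.15", "10.0.2.8", 445),
    (1002, "10.0.1.15", "10.0.2.9", 445),
    (1003, "10.0.1.15", "10.0.2.10", 445),
    (1004, "10.0.1.15", "10.0.2.11", 445),
    (1005, "10.0.1.15", "10.0.2.12", 445),
    (1010, "10.0.1.20", "10.0.2.7", 445),     # one share access: normal
    (1011, "10.0.1.20", "203.0.113.5", 443),  # north-south, outside this rule's scope
    (5000, "10.0.1.15", "10.0.2.30", 445),    # far outside the window: not counted
]

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address space
WATCHED_PORTS = {445, 3389, 5985}               # SMB, RDP, WinRM: common admin paths


def detect_internal_fanout(flows, threshold=5, window=60):
    """Return alerts for sources reaching >= threshold distinct internal
    destinations on a watched port within `window` seconds (behavioural rule)."""
    per_src = defaultdict(list)  # (src, port) -> [(ts, dst), ...]
    for ts, src, dst, port in flows:
        if port not in WATCHED_PORTS:
            continue
        if not (ipaddress.ip_address(src) in INTERNAL and ipaddress.ip_address(dst) in INTERNAL):
            continue  # east-west only: both ends must be inside the network
        per_src[(src, port)].append((ts, dst))

    alerts = []
    for (src, port), events in per_src.items():
        events.sort()
        # Sliding window over time-ordered events, counting distinct targets.
        for i, (start, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - start <= window}
            if len(targets) >= threshold:
                alerts.append({"src": src, "port": port, "targets": len(targets), "start": start})
                break  # one alert per source/port is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_internal_fanout(FLOWS):
        print(alert)
```

Run against the sample, the rule raises a single alert for 10.0.1.15 (six distinct SMB peers inside 60 seconds) and stays quiet for the host with one share access and the outbound HTTPS connection.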
Smarter security for the 2020s and beyond
Cybersecurity incidents are not decreasing and the fall-out has become ever more serious. Enterprises which don’t have measures in place to detect and mitigate threats to their critical systems and the sensitive company and personal data in their keeping must look to wire data to uncover suspicious activity before it causes damage.
A robust, coordinated cybersecurity strategy which addresses the vulnerabilities and challenges thrown up by the digital era is essential to mitigate risk. Before adding a new tool to your environment, ask if you are analysing all the data that traverses your network. You might be surprised by the results.