By James Parry, Technical Manager, Auriga
There’s been a fundamental shift in cyber security away from prevention to threat detection. Why? Because the sheer scale of cyber attacks is making a purely defensive posture unsustainable. A recent survey by Business Reporter found 78 percent of UK companies had experienced an increase in cyber attacks during the past year. The conclusion is that attacks are inevitable and that, rather than defending against every eventuality, the organisation should focus and allocate resources through threat intelligence.
It’s now imperative that the business be aware of and monitor threat developments. However, creating and maintaining a comprehensive Security Operations Center (SOC) capable of not only capturing but also of identifying relevant threats is both time and cost intensive. For this reason, next generation SOC services capable of extensive monitoring and data crunching have typically been the tool of either large corporates or enterprises that can afford to outsource this capability, ruling it out as an option for the majority of SMEs.
This creates a real dilemma for the SME, which is effectively left exposed and vulnerable, typically receiving little or no warning of an impending attack other than the alerts generated by its own network defences. Consequently, the SME is forced into a reactive, defensive position. The scale and ferocity of the attack, its origins and its motivation are all unknowns. Effectively, the SME is fighting blind.
Solutions such as Compass from Auriga, a scalable next generation Security Operations Center (SOC), are designed to meet the security monitoring needs of today’s hyperconnected small and medium sized business combating threats from numerous sources. This type of solution enables the SME to adopt a proactive rather than a reactive stance by providing real-time threat intelligence as identified and assessed by a dedicated team of data security analysts.
Next generation SOC services differ in that they enable metadata to be aggregated from a multiplicity of sources and to be analysed and assessed in real-time. This means vast amounts of data can be gathered and analysed not only from routine traffic traversing the network but also from dynamic data generation sources such as social media and even the darknet.
Take, for instance, the recent high profile Distributed Denial of Service (DDoS) attacks, which caught some organisations unawares. How many of the organisations impacted by, or directly compromised as a result of, those attacks would have liked to know a DDoS attack was imminent? Armed with that foresight, an organisation can prepare for such an attack months ahead by following key trends that vary by sector, region, company profile, operational model and technical complexity. Such knowledge can also help shape and inform future business plans, steering the company out of harm’s way.
Utilising a next generation SOC by outsourcing this aspect of cyber security limits the SME’s financial exposure and risk while giving it state-of-the-art monitoring that can be tailored to its market sector, geographic area and other criteria, effectively putting the SME’s finger on the pulse of what is happening. This form of tailored threat intelligence can be further expanded to include Threat Forecasting and Business Intelligence, so that the business is not only aware of emerging threats but able to anticipate and counter them.
So what, as an SME, should you be looking for when choosing a next generation SOC service? First and foremost, consider scalability. Look for a service that can grow with your business and be tailored to your specific needs. You might elect to start off small, perhaps monitoring traffic from specific locations and during limited times of day, for instance.
Essential to a SOC is a SIEM, or Security Incident and Event Management, tool. A SIEM aggregates, collects, correlates and interrogates the ‘events’ or threats detected, as well as generating alerts and reports. Ideally you want a SIEM that can perform real-time and historical cross correlation, processing at phenomenal speeds, so do ask about speed and processing performance.
The logging of events is also important, but don’t confuse this with SIEM. Event log and network flow data consolidation is about raw information and storage, making it very useful for auditing and compliance purposes. Logs are essential for event source identification, for instance. But unlike a SIEM, it doesn’t interrogate that data and compare it against different rule sets to look for attack patterns. Look also at how event log data is secured. Is it hashed or encrypted using a standard such as HMAC, for instance?
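To make the "is the log data HMAC-protected?" question concrete, here is an added example (not from the article or from Auriga) of sealing a batch of event log lines with a chained HMAC-SHA256 and then verifying the chain, so that an edited, deleted or reordered record is detected. The log lines, the key and the record format are constructed assumptions for the demonstration.

```python
import hashlib
import hmac

# Constructed sample event log lines for the demo (not real traffic).
SAMPLE_EVENTS = [
    "2016-11-01T10:00:01Z fw01 DENY tcp 203.0.113.5 -> 192.0.2.10:22",
    "2016-11-01T10:00:02Z fw01 DENY tcp 203.0.113.5 -> 192.0.2.10:23",
    "2016-11-01T10:00:05Z vpn01 LOGIN user=alice src=198.51.100.7",
]
# Constructed demo key; in practice this lives in an HSM or secrets store
# that the log writer cannot read back and the log consumer cannot alter.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"
CHAIN_ANCHOR = "0" * 64   # stands in for the "previous tag" of the first record

def _tag(key, seq, prev_tag, line):
    """HMAC over sequence number, previous tag and the event text."""
    msg = f"{seq}|{prev_tag}|{line}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def seal_events(events, key):
    """Return records that each carry an HMAC over their own content and the
    previous record's tag, so every entry is bound to the one before it."""
    sealed, prev_tag = [], CHAIN_ANCHOR
    for seq, line in enumerate(events):
        tag = _tag(key, seq, prev_tag, line)
        sealed.append({"seq": seq, "event": line, "tag": tag})
        prev_tag = tag
    return sealed

def verify_events(sealed, key):
    """Recompute the chain. Return -1 if intact, else the position of the
    first record that fails (edited, out of sequence, or following a gap)."""
    prev_tag = CHAIN_ANCHOR
    for pos, rec in enumerate(sealed):
        expected = _tag(key, pos, prev_tag, rec["event"])
        if rec["seq"] != pos or not hmac.compare_digest(expected, rec["tag"]):
            return pos
        prev_tag = rec["tag"]
    return -1

if __name__ == "__main__":
    records = seal_events(SAMPLE_EVENTS, DEMO_KEY)
    print("intact chain check:", verify_events(records, DEMO_KEY))
    records[1]["event"] = records[1]["event"].replace("DENY", "ALLOW")
    print("after editing record 1:", verify_events(records, DEMO_KEY))
```

Truncating records from the tail is not caught by the chain alone; the verifier must also hold the most recent tag (or record count) from a trusted location and compare it with the last record it sees.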
When it comes to threat detection the idea is to dig deep so do enquire as to the range of sources covered in terms of geography, sector, and network traffic, and the numbers involved. How many threat intelligence feeds are typically analysed? Is the provider able to adapt that analysis to continuously learn from suspect network traffic, threat patterns and risks to your business?
Finally, be aware that it’s intelligence, not incidents, you are paying for. So look at the human face behind the machine. What is the size and experience of the team of analysts interpreting the results from the SOC? Are you being offered a fully managed security service or simply a reporting service? What levels of network, visualisation and application intelligence are on offer? And how will real threats be acted upon in terms of incident management? Unless the SOC can integrate with the way your business functions and convert that intelligence into action, any benefit will not be fully realised.
As our economy becomes more hyperconnected through the use of wearable tech and the Internet of Things, the attack surface of the business, and our susceptibility to attack, will increase. Outsourcing SOC services offers the scale and the flexibility to monitor and stave off multiple threats in real time. For the SME, being able to respond to and mitigate those threats isn’t just about keeping ahead of the competition; it’s about survival. A SOC’s capability will be a major determining factor in whether a business survives or thrives.
James Parry can be contacted at firstname.lastname@example.org