Changing companies need security approaches that keep up
For today’s companies, whatever their core business, reliance on IT systems almost certainly means that they have become a technology company. Digital transformation is everywhere – from looking to improve customer experience to businesses seeking performance metrics to manage by.
Many will have remote workforces, use zero trust approaches and elastic compute models; they may not even have traditional networks or servers. Application functions will appear as they are needed, there will be no endpoints for agent installation, and potentially no infrastructure or perimeter to monitor.
Cloud-based security solutions for cloud-based businesses
As businesses expand globally, access to customer facing systems or to employee applications could be from anywhere. This wider attack surface means there are new types of systems, access points and traffic flows to defend.
Fundamentally, businesses need monitoring solutions that support and work across all of their cloud-native IT operations and highly variable endpoint estates to detect an increasing range of threats. It’s not an unreasonable ask – it just reflects the architecture of these newer IT systems, how they are organised and so, how they could be attacked.
One challenge is cultural. Just as infrastructure architecture is changing, so too are users, and it is not all down to the WFH phenomenon that has sustained many businesses during the pandemic. “Digital natives”, too, tend to treat company laptops and phones as “their” devices and use them as such, rather than as corporate machines reserved for work. This has implications for how systems are secured, monitored and supported.
Building security operations capabilities
Security managers, particularly those working out how their changed IT architecture fits into the security operating environment, often find that their existing security baselines are quite low. IT platforms, applications and cloud services may have very little security protection in place or enabled, and what there is may not be coordinated. Where IT systems have been in place for some time, configurations that were initially correct and compliant may have drifted to a looser, less secure state. For example, over time more and more people get added to administrative groups, and if they are not removed as people and roles change, this eventually becomes a vulnerability.
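The administrative-group drift described above can be checked systematically rather than by eye. The following is an added example, not Huntsman Security code: it compares a constructed directory snapshot against an approved baseline and a leavers feed, and reports unapproved members, members who have left, and approvals that are overdue for review.

```python
"""Privilege-drift check for administrative groups (added example, not
Huntsman Security code). Compares a directory snapshot of admin group
membership against an approved baseline and a leavers feed. All data is
constructed."""
from datetime import date

# Constructed baseline: approved members per group and the date each
# approval was last reviewed.
APPROVED = {
    "Domain Admins": {"alice": date(2023, 1, 10), "bob": date(2021, 6, 1)},
    "Server Admins": {"carol": date(2023, 3, 5)},
}

# Constructed snapshot of what the directory currently reports.
CURRENT = {
    "Domain Admins": {"alice", "bob", "dave"},  # dave was never approved
    "Server Admins": {"carol", "erin"},         # erin was never approved
}

# Constructed HR feed of accounts whose owners have left or changed role.
LEAVERS = {"bob"}

# Approvals older than this should be re-reviewed, even if still valid.
REVIEW_AGE_DAYS = 365


def find_drift(approved, current, leavers, today):
    """Return per-group findings: members not in the baseline, members on
    the leavers feed, and approved members whose review is overdue.
    Groups with no findings are omitted."""
    findings = {}
    for group, members in current.items():
        allowed = approved.get(group, {})
        unapproved = sorted(members - set(allowed))
        left = sorted(members & leavers)
        stale = sorted(
            user for user, reviewed in allowed.items()
            if user in members and (today - reviewed).days > REVIEW_AGE_DAYS
        )
        if unapproved or left or stale:
            findings[group] = {"unapproved": unapproved,
                               "leavers": left, "stale_review": stale}
    return findings


if __name__ == "__main__":
    for group, result in find_drift(APPROVED, CURRENT, LEAVERS, date.today()).items():
        print(group, result)
```

Run on a schedule against a real directory export, the same check turns the slow accumulation of admin rights into a recurring finding instead of a surprise.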
Additionally, it is not uncommon to find a plethora of solutions all doing the same thing across different sets of systems or parts of the business, making it difficult to monitor and maintain consistent security settings. For example, different anti-virus technologies for different groups of systems, offices or business units mean multiple management consoles to monitor and keep current.
Security processes need to match business processes
In particular, security monitoring at its most basic is a process that is often manual at best and informal at worst. Engineers get to it when they get a chance or aren’t busy with other things – they spend a couple of hours, a couple of times a week looking at various logs or consoles for signs of abuse/incidents/misuse/attacks.
This only works – manually spotting issues – if there is time available. Like anything else without a formalised process, as soon as the team gets busy, important security work gets neglected. Without systematic procedures, the detection effort is easily distracted and the promise of swift and reliable detection or resolution is lost.
It is also too slow, both in effort required and in elapsed time. If something serious happens, the problem may not be picked up until the next time someone looks, most likely when it is too late to make a difference.
Choosing monitoring solutions
When Huntsman Security talks to its customers and prospects, we find that these issues and concerns are often a big part of what the organisation is trying to solve.
Businesses often need support and assistance from a vendor who is willing to work with them and suggest approaches that work and are flexible: a solution provider that will listen to their needs and offer solutions.
This is particularly important when it comes to security solutions for monitoring and threat detection. Flexibility and the ability to adapt to fit their strategy and technology environment are key.
Speed and ease of use matter; being able to switch from dashboards to investigations and back again, seamlessly, is important. Cosmetic features may be pretty, but if they make it harder to get to the details behind the alert, they become tiresome. Customers obviously look for security technologies that support their existing solutions and services as well as, where possible, technologies that can connect to new data sources they might want to adopt in the future.
How do you know when you’ve got it right?
What has emerged as a requirement for customers is to be able to monitor events much more frequently and make operational processes more efficient.
Dashboards and queries that run automatically and quickly are an increasingly common request. Systems that run in the background and alert the user, rather than having to be driven by analysts to initiate an outcome, are becoming more popular. Access to useful interfaces, whether out-of-the-box or easily created from templates, means more time spent managing security rather than the technology. The ability to share created queries and dashboards removes duplication of effort, as content views and searches are available to the whole team.
Systematic processes and intuitive workflows can limit the pressure-cooker environment that prevails in many SOC teams, and introduce order and actionable outcomes so that security and risk teams can operate as effectively as possible.
Security workflows that support SOC processes
Security teams can correlate activity data with other sources, such as endpoint security and Active Directory logs, to pick up connections to strange web sites or unusual locations. Having all this data automatically collated together is a huge benefit: analysts can query, analyse and report on security threats more easily and, as a result, more quickly enforce policies for specific systems such as point-of-sale systems, and improve defences.
As a consequence, security managers can provide an adaptable and responsive service to the business, allowing the enterprise to operate the way it needs to in order to be competitive and forward looking, without compromising the protection of sensitive data or exposing systems to attack.
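The correlation described above, as an added example that is not Huntsman Security code: constructed Active Directory logon events and web proxy events stand in for SIEM data, and each web connection is joined with the user's most recent logon so that an unknown destination or a logon from outside the user's usual countries surfaces as one alert with both pieces of context.

```python
"""Correlating web proxy events with Active Directory logons (added example,
not Huntsman Security code). Constructed events stand in for SIEM data; ISO
timestamps are strings, so they compare lexicographically."""
from collections import Counter, defaultdict

# Constructed AD logon events: (timestamp, user, source country)
AD_LOGONS = [
    ("2024-05-01T08:00", "alice", "GB"),
    ("2024-05-02T08:05", "alice", "GB"),
    ("2024-05-03T03:12", "alice", "RU"),  # constructed anomaly
    ("2024-05-01T09:00", "bob", "GB"),
    ("2024-05-03T09:01", "bob", "GB"),
]
# Constructed web proxy events: (timestamp, user, destination host)
PROXY_EVENTS = [
    ("2024-05-01T08:30", "alice", "intranet.example"),
    ("2024-05-03T03:20", "alice", "unknown-host.test"),  # constructed anomaly
    ("2024-05-03T09:10", "bob", "intranet.example"),
]
KNOWN_GOOD_HOSTS = {"intranet.example"}  # constructed expected destinations


def usual_countries(logons):
    """Per-user baseline: countries seen in more than one logon."""
    seen = defaultdict(Counter)
    for _, user, country in logons:
        seen[user][country] += 1
    return {u: {c for c, n in cnt.items() if n > 1} for u, cnt in seen.items()}

def latest_logon_country(logons, user, ts):
    """Country of the most recent logon by `user` at or before `ts`, or None."""
    prior = [l for l in logons if l[1] == user and l[0] <= ts]
    return max(prior)[2] if prior else None

def correlate(logons, proxy_events, known_hosts):
    """Join each proxy event with the user's latest logon; return alerts for
    unknown destinations or logons from outside the user's baseline."""
    baseline = usual_countries(logons)
    alerts = []
    for ts, user, host in proxy_events:
        country = latest_logon_country(logons, user, ts)
        reasons = []
        if host not in known_hosts:
            reasons.append("unknown destination")
        if country and country not in baseline.get(user, set()):
            reasons.append("logon from unusual country " + country)
        if reasons:
            alerts.append({"time": ts, "user": user, "host": host,
                           "logon_country": country, "reasons": reasons})
    return alerts
```

On the constructed data only alice's second connection is flagged, and the alert carries both the unknown destination and the unusual logon country, which is what lets an analyst act without a second query.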
See our latest Enterprise SIEM case study that highlights a number of these important issues.