4 STEPS TO MATURING SECURITY OPERATIONS: PART 1
Note: This is the first of a two-part blog series
A lot is happening in the world of cyber security: we hear about data breaches, ransomware and data leakage, and their impact is no longer limited to the 'e-world'. We have seen direct financial, reputational and business losses; now we are even discussing how information leakage may have influenced the outcome of the recent election in the world's largest economy.
While the risk appetite of each organization differs based on risk exposure, nature of business and other factors, having too few security measures, or failing to mature them to meet the current threat landscape, is no longer an option. It is no longer a question of "if" a breach could happen. The questions now are: how do I make it difficult for the attacker, and "when" it happens, how ready am I to detect and respond?
Traditionally, having the latest preventive security controls (firewalls, IPS, endpoint solutions etc.) was thought to be enough. Now, however, these can only be considered a good start, and additional measures are required to strengthen the overall security strategy.
In this write-up, I will cover how organizations should work towards maturing their security operations to stay ahead of the game. This involves four steps, and I recommend that they are addressed in that order. It is also important to note that each step requires regular review to ensure it is still fit for purpose "today".
Step 1: Implement Preventive Security Controls
When an organization sets up its IT security measures, preventive security controls are the starting point. They are effective at blocking less motivated, opportunistic attackers who are hacking for fun. This step requires organizations to implement technologies such as next-generation firewalls, encryption, anti-malware solutions, endpoint security controls, privileged access management (PAM) solutions etc.
The technologies to be implemented depend on the nature of the business and the level of exposure each organization has. For example, if you host a website on the internet, you certainly need a web application firewall too.
Fortunately, from an awareness perspective, this is the most widely adopted measure, although organizations tend to implement only the basic security technologies and miss out on the additional technologies relevant to them. It therefore requires a thorough review to understand what is important for the organization and to ensure those measures are implemented and maintained properly.
Step 2: Implement Monitoring Controls
Once you have implemented and are maintaining preventive controls well, it is time to monitor the environment to detect what is sneaking in by bypassing those controls. A key element of monitoring controls is the Security Information and Event Management (SIEM) solution, which collects logs across the estate, correlates the data and raises an alert when a correlation rule matches or an anomaly is found, indicating something suspicious.
As this control requires vigilant eyes (humans) watching the generated alerts at all times, it is somewhat manpower intensive. Depending on the nature of the business and its risk factors, you could run it during working hours only, although 24/7 monitoring is recommended.
It also requires feeding the SIEM solution with the right level of logs, maintaining it, developing use cases regularly, and ingesting threat feeds into the solution. Due to the demanding nature of these tasks and the investment required, many organizations outsource this to managed security service providers (MSSPs).
While following these two steps is essential and will greatly improve your security posture, attackers today are extremely motivated, and the complexity of their attacks requires further steps to be taken. I will outline these in the second part of this blog series.
MSS Architect at Help AG