When a SIEM is Like an Exercise Machine Stuck Behind the Junk in Your Garage

By Randy Franklin Smith

I’m a big believer in security analytics and detective controls in general.  At least sometimes, bad guys are going to evade your preventive controls, and you need the critical defense-in-depth layers that detective controls provide through monitoring logs and all the other information a modern SIEM consumes.  Better yet, going on the offensive with threat hunting approaches the concept of taking the battle to the enemy instead of passively waiting.

But a SIEM is like an exercise machine.  If no one’s using it – regularly and intensely – it can be the best exercise machine in the world, but you aren’t going to get stronger or lose weight.

And the exercise machine analogy only gets you so far, because it doesn’t highlight the need for highly skilled specialists.  Perhaps a better analogy is the myriad sensors and passive and active monitoring systems on an aircraft carrier.  All that technology isn’t much use if there’s no 24/7 team of specialists interpreting the data and funneling the threat situation up to the officer on duty.  It’s just a bunch of pretty flashing lights and screens.

Likewise, a SIEM needs a SOC.  But how many small- to medium-sized enterprises really have the team, resources and skills it takes to monitor, analyze and investigate what your SIEM is telling you – when it’s telling you?  If you are like me, you may have the skill, but you certainly don’t have the time to look at a SIEM for a few minutes each day, and we aren’t big enough to run a 24/7 SOC either.

So perhaps you settle for turning up the squelch and letting the SIEM only alert you to the most suspicious events and try to take a look at its dashboard every day.  At least you are collecting logs in case something happens – right?

But that approach is unlikely to catch incidents in time to limit the damage.  It’s frustrating because small businesses are just as much at risk from cyber threats as large enterprises, but we can’t leverage the economies of scale to do security right.

Or can we?  The solution for SMBs is the same as large enterprises – leverage economy of scale – but what’s different is the way that scale is achieved.  Large enterprises have the scale in-house.  The organization is large enough to justify funding and running an in-house SOC.

But small businesses can combine to get those economies of scale.  We aren’t talking about some kind of security co-op – although that’s an interesting idea.  What we are talking about is security monitoring as a service.  Instead of, or in addition to, implementing an on-prem SIEM, some organizations are working with service providers to get the benefits of a SOC.  It’s almost like a corporate jet fractional ownership plan, but better.  The jet may or may not be available when you need it.

But with SIEM-as-a-Service you still get all the power, flexibility and security of an on-premises SIEM.  You can use and take advantage of the SIEM as much as you have time and resources for – to do your own monitoring and threat hunting informed by your intimate knowledge of your organization and network.  But in addition to your own efforts, you are backed up by a 24/7 SOC operation watching your SIEM and providing for its care and feeding.  When you get busy on other projects, incidents and investigations, you don’t have to worry that no one is at the controls.

This is important because security monitoring and your SIEM are only a fraction of everything a small or even one-person security team needs to be working on.

EventTracker, for example, provides this in its SIEM-as-a-Service solution, SIEMphonic.  The offering includes SIEM, intrusion detection, vulnerability scanning, threat intelligence, and HoneyNet deception technology, implemented either on-premises or in the cloud.  Experts at the company’s 24/7 intelligence-driven SOC provide remote administration and analytics.

Essential soft skills for cybersecurity success

IT workers in general, but IT security professionals even more so, pride themselves on their technical skills: keeping abreast of the latest threats and the newest tactics to demonstrate to management and peers that one is “worthy.” The long alphabet soup in the signature, CISSP, CISA, MCSE, CCNA and so on, is all very necessary and impressive. However, cybersecurity puzzles are not solved by technical skills alone. In fact, the case can be made that soft skills are just as important, especially because everyone in the organization needs to cooperate. Security is everyone’s job.

Collaboration

Security is everyone’s job, so a critical success factor for the cybersecurity leader is what you communicate and how you communicate to various stakeholders to gain support, buy-in and behavior change. The soft skills to partner with various individuals and departments throughout your organization will drive the success of any cybersecurity program.

Communication

Too often, IT security leaders speak in the technical jargon of their area of expertise. Not surprisingly, this makes no impact on business leaders or on others in the organization whose participation is critical to success. After all, a behavior change is only possible if the employee recognizes the risk and internalizes the change. This skill, like many others, can be learned and improved with practice. It’s unusual to see a technically capable person want to learn and hone such a skill, but it’s incredibly valuable, and when encountered, its value is readily recognized.

Culture

Culture in this context includes the perceptions, attitudes and beliefs people in the organization have toward cybersecurity. The process of incorporating emotion is often difficult for technical people to comprehend, but it plays a central role in communication and collaboration, and therefore in success at changing behavior or adopting new procedures. Old-economy companies, such as financial or government organizations, may have a “professional” culture that requires formality and procedure in communication and content. Technology companies with relatively younger employees may react better to communications with humor or animation and a more informal style. Learning the company culture will make collaboration and communication, and therefore cybersecurity, much more effective.

Ultimately, technical skills are necessary for success, but absent these soft skills, a successful cybersecurity program cannot be achieved. As an industry, we tend to emphasize and value technical skills; the same emphasis is needed for soft skills.