By Randy Franklin Smith
I’m a big believer in security analytics and detective controls in general. At least sometimes, bad guys are going to evade your preventive controls, and you need the critical defense-in-depth layers that detective controls provide through monitoring logs and all the other information a modern SIEM consumes. Better yet, going on the offensive with threat hunting approaches the concept of taking the battle to enemy instead of passively waiting.
But a SIEM is like an exercise machine. If no one’s using it – regularly and intensely – it can be the best exercise machine in the world, but you aren’t going to get stronger or lose weight.
And the exercise machine analogy only gets you so far because doesn’t highlight the need for highly skilled specialists. Perhaps a better analogy is to compare the myriad sensors, passive and active monitoring systems on an aircraft carrier. All that technology isn’t much use if there’s no 24/7 team of specialists interpreting the data and funneling the threat situation up to the officer on duty. It’s just a bunch pretty flashing lights and screens.
Likewise, a SIEM needs a SOC. But how many small- to medium-sized enterprises really have the team, resources and skills it takes to monitor, analyze and investigate what your SIEM is telling you – when it’s telling you? If you are like me, you may have the skill, but certainly don’t have time to look at a SIEM a few minutes each day, and we aren’t big enough to run a 24/7 SOC either.
So perhaps you settle for turning up the squelch and letting the SIEM only alert you to the most suspicious events and try to take a look at its dashboard every day. At least you are collecting logs in case something happens – right?
But that approach is unlikely to catch incidents in time to limit the damage. It’s frustrating because small businesses are just as much at risk to cyber threats as large enterprises, but we can’t leverage the economies of scale to do security right.
Or can we? The solution for SMBs is the same as large enterprises – leverage economy of scale – but what’s different is the way that scale is achieved. Large enterprises have the scale in-house. The organization is large enough to justify funding and running an in-house SOC.
But small businesses can combine to get that economies of scale. We aren’t talking about some kind of security co-op – although that’s interesting idea. What we are talking about is security monitoring as a service. Instead of, or in addition to, implementing an on-prem SIEM, some organizations are working with service providers to get the benefits of a SOC. It’s almost like a corporate jet fractional ownership plan, but better. The jet may or may not be available when you need it.
But with SIEM-as-a-Service you still get all the power, flexibility and security of an on-premise SIEM. You can use and take advantage of the SIEM as much as you have time and resources for – to do your own monitoring and threat-hunting informed by your intimate knowledge of your organization and network. But in addition to your efforts you are backed up by a 24/7 SOC operation watching your SIEM and providing for its care and feeding. When you get busy on other projects, incidents and investigation you don’t have to worry that no-ones at the controls.
This is important because security monitoring and your SIEM is only a fraction of everything else small or event 1-person security team needs to be working on.
Event Tracker for example provides this in their SIEM as a Service solution, SIEMphonic. Their offering includes SIEM, intrusion detection, vulnerability scanning, threat intelligence, and HoneyNet deception technology, implemented either on-premises or in the cloud. Experts at the company’s 24/7 intelligence-driven SOC provide remote administration and analytics.