What’s the Ideal Approach to Security Event Monitoring?
What is an ideal approach to security event monitoring when staff and budget constraints are uncomfortable realities for many midsize enterprises (MSEs)? The widespread skills shortage in cybersecurity means that many organizations can no longer compete for top-notch talent and thus are unable to staff up sufficiently even as security threats multiply and become more sophisticated. Tight budgets likewise limit their ability to keep up with critical hardware and software upgrade cycles.
For example, implementing an on-premises security information and event management (SIEM) solution is out of reach for many companies, both in terms of cost and the logistics of its day-to-day operation. What’s more, in combating today’s growing threat landscape, in-house security teams may frequently take on too much responsibility, leading to overworked personnel.
As a result, many organizations have sought external help through contracted solutions from managed security services providers. Unfortunately, the relationships between MSEs and their security partners are often unproductive, with an overemphasis on parsing alerts that are collected and then tossed back over the wall to the customer for further action.
The Problem with Alerts in Security Event Monitoring
To get a sense of the specific alert problem this creates, picture this: You’re having problems with your home Wi-Fi network, so you call your cable company for help. All you get in response, however, is an endless stream of email attachments containing the event logs for your modem.
It would be a headache for anyone without preexisting technical knowledge to know what to do, and that’s more or less the situation many MSEs find themselves in concerning their network defenses in general and security event monitoring (SEM) in particular:
- Alert fatigue is ubiquitous. A 2017 study from Enterprise Management Associates, “A Day in the Life of a Cyber Security Pro,” found that over three-quarters of security team respondents felt overwhelmed by the volume of alerts.
- Similarly, over half of these alerts were not properly prioritized and had to be manually reworked, while 79 percent of patching processes were also manual. Each day, 64 percent of alerts were not even acted upon.
- What’s behind these struggles? Consider the findings of an October 2017 Gartner report, which found that MSEs faced high barriers to entry in configuring SIEMs. These technologies ideally streamline threat identification and triage for security operations centers (SOCs), which establish context to develop and manage appropriate responses.
How each organization ultimately approaches SEM depends on its size, the level of security resources it requires and its overall risk tolerance. Smaller companies can no longer count on larger enterprises to bear the brunt of cyberattacks, since perpetrators now realize – and seek to capitalize on – the unique vulnerabilities of shorthanded and under-protected MSEs.
Various Approaches to SEM
In response, the security teams at these firms need strategies supported by tools that go well beyond purely preventive options such as firewalls and endpoint protection agents. But can they afford and support such modern detection capabilities? There are several options, each with its own unique advantages and disadvantages:
Centralized log management
This solution makes sense for budget-conscious and undermanned firms with high risk tolerance that have generally simple use cases. The associated tools are more economical than a SIEM, but are also less capable and in constant need of maintenance.
A remotely managed SIEM
This setup is more advanced than centralized log management alone: the customer owns or leases a full SIEM outfitted with remote management capabilities so that a managed services provider can operate it. It offers greater flexibility in how the SIEM is operated and updated, while having the key drawback of still requiring extensive maintenance oversight (e.g., patching) by internal teams.
A SIEM plus a SOC
As noted earlier, a SIEM is most valuable in combination with a SOC because a SIEM by itself is simply context-free technology. The SOC adds the extra engineering expertise and general management necessary for effective response amid the noise and false positives of all network alerts. While many MSEs shy away from implementing a SOC due to its considerable expense, a cloud-based SOC-as-a-service solution eliminates the need to purchase, install and maintain a SOC and SIEM on your own, providing MSEs with a comprehensive yet affordable option for cyber protection.
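The alert-volume figures above and the point that a SIEM is context-free until a SOC adds context can both be made concrete in a few lines. The following is an added example, not code from the article or from any vendor it mentions: it takes a constructed stream of SIEM-style JSON alerts, collapses repeats of the same rule on the same host within a time window, enriches each group with a hypothetical asset inventory (criticality and role), and ranks the result. The asset table, rule names, severity weights, time window and scoring formula are all assumptions chosen for illustration. Comparing the ranked queue with the severity-only order shows why a low-value lab machine can crowd out a domain controller when nothing supplies context.

```python
"""Alert aggregation and context-aware prioritization (added example, not the article's code).

Constructed SIEM-style alerts are deduplicated per (rule, host) within a time
window, enriched with a hypothetical asset inventory, and ranked so an analyst
sees a short prioritized queue rather than a raw alert stream.
"""
import json
from datetime import datetime, timedelta

# Hypothetical asset inventory: criticality 1 (low) .. 5 (high).
ASSET_CONTEXT = {
    "dc01": {"criticality": 5, "role": "domain-controller"},
    "web01": {"criticality": 4, "role": "internet-facing-web"},
    "lab-vm7": {"criticality": 1, "role": "test"},
}

# Assumed mapping from a SIEM severity label to a numeric weight.
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed raw alerts (JSON lines), including one malformed line to skip.
RAW_ALERTS = """\
{"ts":"2024-01-10T09:00:01Z","rule":"brute_force_ssh","severity":"medium","host":"web01","src":"203.0.113.5"}
{"ts":"2024-01-10T09:00:07Z","rule":"brute_force_ssh","severity":"medium","host":"web01","src":"203.0.113.5"}
{"ts":"2024-01-10T09:00:15Z","rule":"brute_force_ssh","severity":"medium","host":"web01","src":"203.0.113.5"}
{"ts":"2024-01-10T09:02:00Z","rule":"new_admin_account","severity":"high","host":"dc01","src":"10.0.0.23"}
{"ts":"2024-01-10T09:03:00Z","rule":"av_signature_update_failed","severity":"high","host":"lab-vm7","src":"-"}
{"ts":"2024-01-10T09:03:30Z","rule":"av_signature_update_failed","severity":"high","host":"lab-vm7","src":"-"}
this line is not JSON and must not abort the run
{"ts":"2024-01-10T09:45:00Z","rule":"brute_force_ssh","severity":"medium","host":"web01","src":"198.51.100.9"}
"""


def parse_alerts(text):
    """Parse JSON-lines alerts; malformed lines are skipped, not fatal."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
            alert["ts"] = datetime.strptime(alert["ts"], "%Y-%m-%dT%H:%M:%SZ")
            alerts.append(alert)
        except (ValueError, KeyError, TypeError):
            continue  # a production pipeline would count these for monitoring
    return alerts


def aggregate(alerts, window=timedelta(minutes=10)):
    """Collapse repeats of the same rule on the same host within `window`."""
    groups = []
    open_groups = {}  # (rule, host) -> index of the most recent group
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        key = (alert["rule"], alert["host"])
        idx = open_groups.get(key)
        if idx is not None and alert["ts"] - groups[idx]["first_seen"] <= window:
            group = groups[idx]
            group["count"] += 1
            group["last_seen"] = alert["ts"]
            group["sources"].add(alert["src"])
        else:
            groups.append({
                "rule": alert["rule"], "host": alert["host"], "severity": alert["severity"],
                "first_seen": alert["ts"], "last_seen": alert["ts"],
                "count": 1, "sources": {alert["src"]},
            })
            open_groups[key] = len(groups) - 1
    return groups


def prioritize(groups, context=ASSET_CONTEXT):
    """Score = severity weight x asset criticality + capped repeat bonus; highest first."""
    ranked = []
    for group in groups:
        asset = context.get(group["host"], {"criticality": 2, "role": "unknown"})
        score = (SEVERITY_WEIGHT.get(group["severity"], 1) * asset["criticality"]
                 + min(group["count"] - 1, 5))
        ranked.append({**group, "role": asset["role"], "score": score})
    ranked.sort(key=lambda g: (-g["score"], g["first_seen"]))
    return ranked


def triage(text):
    """Full pipeline: parse -> aggregate -> prioritize."""
    return prioritize(aggregate(parse_alerts(text)))


def severity_only_order(text):
    """The context-free view: severity label, then arrival time, no dedup."""
    alerts = parse_alerts(text)
    alerts.sort(key=lambda a: (-SEVERITY_WEIGHT.get(a["severity"], 1), a["ts"]))
    return [(a["rule"], a["host"]) for a in alerts]


if __name__ == "__main__":
    for item in triage(RAW_ALERTS):
        print(f'{item["score"]:>3}  {item["rule"]:<28} {item["host"]:<8} '
              f'{item["role"]:<20} x{item["count"]} from {sorted(item["sources"])}')
```

With the constructed input, seven raw alerts become four queue items: the new admin account on the domain controller leads (score 15), the repeated SSH brute-force group on the web server follows (score 10), then the single later brute-force attempt (8), and the repeated AV update failure on the lab VM comes last (4). In the severity-only order that same lab VM alert sits second, directly under the domain-controller event, which is the kind of noise the article describes being thrown back over the wall.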