Inside the Briefcase

Augmented Reality Analytics: Transforming Data Visualization

Augmented Reality Analytics: Transforming Data Visualization

Tweet Augmented reality is transforming how data is visualized...

ITBriefcase.net Membership!

ITBriefcase.net Membership!

Tweet Register as an ITBriefcase.net member to unlock exclusive...

Women in Tech Boston

Women in Tech Boston

Hear from an industry analyst and a Fortinet customer...

IT Briefcase Interview: Simplicity, Security, and Scale – The Future for MSPs

IT Briefcase Interview: Simplicity, Security, and Scale – The Future for MSPs

In this interview, JumpCloud’s Antoine Jebara, co-founder and GM...

Tips And Tricks On Getting The Most Out of VPN Services

Tips And Tricks On Getting The Most Out of VPN Services

In the wake of restrictions in access to certain...

Is there anybody out there? Don’t Let Your Security Vendor Forget You!

May 19, 2016 No Comments

Featured blog by Mark McArdle, Chief Technology Officer at eSentire

I recently spoke at a conference for IT leaders in investment companies.  These organizations are the top brands in their industry and are firmly in the small to mid-sized enterprise space from a headcount perspective.  They are very visible businesses with very visible investors.  The conference was a great opportunity to hear directly from this group about the cybersecurity issues that keep them up at night.

Many of their challenges are common for organizations operating in the small to mid-sized enterprise space.  They face an ever-growing IT infrastructure workload with limited resources.  Many are embracing the cloud services model, certainly for services like Exchange, and all are faced with the acute challenge of not having enough in-house expertise when it comes to cybersecurity.

As with many other responsibilities, cybersecurity is increasingly being handled through partnering.  There is a diverse perspective on what partnering for cybersecurity means.  It can range from VAR-like deployment and management of endpoint malware solutions and firewall management to SIEM-like log management and to full-blown continuous monitoring and hunting.

During one of the dinner sessions, a discussion started among some of the attendees at my table about their (well-known) cybersecurity partner.  “I never hear from their SOC (Security Operations Center),” was the first comment.  Others agreed: “Yeah, me neither.  I’d like to feel good about that, but I don’t think my network is that clean.”

“I never hear from their SOC,” was the first comment.  Others agreed: “Yeah, me neither. I’d like to feel good about that, but I don’t think my network is that clean.”

The discussion continued, centering on how most were sending their logs to the vendor and in return, got pretty reports, but no real-time alerting or urgent communications from the SOC.  This should definitely be setting off alarm bells – what, exactly did they pay for?

There are many challenges hunting for threats when all you have access to is log data.  Certainly there are useful things in the data, like password grinding, privileged account creation etc.  But those events do not represent the whole picture.  Frankly, it’s a tiny sliver of the threats seen in a SOC every day.

Further, the economics of hunting do not lend themselves to the pricing models deployed.  When a vendor is proud to state that “99% of events are automatically processed without human intervention”, the bias is clearly to not have SOC analysts investigate anomalies.  That can be margin-destroying for companies who don’t have the right tools, and don’t have access to the important data (like full packet capture archives).

So, it should come as no surprise that even when a vendor receives thousands of events from your next gen firewall about the attacks it’s blocked, it still won’t result in a call from their SOC.  But if it did, what would that call sound like? Maybe, “Hi, your PAN Firewall blocked a ZeuS botnet download.  Just thought you should know. Bye!”

That kind of call isn’t terribly useful, and certainly not something you’d pay for.  So it’s probably best to not call at all.  And that is why it’s common to hear nothing from those type of SOCs.

Users need to get a few alerts a day from their SOC with very clear alerts about what they saw, what they did, and what follow-up actions are required.  When it’s a serious issue, they should be required to acknowledge the alert, and if I don’t respond quickly enough, the vendors should take action.

IT leaders will certainly have some questions about the type of alerts to get, and what to do with them.  Each alert should be automatically integrated with a ticketing system, so if a device requires remediation, it’s immediately actioned.

Beyond alerts, your security provider should know you and your business.  Vendors that don’t go out of their way to make those connections leave open too many insecure doors.

Mike M

Mark McArdle – Chief Technology Officer @ eSentire

Leave a Reply

(required)

(required)


ADVERTISEMENT

Gartner

WomeninTech