In this article, we are going to guide you on how to steer the complex world of cybersecurity. We will take you through the process of deciding whether you should do it yourself or hire an MSSP to handle it for you. We know this is daunting, but we’re here to help you navigate through this.
People, Process, Technology
Like all, you have at some point probably thought about the eternal question that confounds every SME or Enterprise business – to build a Security Operations Center or buy—engage a Managed Security Services Provider (MSSP) to help bring all the right pieces together.
Let’s face it, those who have gone through the churn know that a SOC is its own business, and like any business, it depends on three things: people, processes, and technology, the linchpin that holds the security architecture together.
Let us look at each of these separately.
According to a study by the Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA), the most significant factors behind data breaches are the lack of proper training of non-technical employees and the lack of highly skilled cybersecurity professionals.
The skills shortage has a direct impact on security operations, that includes, an ever-increasing workload on the existing cybersecurity staff, lesser-experienced professionals being asked to deliver on advanced security requirements, team and business dependency on technology-based solutions without the expertise to manage well, and, last but not the least, their inability to learn or utilize security technologies to their full potential.
We are also seeing an interesting trend, where SMEs and Enterprises are trying to build their own Security Analytics solutions, and one of the most cited reasons for this adventure is, they have had little or no success with products or solutions they have purchased.
A year into this adventure, and almost all realise that the annual cost and resources required to maintain DIY cybersecurity are almost always more than what companies expect, and because there’s a scarcity of security professionals, there aren’t enough qualified people to operate it.
Which brings back the focus to the most fundamental question, at what cost? Are you going to pay more than the value of the asset to protect?
Essentially, cybersecurity is the function that provides checks and balances for the protection of data and systems. It is much more than hardware and software. Organisations need to realise that there is no magic pill in cybersecurity and without an effective policy framework, that includes employee training and risk management processes, they are always at great risk of breach.
Now, if it’s DIY, your team has to be monitoring the environment on-prem and in the cloud 24/7/365. They need to be constantly scanning for vulnerabilities, conducting penetration tests, logging, notifying and escalating incidents, creating compliance reports, handling new technologies, the list goes on.
On the contrary, a cybersecurity vendor has many processes automated and capitalises on AI, ML, other related technologies, and advanced analytics to handle threats and incidents that could take hours or days to do manually. Additionally, They are also continually tweaking the rules to ensure up-to-date protection.
To be effective, a SOC needs a Security Information and Event Management (SIEM) or similar platform to collect, aggregate, normalize, detect and analyze suspicious incidents. Other tools are also needed to discover vulnerabilities in hardware, software, applications, and services running on-premises or in cloud environments.
When assessing SIEM solutions, it is important to consider the kind of stack the vendor tool is built on top of. Some SIEM solutions are analytics platforms that are retrofitted on top of a legacy data platform like native files or Relational Databases (RDMS). What you need is one that is built natively on an analytics and machine learning stack that comes without limitation in storage or performance. This has a bearing on the scale as modern analytics platforms can support the streaming of large volumes of SIEM data with ease.
If you have compliance requirements, you’ll need tools to pull those reports. Customising them can take a long time, but some vendors offer compliance reports tailored to the standards for each organisation (PCI DSS, HIPAA/HITRUST, and GDPR).
Organisations that deal with HyperScale SIEM data usually need both UEBA and SOAR (security, orchestration, automation, and response) solutions. UEBA involves monitoring user behavior for suspicious activity such as sudden surges in data transfer or access from an unusual location.
SOAR is required when the SIEM tool takes automated actions to respond to a threat. Playbooks are central to implementing SOAR. These playbooks are a step-by-step response to a particular threat that follows exactly what a Security Analyst would do in that situation.
Options for hyper scale SIEM
Elasticsearch as a DIY option is great for a quick start, but it is known to run into challenges of scale. In addition, their recent licensing changes make Elasticsearch even riskier to bet on.
IBM QRadar is an older SIEM solution that is widely adopted by many enterprises. It leverages correlation and other tactics to deal with large-scale data but is one of the solutions retrofitted to an aging data platform.
Splunk is a great option as a modern SIEM solution that includes UEBA and SOAR capabilities natively. It does well at scale and excels at machine learning capabilities. The downside is that costs can quickly spiral out of control when data reaches hyperscale levels.
A new entrant in the segment is DNIF HyperScale SIEM. DNIF is a composite solution that combines UEBA and SOAR into a single application. The pricing is per device rather than by data volume. This frees you to ingest all your data and not compromise on data resolution. DNIF has recently released a community edition of their SIEM solution that organisations can use without limits or restrictions. If you’re in the market for a hyperscale SIEM solution, DNIF might be a strong contender.
LogRhythm comes with many out-of-the-box integrations and is capable of threat hunting. However, users have reported a drop in performance when the dataset is large, and that configuring and setting up LogRhythm can be a hassle.
In conclusion, SMEs and Enterprises will inevitably run into challenges of scale as they grow. Most of these organisations are better off avoiding the trap of DIY tooling and opting for a purpose-built SIEM as duct-taping different solutions make it operationally unviable. Organisations must realise that they need to focus on building their business rather than building a security solution which is not their core competency.
Even when choosing one, be sure to look under the hood to tell the differences between them. Make sure the solution you choose can overcome both obstacles to hyperscale SIEM: technology and cost.