You have a highly technical alert with some recommendations for further investigation… but you are a team of four System Administrators wearing many hats, one of which is security ownership. The alerts keep coming, your mailbox is now at 200 alerts for the week and it's only Wednesday. Now what?
SIEM and SOC. Security Information and Event Management and the Security Operations Centre are not new concepts; they have simply been streamlined in recent times. Bringing log data into a central platform where it is normalised and correlated is a good move for any organisation. The problem is what you then do with it and, more importantly, who is looking at it. With the skillsets and creativity of malicious actors rising sharply, and the presumption now that it's not if but when our networks will be compromised, the need for visibility has never been more important. But how have we jumped from running in-house tools such as a SIEM to full SOC services in such a short time?
A SIEM tool by itself is no silver bullet, and it is likely useless without clarity of purpose and supporting analysts. This is where the SOC has been positioned. Depending on who you ask within the industry, SOCs are facilities that house a multi-tenanted SIEM and a set of other integrated tools, with the addition of highly trained analysts who correlate event data and alert on potential incidents. There are varying degrees of SOC capability, starting from basic alerting and correlation all the way through to security orchestration, automation and response (SOAR).
SOC onboarding has also been streamlined over the last few years. Getting logs from your environment into the SOC is a straightforward process which typically takes a few weeks and is conducted by dedicated onboarding teams. It is after this point, however, that the pain is felt.
The SOC is getting most of the log data, they are correlating event data, and firing alerts your way which can be very difficult to manage and keep up with, let alone determining how to prioritise and action. The story that having a SOC service will reduce the impact and load on your security team and/or reduce your risk of compromise is a myth.
The SOC concept relies on an adjacent skilled team and a certain level of security maturity within the organisation: someone watching for those alerts who can then investigate and remediate. For the vast majority of Australian organisations this is a distant dream. Most of us are not at the scale or level required, which leaves the feeling of drowning in alerts. This generally results in a lack of value, which is commonly followed by abandonment of the service, or worse, paying for something that delivers limited to no outcome.
Enter “So What?”. If you receive an alert from a security partner and have to ask “So what?” after reading it, the alert has missed the mark.
The rise of Managed SIEM providers is the step between a SIEM and a SOC. A third-party service provider undertakes the SOC component; the core differentiator, however, is the consultative approach from the beginning and improved visibility from day one. The service provider or MSSP learns the organisation well throughout the onboarding process, because the same team that onboards it is the team responding to its log data and events. This is where the value is found. Organisations can effectively “extend” their internal security function or team to local, trusted analysts who will weather the alert storm and only fire through actionable intelligence that is tailored to that organisation.
Ask yourself the question next time you receive an alert – does it meet the So What standard?
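The following is an added example, not part of the original post and not RIoT's tooling, of what “normalised and correlated” log data and the “So What” standard look like in practice. Two raw log sources (sshd syslog lines and a firewall export) are normalised into one event schema, correlated into findings (a run of failed logins, with or without a following success), then enriched with asset context and a recommended action. Only findings that an operator can act on are emitted as alerts; the rest are held for a digest. All hostnames, IP addresses, log lines and the asset table are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd syslog lines (hosts, users and IPs are made up).
SSHD_LOG = """\
Mar  4 09:12:01 fileserver01 sshd[2211]: Failed password for admin from 203.0.113.7 port 51122 ssh2
Mar  4 09:12:04 fileserver01 sshd[2211]: Failed password for admin from 203.0.113.7 port 51123 ssh2
Mar  4 09:12:09 fileserver01 sshd[2211]: Failed password for admin from 203.0.113.7 port 51124 ssh2
Mar  4 09:12:15 fileserver01 sshd[2211]: Accepted password for admin from 203.0.113.7 port 51125 ssh2
Mar  4 09:30:40 kiosk02 sshd[990]: Failed password for guest from 198.51.100.4 port 40001 ssh2
Mar  4 09:30:45 kiosk02 sshd[990]: Failed password for guest from 198.51.100.4 port 40002 ssh2
Mar  4 09:30:50 kiosk02 sshd[990]: Failed password for guest from 198.51.100.4 port 40003 ssh2
"""

# Constructed firewall export: timestamp,action,src,dst,dport
FW_LOG = """\
2024-03-04T09:11:58,allow,203.0.113.7,10.0.5.20,22
2024-03-04T09:30:38,allow,198.51.100.4,10.0.9.3,22
"""

# Constructed asset context: the information needed to answer "so what?".
ASSETS = {
    "fileserver01": {"ip": "10.0.5.20", "criticality": "high", "owner": "infra-team"},
    "kiosk02": {"ip": "10.0.9.3", "criticality": "low", "owner": "facilities"},
}

SSHD_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)

def normalise_sshd(text, year=2024):
    """Parse sshd syslog lines into the common event schema."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue  # unrelated sshd message; ignored for this example
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "source": "sshd", "host": m["host"], "user": m["user"],
                       "src_ip": m["src"], "outcome": "fail" if m["result"] == "Failed" else "success"})
    return events

def normalise_firewall(text):
    """Parse the CSV firewall export into the same schema."""
    events = []
    for line in text.splitlines():
        ts, action, src, dst, dport = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "source": "firewall", "src_ip": src,
                       "dst_ip": dst, "dport": int(dport), "outcome": action})
    return events

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Group sshd events by (host, source IP) and flag a run of failures;
    a success inside the window after the last failure marks a likely compromise."""
    by_key = defaultdict(list)
    for e in events:
        if e["source"] == "sshd":
            by_key[(e["host"], e["src_ip"])].append(e)
    findings = []
    for (host, src), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["outcome"] == "fail"]
        if len(fails) < threshold:
            continue
        first, last_fail = fails[0]["ts"], fails[-1]["ts"]
        success = next((e for e in evs if e["outcome"] == "success"
                        and last_fail <= e["ts"] <= first + window), None)
        findings.append({"host": host, "src_ip": src, "user": fails[-1]["user"], "failures": len(fails),
                         "compromised": success is not None, "ts": (success or fails[-1])["ts"]})
    return findings

def so_what(findings, fw_events, assets):
    """Attach asset context and a recommended action. Findings with an action
    become alerts; the rest are held for a digest instead of paging anyone."""
    perimeter_srcs = {e["src_ip"] for e in fw_events if e["outcome"] == "allow"}
    alerts, digest = [], []
    for f in findings:
        asset = assets.get(f["host"], {"criticality": "unknown", "owner": "unassigned"})
        external = f["src_ip"] in perimeter_srcs  # seen crossing the perimeter firewall
        if f["compromised"]:
            severity = "critical" if asset["criticality"] == "high" else "high"
            action = (f"Isolate {f['host']}, reset credentials for '{f['user']}', "
                      f"review session activity since {f['ts']:%H:%M}")
        elif asset["criticality"] == "high":
            severity = "medium"
            action = f"Block {f['src_ip']} at the perimeter and confirm MFA is enforced on {f['host']}"
        else:
            severity, action = "low", None
        record = {**f, "severity": severity, "external": external, "owner": asset["owner"], "action": action}
        (alerts if action else digest).append(record)
    return alerts, digest

def run():
    fw = normalise_firewall(FW_LOG)
    return so_what(correlate(normalise_sshd(SSHD_LOG)), fw, ASSETS)

if __name__ == "__main__":
    alerts, digest = run()
    for a in alerts:
        print(f"[{a['severity'].upper()}] {a['host']} ({a['owner']}): {a['failures']} failed logins then "
              f"success from {a['src_ip']} (external={a['external']}). Action: {a['action']}")
    print(f"{len(digest)} low-value finding(s) held for the weekly digest")
```

Run as written, the brute force against the high-criticality file server that ended in a successful login becomes one critical alert naming the owner and the action; the three failures against the low-value kiosk are recorded but not escalated. The thresholds, asset table and actions are the tailoring the post describes: without them, both findings would land in the mailbox with equal weight.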
About RIoT Solutions
At RIoT Solutions, we specialise in the integration of robust and resilient ICT and IoT solutions within Australia. We help organisations capture the Digital opportunity by bringing experience in Operational Technology (OT) and Information Technology (IT) platforms, network and security, and partnering to apply this in a domain-specific context to help solve industry challenges.
With our experience of both ICT and critical network environments, we are well placed to understand the challenges and requirements of building world-class enterprise and smart and connected networks. We are the experts at Securely Connecting Everything™.
Managed Services are a next-level addition to our professional services and security assurance offerings. Via our Security Centre based in Brisbane we can be a point of escalation, a point of resolution or a complete support partner. Leveraging our investment in people, process and technology, you can tailor a support solution to fit your IT or OT business needs. We offer a range of features including a local Service Desk, 24 x 7 on-call support and SLAs utilising the specialist expertise of our support and professional services teams.
We focus on three main areas that can be combined to provide maximum value:
1. Network & Security Infrastructure (Route, Switch, Wireless, Firewall, VPN, BYOD)
2. Security Information & Event Monitoring (SIEM) & Cyber Threat Intelligence
3. Insider Threat Intelligence (Honeypots) for ICS, BMS and IT environments