By: Scott Williamson, VP of Information Services
Monitoring your environment is a basic essential when it comes to developing a mature security program. That’s the case whether your objective is to comply with regulatory and other requirements, or simply to improve your overall security posture – and whether you’re starting from scratch or adding to your existing security tools. MDR, SIEM, and XDR are each viable solutions in the right context, but selecting what is right for your environment can be overwhelming – and mistakes can be very costly.
As soon as you begin to consider security monitoring, though, a host of questions arise. Is my environment ready for it? How can I best combine human expertise and automation? What key factors should I consider as I compare potential solutions?
The best starting point is to clearly define your goals and build as comprehensive a picture as possible of your existing risks and internal assets. This will enable you to identify the best services for your needs, budget, and desired timescales.
Let’s look at two key issues – your organization’s Risk Threshold, and staffing issues relating to implementation – to help you find the best options for your security ecosystem.
Your Risk Threshold
There are three principal inputs to consider – the assets you need to protect, the costs which would arise should a breach occur, and the costs associated with “dwell time”.
1. What Assets do you Need to Protect?
It is essential to evaluate your risks in line with a recognized standard such as the NIST Cybersecurity Framework. A formal risk assessment like this will identify the specific contextual risks in your environment, relating to areas such as your infrastructure, critical and non-critical assets, technologies, vendors and human resources. This will help build a picture of how each of these areas relates to the others – and how much each contributes to your overall risk profile.
Such a risk assessment will provide a benchmark quantifying your current situation, and where you need to get to. This is key to subsequent planning and deployment, and will save significant time and money as your project moves forwards.
2. What Would a Breach Actually Cost?
It is important to decide how much financial risk is too much for your business. Drawing that line enables you to determine the length of time you can allow for incident detection and remediation, based on the cost of such a delay.
Such costs can be hefty, averaging $4.24 million per breach globally, according to the 2021 Ponemon Cost of a Data Breach report. Looking at ransomware in isolation, the figure increases to $4.62 million, and where remote working was a factor in the breach, costs rise by a further $1.07 million.
Mega breaches, meanwhile, involving 1 million to 65 million compromised records, generate still greater costs, and in some sectors breach penalties, compliance requirements, and notification and remediation costs can drive the figures even higher. In healthcare, for example, the average cost per breach is a jaw-dropping $9.23 million.
In the light of such figures, it’s perhaps not surprising that the United States has, for each of the past 11 years, been the most expensive nation in the world in which to suffer a breach.
One reason for the enormous cost of breaches is that effective security monitoring is not as common as we might hope. Gartner’s analysts say that many of the organizations they talk to are either unhappy with their existing SOC services or haven’t yet got them up and running, from which we conclude that poor monitoring is widespread.
To calculate your potential costs, a precise, comprehensive Risk Assessment, considering all the factors of your context, is key. This information is essential as you work with your CFO to decide what levels of risk are acceptable to your organization.
3. What does Dwell Time Actually Cost?
The longer attackers remain covertly in your systems after securing their initial foothold, the more opportunity they have to corrupt and steal data, penetrate your infrastructure more deeply, and generally act with impunity.
Unsurprisingly, longer dwell times generally mean greater resulting costs. According to the 2021 Ponemon Cost of a Data Breach report, data breaches which took more than 200 days to identify and contain cost, on average, $4.87 million, while those clocking in at under 200 days averaged $3.61 million. (The overall average time to identify and contain came out at 287 days.)
It’s worth noting as an aside that a key benefit of cybersecurity monitoring, detection, and response solutions is that by stopping attacks and denying cyberattackers access to your estate, they directly mitigate the financial risks associated with breaches.
Setting your risk threshold against the key assets that need to be protected, which you will have evaluated during your risk assessment, will help you determine how long you are willing to wait before an analyst is available to look at your logs. Does detection need to be real-time, 24/7/365, with every alert handled as soon as possible? Or are you comfortable not knowing about activity outside the normal work week, such as on a Friday at 6pm after your team has gone home for the weekend? If you don’t want to risk coming back on Monday to a network you can’t access because of a cyber-attack, you are looking at an around-the-clock detection and response solution.
Human Resource Issues
It’s all too easy to focus on the technology side of cybersecurity, but talent is the hidden essential ingredient. Without the right expertise on hand, in sufficient quantities, you’ll be heading for a poor or even failed implementation, and weaker security.
Don’t risk underestimating the resources you’ll need for effective solution monitoring, tuning and management – assess your human resource needs with care and attention to detail.
Build out an inventory of your existing security human resources, for comparison with the resources that will be necessary to manage your solution. Begin with a list of all your employees, their areas of expertise and how much time each can devote to the new program.
Having identified the time your team can devote to the program, consider their training. It’s critical that every team member knows, in detail, every correlation rule, tool, process and protocol they’ll be working with, and what a correct response looks like.
You may want to outsource your monitoring and response services, in whole or in part. If so, you should carefully assess the training and response processes of every individual who will work with your systems.
How will they ensure you remain fully informed, but without causing alert fatigue? What should they do when an incident or event occurs? Who would be your point of contact when you need to speak to them, or they get in touch in connection with a response?
When our customers need to speak to an analyst in our SOC, perhaps because they have an issue needing escalation or because they’ve come up against a difficulty on site, they can always speak to an analyst who is fully familiar with their environment. That’s a significant benefit, when compared to some SOCs, which are really SOCs in name only – and in reality are little more than call centers, or may even be sourced overseas.
That ability to speak with an analyst who has the knowledge, skills, expertise and understanding of your environment is key when you fear your systems may have been compromised, both for peace of mind, and for a swift and effective response.
If you decide to staff your monitoring internally, you’ll want to know what the costs will be. To calculate your expected costs, take the number of hours of coverage you need each week and work out how many full-time employees it takes to deliver those hours. Remember to allow for sick days, holidays, training and other absences: an analyst on a 40-hour contract delivers well under 2,080 productive hours a year.
Typically, such calculations come out at around two to three full-time equivalents (FTEs) for 8am to 5pm monitoring, Monday to Friday, and seven to ten FTEs for around-the-clock monitoring every day of the year. Those are conservative figures, though – some estimates would put the latter number nearer to 12 FTEs. Once you have your FTE number, simply multiply it by the fully loaded cost to your business of each analyst.
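The following calculator turns the staffing rule of thumb above into a reproducible estimate. It is an added example, not part of the original article, and the absence allowances, the 40-hour contract and the assumption of two analysts on shift at any time are illustrative figures you should replace with your own.

```python
"""Estimate the FTEs needed to staff a security monitoring rota.

Added worked example (not the article's own tooling). Method: hours of
coverage per year, multiplied by the number of analysts who must be on
shift at once, divided by the hours one analyst can actually work after
leave, sickness, public holidays and training are removed.
"""
import math
from dataclasses import dataclass

WEEKS_PER_YEAR = 52


@dataclass(frozen=True)
class AnalystAvailability:
    """Assumed availability profile for one analyst (adjust to your contracts)."""
    contracted_hours_per_week: float = 40.0
    vacation_days: int = 20
    sick_days: int = 8
    public_holidays: int = 10
    training_days: int = 10

    def productive_hours(self) -> float:
        """Hours per year one analyst can really spend on shift."""
        nominal = self.contracted_hours_per_week * WEEKS_PER_YEAR
        hours_per_day = self.contracted_hours_per_week / 5
        absent_days = (self.vacation_days + self.sick_days
                       + self.public_holidays + self.training_days)
        return nominal - absent_days * hours_per_day


def coverage_hours_per_year(hours_per_day: float, days_per_week: int) -> float:
    """Hours the rota must cover in a year (e.g. 9 h x 5 days, or 24 h x 7 days)."""
    return hours_per_day * days_per_week * WEEKS_PER_YEAR


def fte_required(hours_per_day: float, days_per_week: int,
                 analysts_on_shift: int = 2,
                 availability: AnalystAvailability = AnalystAvailability()) -> float:
    """Fractional FTEs needed; the rota cannot be staffed by fewer than ceil() of this."""
    seat_hours = coverage_hours_per_year(hours_per_day, days_per_week) * analysts_on_shift
    return seat_hours / availability.productive_hours()


def annual_staffing_cost(hours_per_day: float, days_per_week: int,
                         loaded_cost_per_analyst: float,
                         analysts_on_shift: int = 2) -> dict:
    """Headcount and cost for a coverage window; cost uses whole analysts."""
    fte = fte_required(hours_per_day, days_per_week, analysts_on_shift)
    headcount = math.ceil(fte)
    return {"fte": round(fte, 2), "headcount": headcount,
            "annual_cost": headcount * loaded_cost_per_analyst}


if __name__ == "__main__":
    # Constructed comparison: business hours versus 24/7/365, at an
    # assumed $120,000 fully loaded cost per analyst.
    for label, hours, days in (("8am-5pm Mon-Fri", 9, 5), ("24/7/365", 24, 7)):
        print(label, annual_staffing_cost(hours, days, 120_000))
```

With the assumed profile, business-hours coverage with two analysts on shift needs just under 3 FTEs and 24/7 coverage just over 10, which is why the article's ranges widen to 12 once realistic absence rates are included. Reducing `analysts_on_shift` to 1 roughly halves the figures but leaves no cover for a second concurrent incident or an unplanned absence.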
Having assessed your Risk Threshold and staffing costs, you should be in a stronger position to make decisions as to how you want to manage your SOC services – in-house, entirely outsourced, or part and part. This should help inform your decisions relating to security components such as SIEM, Managed SIEM and MDR.
Be sure to evaluate and compare on the basis of management and response service levels – this will mean digging deep into what each potential provider is offering, as different providers will characterize their offerings differently to one another.
Multiple Providers – Hidden Costs
Time and again we’ve heard from our customers that when they’ve used multiple providers for GRC support, assessments, SOC services and IT needs, they’ve suffered delays, misunderstandings and additional costs as the different teams have struggled to work together and communicate effectively.
Project timelines were extended and they found it difficult to streamline or consolidate them, and they missed out on the benefits that would have been realized had different projects effectively informed one another.
Appointing a single provider for these various services can save time and money, and improve results. Different teams can collaborate easily, sharing information and building a clear and efficient roadmap for the execution of multiple projects – for example when the need for system engineering works arises during remediation.
What’s Best for You?
Security is about far more than just tools. You also need expertise and understanding to make those tools work effectively for you.
Working with Cerberus, you get the full benefit of our unique cybersecurity expertise. We work with you to help you evaluate the tools you need, making recommendations according to your environment, the risks your business faces, and the budget you have available.
We help you understand and compare SIEM and Managed SIEM, MDR, XDR (Extended Detection and Response) and SOCaaS, to identify which approach will be most effective and cost effective for you.