How to gain and maintain cyber security efficiency

The argument for outsourcing security to a Managed Security Services Provider

Companies cannot afford to ignore cyber security. It is no longer a question of whether a company network will be compromised by cyber criminals, but when. 

If the criminals act on that compromise and the victim company has no or inadequate security, the impact is likely to be significant. Firstly, there are the direct costs of the breach itself. Secondly, being breached with no or inadequate security invites the additional cost of regulatory fines for non-compliance with data protection laws such as GDPR. Defending against GDPR fines does not simply require some security: Article 32 requires technical and organisational measures 'appropriate' to the risk, so the question a regulator asks is whether the protection in place was appropriate, not whether it existed.

It was reported in August 2020 that GDPR has already resulted in fines totalling €175,944,866 (£158,630,131) [1], with the largest fines going to the worst offenders, those whose security was found to be inadequate.

Adequate alert triaging is almost impossible

The result of the combined breach and compliance pressure is that companies often purchase additional point security products in an uncoordinated manner. Many of these products now include machine learning (a basic form of artificial intelligence) to detect anomalies on the network.

Machine learning systems are excellent at detecting anomalies, but they are poor at distinguishing benign anomalies (a new backup job, a user logging in from a new location) from genuine indications of malicious activity. That decision still needs a human in the loop, and the volume of anomaly alerts raised by machine learning is daunting.

This is exacerbated by the number of alerts coming from other security products and sources: anti-malware products and firewalls, users reporting possible phishing attempts, endpoint telemetry, a SIEM if one is installed, and routers and switches around the network.

This causes two problems. Firstly, a vast number of alerts is generated by disparate systems, each in its own format. Most turn out to be false positives and are harmless, but each one needs to be examined by a human expert to determine its importance, a process known as triage. Secondly, triaging a large number of alerts in a short period requires expert, and therefore expensive, engineers.
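The paragraph above describes the problem a SIEM exists to reduce: alerts arriving in different formats from different products, most of them noise, with the real signal being several products agreeing about one host. The following is an added example written for this page, not code from the original article or from any MSSP, of the first three steps an analyst or a managed SIEM applies before a human looks at anything: normalise everything to one record, collapse repeats, then correlate by host and rank. The firewall log lines, anti-malware records, user phishing report, IP addresses, severity scale and the 09:00 to 17:00 UTC business-hours window are all constructed assumptions for illustration; real vendor exports differ.

```python
"""Normalise, deduplicate, correlate and rank alerts from disparate sources.

Added example, not part of the original article. All sample data below is
constructed; vendor log formats, field names and severities are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import re

# --- Constructed sample input in three different formats ------------------
FIREWALL_LOG = """\
2024-03-04T02:13:05Z DENY src=203.0.113.7 dst=10.0.0.12 dpt=445
2024-03-04T02:13:06Z DENY src=203.0.113.7 dst=10.0.0.12 dpt=445
2024-03-04T02:13:07Z DENY src=203.0.113.7 dst=10.0.0.12 dpt=445
2024-03-04T09:41:00Z DENY src=198.51.100.9 dst=10.0.0.40 dpt=22
"""
AV_ALERTS = [  # constructed anti-malware export
    {"time": "2024-03-04T02:14:30Z", "ip": "10.0.0.12", "severity": "high", "name": "Trojan.Generic"},
    {"time": "2024-03-04T11:02:00Z", "ip": "10.0.0.40", "severity": "low", "name": "PUA.Toolbar"},
]
USER_REPORTS = [  # constructed "report phishing" button submissions
    {"time": "2024-03-04T02:20:00Z", "ip": "10.0.0.12", "subject": "Invoice attached - please review"},
]

SEVERITY = {"low": 1, "medium": 2, "high": 3}  # assumed 1..3 scale

@dataclass
class Alert:
    ts: datetime
    source: str     # "firewall", "av" or "user"
    host: str       # internal asset the alert concerns
    severity: int   # 1..3
    summary: str
    count: int = 1  # raised by dedupe() when repeats are collapsed

@dataclass
class Incident:
    host: str
    alerts: list
    score: int
    out_of_hours: bool

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

FW_RE = re.compile(r"^(\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dpt=(\d+)$")

def parse_firewall(text):
    """Only DENY lines become alerts; the internal destination is the host of interest."""
    out = []
    for line in text.splitlines():
        m = FW_RE.match(line.strip())
        if m and m.group(2) == "DENY":
            ts, _, src, dst, dpt = m.groups()
            out.append(Alert(_ts(ts), "firewall", dst, 1, f"denied {src}->{dpt}"))
    return out

def normalise_av(records):
    return [Alert(_ts(r["time"]), "av", r["ip"], SEVERITY[r["severity"]], r["name"]) for r in records]

def normalise_reports(records):
    # A user report is unverified but a person raised it: treated as medium (assumption).
    return [Alert(_ts(r["time"]), "user", r["ip"], 2, "phishing report: " + r["subject"]) for r in records]

def dedupe(alerts, window=60):
    """Collapse repeats of the same (source, host, summary) seen within `window` seconds."""
    out = []
    for a in sorted(alerts, key=lambda x: x.ts):
        for kept in reversed(out):
            if (kept.source, kept.host, kept.summary) == (a.source, a.host, a.summary) \
                    and (a.ts - kept.ts).total_seconds() <= window:
                kept.count += 1
                break
        else:
            out.append(Alert(a.ts, a.source, a.host, a.severity, a.summary))
    return out

def out_of_hours(ts):
    """Assumed business hours: 09:00-17:00 UTC, Monday to Friday."""
    return ts.weekday() >= 5 or not 9 <= ts.hour < 17

def _score(host, group):
    sources = {a.source for a in group}
    score = sum(a.severity for a in group)
    # Independent products agreeing about one host is the signal no single product can see.
    if len(sources) > 1:
        score *= len(sources)
    return Incident(host, group, score, any(out_of_hours(a.ts) for a in group))

def correlate(alerts, window=900):
    """Group alerts about the same host within `window` seconds into one incident, highest score first."""
    by_host = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        by_host.setdefault(a.host, []).append(a)
    incidents = []
    for host, items in by_host.items():
        group = [items[0]]
        for a in items[1:]:
            if (a.ts - group[-1].ts).total_seconds() <= window:
                group.append(a)
            else:
                incidents.append(_score(host, group))
                group = [a]
        incidents.append(_score(host, group))
    return sorted(incidents, key=lambda i: i.score, reverse=True)

def triage(firewall_text, av_records, user_records):
    alerts = parse_firewall(firewall_text) + normalise_av(av_records) + normalise_reports(user_records)
    return correlate(dedupe(alerts))

if __name__ == "__main__":
    for inc in triage(FIREWALL_LOG, AV_ALERTS, USER_REPORTS):
        flag = "OUT OF HOURS" if inc.out_of_hours else "in hours"
        print(f"{inc.host} score={inc.score} ({flag}) " + "; ".join(
            f"{a.source}: {a.summary} x{a.count}" for a in inc.alerts))
```

Seven raw alerts become five after deduplication and three incidents after correlation, and the one that matters, a workstation seeing blocked inbound SMB, a malware detection and a user phishing report within a few minutes, rises to the top with a score many times that of the two isolated low-severity events. It is also flagged as out of hours, which is the point made later about attackers timing their activity for when analysts are away from their desks. None of this replaces the human decision; it decides what the human looks at first.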

The salary alone for a good analyst will likely exceed £40,000 per annum, and more than one analyst is needed to triage effectively the volume of alerts generated by modern security products.

A basic team of analysts will likely cost more than £155,000 per annum. This assumes that good analysts can be found at all, given the well-documented global cyber security skills gap, and then retained in a market where poaching experienced staff is standard practice. Replacing and training staff is a further cost.

Even where companies can afford a team of analysts, that team is usually still unable to handle the volume, and alerts are missed or ignored. “Many teams find they can only analyse a fraction of the thousands of alerts that come in each day, leaving threats that often go unnoticed for months,” warns Anton Chuvakin [2], former research vice president and distinguished analyst at Gartner, and now head of security solution strategy at Google’s Chronicle.

The problem of triaging alerts effectively and accurately, which is the only way to maximise security efficiency, goes beyond employing one or two expert analysts. Without specialist and costly additional arrangements such as shift rotas or on-call cover, one or two analysts working office hours cover only five days out of seven, and probably nothing overnight.

Security products are improving, but our ability to use them is not

While it is true that some of the major cybercriminal gangs observe weekends and holidays for their own staff, the majority do not. Indeed, many attackers time the detonation of embedded malware or the launch of an attack specifically for when security staff are likely to be away from their desks: weekends, public holidays and overnight. Given that many attacks come from Russia and China, the time zone differences make this easy.

The result is that while security analysts wade through vast numbers of alerts, most of them false positives, during their working day, the serious attacks are more likely to arrive after they have left their desks.

The simple reality is that while security products are getting better at detecting potential problems, they are not good at separating serious issues from ordinary changes in operational behaviour, and companies do not have the time or resources to do this manually. Because of this, simply buying more security products is likely to make the problem worse rather than better: each new product is another source of alerts that nobody has time to triage.

The result is a conundrum. Security products are getting better, but our ability to use them efficiently is not. Throwing money at the problem by buying new products without an overall strategy and understanding can simply make things worse, and be very costly.

The MSSP solution 

There is a potential solution for companies that recognise this scenario -- outsourcing security to a specialist managed security service provider (MSSP), ideally one that offers a Managed SIEM (security information and event management).

There are several arguments for taking this approach. They primarily distil into three major benefits: improved security, reduced costs, and the freedom to concentrate on running a business rather than worrying about security and compliance.

Improved security is provided by a team of full-time professional cyber experts who understand the issues and the security market, with access to extensive UK and global threat intelligence. Using sandboxing technologies, they can detonate suspicious files and links in an isolated environment and observe their behaviour before anything reaches a production system. They know which products suit which threats, how to integrate different products with neither waste nor gaps, and, importantly, how to use those products to best effect. And they can ensure 24/7 protection rather than 9 to 5, Monday to Friday coverage.

In security planning terms, use of an MSSP provides a seamless move from reactive and inefficient tactical security to proactive and more efficient strategic security.

Cost savings come in several ways. There are no staff recruitment and training costs: the MSSP already employs and retains the analysts. There is no overspend on unnecessary or inefficient security products. And you switch from unpredictable capital and hiring costs to a predictable ongoing operational cost.

Just as importantly, however, outsourcing security to third party experts lets businesses focus on what they do best -- business.

To discuss your cyber security provision contact one of our Cyber Security Consultants by emailing [email protected].

Sources:
[1] https://finconf.news/2020/08/31/5-biggest-gdpr-fines-2020/
[2] https://www.darkreading.com/threat-intelligence/the-uphill-battle-of-triaging-alerts-/a/d-id/133623