Cybersecurity logging and monitoring or Managed Detection and Response is not just a compliance requirement.
Cybersecurity logging and monitoring/Managed Detection & Response is not just a compliance requirement. It’s an essential mechanism to save your business from cyber disasters.
Certification and compliance deliver information that then has to be operationalised. Security is a people, process, data and technology problem. The threats are real, and attacks are occurring at an increasingly alarming rate. The only true measure that stops these threat actors is the effective operationalisation of controls and processes, and effective detection and response should be your cornerstone.
With increasing compliance obligations, and the desire across organisations in Australia and New Zealand to gain certification against security standards such as ISO 27001, the requirements for effective logging and monitoring (detection and response) can sometimes be mistaken for a tick-the-box exercise. This needs critical evaluation and assessment. It is great to implement a risk management program to understand and treat your cyber risks; however, risk management and compliance management programs are multi-year journeys that cannot quickly eliminate your weaknesses. The reality is that you must walk and chew gum: begin your program by all means, but work fast to implement essential controls that protect you during the gap that exists while you improve your maturity through risk and compliance management.
In my experience speaking to organisations that have experienced a data breach, ransomware, or similar, the one thing the majority of them failed to have in place, and would change if they could go back in time, is an effective and proactive incident prevention and incident response capability. Tooling to detect, people to respond.
This is a foundational and essential capability. If we accept that eliminating threats is impossible even in a highly mature organisation, then in immature organisations the challenge is even greater. Being able to quickly detect and contain a threat in the early stages of an attack can be the difference between a catastrophic, costly breach and simply another security incident that was contained and eradicated before major damage was done.
Cyber threat actors use technology to breach organisations. Without technology underpinning your security, operationalised by security experts who are armed with effective processes to use that technology and respond, your organisation is in a losing battle against cybercrime.
Imagine a threat actor targeting your CRM today. You have a policy around the usage of the CRM. How does this stop a threat actor from using technological means to compromise the database? It does not. Imagine you have taken it one step further: you have a SIEM, or some other security control, generating high-fidelity alarms. How does the alarm stop the attacker? It does not. They are there, and now you know about it.
The problem requires technology that is effective and tailored to the environment and risk at hand, together with security analysts, engineers and incident responders who investigate alarms, tune out false positives, and act while the activity is still at a low level, stopping the threat before it materialises. Building such a capability internally is next to impossible without millions of dollars of annual investment in a SOC. You need to invest in tools, but technology is only a means of delivering information; it requires tuning and ongoing review to assess its effectiveness. The other element is the people: the frontline security operations centre specialists who analyse exactly what is going on in your environment and take action where required.
I understand your certification journey, the business benefits it can generate, and the strategic direction it requires, because security is risk management at the end of the day. But technology has almost become a dirty word: there are so many vendors, there are so many solutions. So which path do you go down, certification or detection and response? Trick question. You need a holistic approach that includes both.
I’m not trying to sell you technology, nor am I trying to push you towards avoiding governance. What is needed is a holistic approach: governance to drive strategic objectives and manage risk at the core, metrics to support it, engineering, detection and response to operationalise your security against the real threats targeting you today, and testing to identify the gaps.
Let’s start looking at security as a whole, people, process, data and technology, and set aside our biases and preconceptions about security. Let’s keep your data in your hands, and out of the hands of those who would use it for malicious gain.
Visit our Managed Detection and Response Service for more information. Speak to our security consultants on how we can protect your organisation 24/7 throughout the year.