The world of cybersecurity has had some fundamental shifts in the past several years that have made the vast majority of companies unprepared for today's threats. The extensive use of malware, for example, has dramatically reduced the value of traditional security solutions, such as firewalls, IDS/IPS, and anti-virus software. These solutions that used to adequately prevent attacks are now very limited in their risk mitigation value. Many organizations have not updated their cybersecurity technology and solutions to stop today's threats. It's like monitoring your front door for a break in while someone comes in through the back window.
Even companies that have taken cybersecurity seriously have not always been led the right way by cybersecurity vendors. In the past, an organization who was serious about cybersecurity was told that they needed 24x7x365 monitoring - paying for really smart cybersecurity professionals to watch the alerts and events as they happen in real-time so they could respond at a moment's notice to malicious events.
But legacy technologies have relied mostly on human review, not machine intelligence. A common metric for a traditional Managed Security Service Providers (MSSP's) is to have a security engineer for every 30 devices under management. In the U.S., the average cybersecurity professional makes $116,000/year. This means the cost to monitor a single device is $322/month, forcing traditional MSSP's to charge between $500 and $1500/device/month to be profitable. Does this sound like your MSSP?
At those rates most customers can only afford for a few devices to be monitored; usually the firewall, IDS/IPS, and possibly a Windows domain controller. When asked why they don't need to monitor more devices, these MSSP's would state "As long as you are monitoring the choke points, you are safe."
Using the home security system analogy, imagine being told that monitoring the front and back doors are enough and then having your child kidnapped through a bedroom window. No choke point only security system would detect that, allowing the worst-case scenario to happen without your system even tripping. Home security systems relied upon a few choke points because it was very expensive to run wires to the whole home (especially after it was already built). However today many home security systems use wireless technology which has made it possible to place multiple sensors throughout the house without the use of wires. This makes the cost of securing the entire home from multiple threats much less expensive.
Thankfully, IT cybersecurity has evolved as well. Automated correlation and analytics from a properly deployed, configured, and tuned Security Information and Event Management (SIEM) solution has the ability to increase the ratio of devices per cybersecurity professional exponentially. Today, SIEM technology can quickly and efficiently find the "needle in a haystack" with far less human interaction. This dramatically reduces the number of cybersecurity professionals needed for a traditional Security Operation Center (SOC) which means a lower cost per device for customers. With a lower cost to monitor each device, we can now monitor more devices. Rather than just monitoring choke points, we can monitor all of the windows, doors, and rooms; which is really what was needed from the beginning.
When all of the critical devices are being monitored and correlated, you can now stitch together pieces of information across different systems and areas of the network to give you a much more accurate picture of what is happening. In other words, the more devices that you monitor, the more accurate the monitoring becomes and, therefore, the better economies of scale can be achieved.
So, what should a customer monitor? It's still a good idea to monitor the firewall and IDS, but we need to go beyond that and focus on today's threats. Routers, servers (especially Active Directory servers), wireless access points, and endpoint security solutions should all be monitored. With current SIEM technology, you can monitor all of these systems for about the same price as you used to be able to monitor just the firewall and IDS/IPS.
Monitoring only choke points and smaller areas of a network will not protect your organization from today's threats. Cybersecurity monitoring is more important than ever, but real risk mitigation comes with a holistic approach to monitoring all of the possible security events from every possible device. Stop only monitoring your front door for a break-in and assuming that your business is safe... because your back window is open.
Contact Technology Sales at 806-698-9600 or email firstname.lastname@example.org if you want to improve your Cybersecurity Monitoring and Response solution AND lower the annual cost.