So, you have decided that you are not comfortable with the level of security visibility and threat detection that you have on your network and servers. Maybe you had a ransomware attack, or you are becoming more concerned with the huge number of attacks going on around the world. You know that without a threat detection solution, most activity on your servers and network is happening under the radar and no one is watching. Dormant malware could be sitting in your environment already, quietly waiting to launch an attack. There are many solutions out there, so how do you pick the best and most cost-effective solution for your environment?
Traditionally, the answer would be that you need a SIEM (Security Information and Event Management) solution. A SIEM is a set of systems that receives system logs and data flows from your servers, endpoints, network gear and applications. It sifts through this mountain of data, correlates events across the different data sources, and looks for signs of an attack.
Of course, putting in a SIEM is not a full solution on its own; you need a team that monitors it (usually 24/7), triages alerts, and continually tunes out false positives and noise. This team is usually referred to as a SOC (Security Operations Center), and its job is to watch for alerts in real time, validate each alert, and then provide remediation and threat intelligence information on it. Once the SOC has a suspicious event, it needs to be investigated by a security incident response team, who will determine what is happening, why it is happening, and whether a security response is required or the activity is normal and expected. Unless you are a large company, it is probably more cost-effective to outsource the tool and the effort than to run a SIEM and SOC internally. We will come back to the incident response team later.
As you can probably guess, this is an expensive solution and perhaps difficult to justify for most businesses. There are also a few downsides to a SIEM solution. This setup needs careful management by your IT team. If you are not collecting the correct logs or you miss setting up the log forwarding on a system, you may end up with gaps in your security visibility. Also, depending on the SIEM and how it is implemented, you may not be able to automate some responses to events. That said, if you have significant regulatory requirements, are a government entity, or store sensitive data, you probably will have a SIEM.
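The visibility gap described above (a host whose log forwarding was never set up, or has silently stopped) is easy to detect if you reconcile your asset inventory against what the SIEM is actually receiving. The following is an added example, not code from the original post or any product; the inventory, the per-host last-seen timestamps and the host names are all constructed, and in practice the last-seen data would come from your SIEM's own source listing.

```python
from datetime import datetime, timedelta

# Constructed asset inventory: every host that is supposed to forward logs.
INVENTORY = {"web-01", "web-02", "db-01", "fw-edge", "jump-01"}

# Constructed SIEM view: newest event timestamp per host that has ever reported.
# jump-01 is absent on purpose: forwarding was never configured for it.
LAST_SEEN = {
    "web-01": "2024-05-01T10:58:00+00:00",
    "web-02": "2024-05-01T09:00:00+00:00",
    "db-01": "2024-04-28T23:15:00+00:00",    # went quiet days ago
    "fw-edge": "2024-05-01T10:59:30+00:00",
    "lab-box-7": "2024-05-01T10:50:00+00:00",  # reporting but not in inventory
}

def find_gaps(inventory, last_seen, now, stale_after=timedelta(hours=1)):
    """Reconcile inventory against SIEM sources.

    Returns (missing, stale, unknown):
      missing - inventory hosts that have never sent a single event
      stale   - inventory hosts whose newest event is older than stale_after
                (mapped to the age of that event)
      unknown - hosts sending logs that are not in the inventory at all
    """
    missing = sorted(h for h in inventory if h not in last_seen)
    unknown = sorted(h for h in last_seen if h not in inventory)
    stale = {}
    for host in sorted(inventory & set(last_seen)):
        age = now - datetime.fromisoformat(last_seen[host])
        if age > stale_after:
            stale[host] = age
    return missing, stale, unknown

def gap_report(now_iso, inventory=INVENTORY, last_seen=LAST_SEEN, stale_hours=1):
    """Plain-data summary suitable for a ticket or a dashboard check."""
    now = datetime.fromisoformat(now_iso)
    missing, stale, unknown = find_gaps(
        inventory, last_seen, now, timedelta(hours=stale_hours))
    return {
        "missing": missing,
        "stale": {h: round(a.total_seconds() / 3600, 2) for h, a in stale.items()},
        "unknown": unknown,
    }

if __name__ == "__main__":
    for kind, hosts in gap_report("2024-05-01T11:00:00+00:00").items():
        print(f"{kind}: {hosts}")
```

The "unknown" bucket is worth keeping: a system that forwards logs but is missing from the inventory is an inventory problem you would otherwise never see.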
In the last few years, you’ve probably been hearing more about Detection and Response solutions like MDR (Managed Detection and Response), XDR (Extended Detection and Response), NDR (Network Detection and Response), or EDR (Endpoint Detection and Response). For simplicity, I will refer to all of these as XDR. These solutions put an agent on the servers and endpoints that filters the events on the system and sends the relevant information to a central system, which correlates those events. Some solutions include an inline or out-of-band network sensor (NDR) that watches for suspicious events in your network traffic. In many cases, you can integrate your cloud services, email, and firewalls into this monitoring and correlation as well.
One of the nice things with XDR-type solutions is there are often simple methods to respond to security incidents and even automate some responses without needing a separate SOAR (Security Orchestration, Automation and Response) system. XDR solutions can also offer additional features like vulnerability reporting that can act as a partial vulnerability management solution. You can get email filtering for malware and spam and URL filtering and monitoring as well. Staff can often get up to speed quickly with XDR solutions and, in a matter of hours, be doing forensic investigations and threat hunting.
It will not always be an either-or discussion with SIEM and XDR. You may decide that both are appropriate to properly protect your business. XDR solutions can also feed data into the SIEM in that case.
So, what factors should you consider when selecting a solution?
1) Do you need to have a SIEM/SOC solution or will an XDR solution be sufficient? Do you need both? What compliance requirements do you need to satisfy? What budget is available?
2) Do you have staff with the appropriate skills and expertise to select the right system, design and implement as well as set up the processes to respond to alerts and conduct investigations into those alerts?
3) If you put in a SIEM/SOC solution or an XDR solution, you need an incident response team whose sole job is to perform that function. There will be events that regularly need investigation and the majority of the time, these will not be attacks, but they still need to be investigated. Does your IT team have the time and the skills to do this? Should you set up an independent team for this work?
4) What tools do you already have in place? Is there an ability to upgrade the tools you already have or add components that will get you to an XDR solution? This can be a quick way to get there with the smallest requirement for new security dollars.
5) Can the solution replace other technologies such as a single agent for vulnerability detection, antimalware, file integrity monitoring and virtual patching as well as threat detection and reporting? Does it make sense to look at all of this together when looking at your cybersecurity detection strategy? Is there an opportunity for technology consolidation?
6) What coverage will you get from the solution? Will you have visibility into all your devices including endpoints, servers, firewalls, routers, and appliance-type systems? What about application-level intrusions?
7) What is your cloud strategy and how will a solution mesh with IaaS and SaaS implementations and plans?
8) Will the solution be offsite or SaaS? Getting hit with ransomware is bad enough but having your forensic systems encrypted as well can add a lot of time to your recovery.
9) How long do you need to be able to go back for an investigation? Is 90 days enough or do you need to keep records for years? Make sure you will have the data to cover compliance and investigation requirements.
10) Can the team you have effectively manage the solution or is it better to outsource part or all of the effort?
These questions will not always be easy to answer. There are a lot of different products and services with varying features, which also makes them hard to compare. Where there is an expertise shortage within your organization, you can look to IT security specialists like Compugen to help select and implement a suitable protection strategy for your business. If you need help navigating network security for your infrastructure, you can reach out to us and we’ll be happy to discuss your requirements.