
SecOps optimisation: breaking down insurmountable roadblocks into a manageable, strategic approach

When it comes to cyber security, most organisations are facing the same challenges regardless of the specific industry or their position within it. Ongoing shortages in cyber skills mean that populating internal IT teams has become increasingly difficult or – with the significant salary gap between the public and private sectors – prohibitively expensive. The proliferation of licenses and solutions from multiple vendors has led to a veritable Frankenstein’s monster of security controls across estates that many organisations have little visibility into. All the while, the increasingly diverse ways in which people are working continue to increase the potential attack surfaces that businesses must wrestle with, and therefore the risks present.

Faced with all this, it can be easy to feel despondent or, worse, be tempted to look the other way and simply hope for the best. However, by breaking down the challenges in front of you into simple, manageable tasks, it’s possible to begin to make changes that come with immediate results, while also moving forward on your journey towards cyber security best practice. It’s true that none of us will ever have enough money or staff to create the ‘dream’ security architecture – cyber security is an area of compromises and doing the best with the resources available to you. The first step is to accept this as fact, and build it into your long-term planning.

With this in mind, visibility is an ideal place to start. Even with all the resources in the world, without good visibility into exactly who, what, where, when, and how users and devices are connecting to the network, organisations can’t hope to protect their networks, data centres, and cloud estates. It is surprisingly common for even major companies to be unable to identify and monitor exactly what is connecting to their networks. Without this visibility, networks can’t be effectively protected, and are left open to crypto-mining attacks, APTs, monitoring tools, and low-level exploitation and exfiltration of data. Tools such as Microsoft’s Entra ID, Cisco ISE and/or Secure Workload, among other third-party options, will allow you to identify these connections – including those more commonly overlooked, like Internet of Things devices – and begin to build a picture of what normal workflows look like. Once you have this, you can more easily identify Indicators of Compromise (IoCs) that fall outside of behavioural norms, and respond to them.

Once you’re able to reliably detect a threat to your organisation, the next step is to ensure that you have the tools and ability to respond effectively; this will be the difference between a close call and a major crisis for your organisation. Knowing this is one thing, of course, but without the people or money to monitor every security control, how can an organisation achieve an effective response? This is the time to take a step back and really consider your existing architecture, and how it has evolved over time. You need to follow the thread of each security control, from identity to endpoint, to web proxy, firewalls, User and Entity Behaviour Analysis (UEBA), etc. Take the time to understand exactly how well the controls integrate, share threat intelligence, and contribute towards a coordinated response to threats. Consider the integrations that exist between enforcement and information controls, and how they interact with a unified policy control or decision point. If the conclusion you come to is that – simply – they don’t, then it’s time to look at how you can begin to automate some amount of noise mitigation on the alerts you receive, so that your team can focus its efforts on more serious concerns.
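The two ideas in the preceding paragraphs, building a baseline of who/what/where/when connects and then collapsing repeated deviations so the team only sees distinct alerts, are shown below as an added example. It is not ITGL's code nor an export format of any tool named above; the connection records, users and device names are constructed.

```python
from collections import Counter, defaultdict

# Constructed baseline: (user, device, destination, hour) tuples as a
# visibility tool might export them over a "known good" observation window.
BASELINE = [
    ("alice", "laptop-01", "fileserver", 9), ("alice", "laptop-01", "fileserver", 10),
    ("alice", "laptop-01", "mail", 9), ("bob", "laptop-02", "mail", 8),
    ("bob", "laptop-02", "crm", 11),
    ("cam-07", "cam-07", "nvr", 2), ("cam-07", "cam-07", "nvr", 14),  # IoT camera
]

def build_baseline(records):
    """Profile each (user, device) pair: destinations seen and hours active."""
    profile = defaultdict(lambda: {"dests": set(), "hours": set()})
    for user, device, dest, hour in records:
        profile[(user, device)]["dests"].add(dest)
        profile[(user, device)]["hours"].add(hour)
    return profile

def score_event(profile, event):
    """Return the reasons an event deviates from baseline; empty list = normal."""
    user, device, dest, hour = event
    key = (user, device)
    if key not in profile:
        return ["unknown user/device pairing"]
    reasons = []
    if dest not in profile[key]["dests"]:
        reasons.append(f"new destination {dest}")
    if hour not in profile[key]["hours"]:
        reasons.append(f"unusual hour {hour:02d}:00")
    return reasons

def triage(profile, events):
    """Noise mitigation: fold identical deviations from the same user/device into
    one alert carrying a count, highest count first, so repeats don't flood the queue."""
    counts = Counter()
    for event in events:
        reasons = score_event(profile, event)
        if reasons:
            counts[(event[0], event[1], tuple(reasons))] += 1
    alerts = [(user, device, reasons, n) for (user, device, reasons), n in counts.items()]
    return sorted(alerts, key=lambda a: -a[3])

# Constructed new observations: one normal event, a camera repeatedly talking
# to a destination it never used before, and a device pairing never seen at all.
NEW_EVENTS = ([("alice", "laptop-01", "fileserver", 10)]
              + [("cam-07", "cam-07", "ext-host", 2)] * 4
              + [("mallory", "laptop-99", "fileserver", 3)])

if __name__ == "__main__":
    for alert in triage(build_baseline(BASELINE), NEW_EVENTS):
        print(alert)
```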

When you have tools that work together, a picture of what ‘normal’ looks like on your network, and the visibility to monitor it, you still need to actually respond to threats. Naturally, developing an in-house SOC is beyond the reach of the vast majority of organisations. However, the fact remains that access to up-to-date threat intelligence and the skills to respond to a breach are essential. As a result, many organisations choose to opt for third-party MDR services that can benefit from the architecture they already have in place. These are services that will go beyond simply monitoring your network and notifying you when you are under attack, instead having complete visibility of your estate and the power provided by predetermined policies to act on your behalf. With the right approach, such services can allow your organisation to respond to threats and thwart bad actors before any significant damage occurs. Having said that, selecting the correct partner is essential to ensure the success of these services. It’s important to find one that you are able to trust, and that is able and willing to spend the time required to get to know your organisation, network, and critical assets, so that they’re able to work as an extension of your team when the time comes.

Cyber security is always a balance between the cost of security and the value of the assets you’re protecting, but in order to even begin that balancing act, you first have to have a clear understanding of the capabilities of your existing investments. Failure to do so can lead to unnecessary investments into solutions with capabilities that overlap with those currently lying unused within your existing estate. Microsoft offers a wealth of features to help you to understand what’s in your network and apply controls to protect them, while Cisco is driving the push for greater visibility capabilities, not only in terms of on-premises with ISE, but also in the cloud and even across third-party networks and SaaS providers.

Working with a partner to sort through your existing licenses can be an excellent first step in identifying potential value that has been left unrealised, whether due to lack of time, knowledge, expertise, or a combination thereof. Once you know you’re using your existing investments to their full potential, a gap analysis and revisiting a security maturity assessment can identify where your security is still falling short, allowing you to make investments in the confidence that you’re only spending money where it will make a difference. What’s more, once you’ve broken down the security challenges into these identifiable blocks, you can more easily translate them into an understandable, digestible long-term security strategy that can be presented to your leadership team, to clearly get across your goals and the tangible differences these investments will make.

So, how can ITGL help? Our experts are well-versed in carrying out scoping exercises within organisations to review the maturity of their security operations, providing them with a maturity score and identifiable areas of development and improvement. Download our guide to get more information on our Security Maturity Assessment, or get in touch with our team at security@itgl.com to arrange an initial meeting where we can get to know your needs and circumstances.

Published by Peter Jones

October 15, 2024