Threats are growing more hostile. Budgets are tight. Skills are at a premium. And business imperatives like mobility, social media, web applications and big data can pose risks as well as inefficiencies if they’re not properly managed.
Our distinctive managed service is built around a fundamentally different approach that is redefining what managed security services are. Our approach is unique in the industry: a product-agnostic methodology that weaves our SOC into the fabric of our clients' IT security organization by managing and monitoring our clients' existing network and endpoint security controls rather than requiring an overhaul of existing infrastructure.
If you wouldn't choose a plumber based on the wrench she uses, then why would you choose an MSSP based on its SIEM technology? We believe in creating a better way for our clients. That better way has redefined the managed services model at Brier & Thorn. Through our managed services, our clients are able to integrate our SOC into their IT organization, allowing our engineers to take over the management and monitoring of already deployed network and endpoint security controls — from UTM devices on the edge and core to anti-malware agents running on every endpoint. To this end, our team also believes that managed security services shouldn't stop at monitoring, but should also include a robust vulnerability management program with quarterly vulnerability scanning and annual penetration testing.
We believe that the technology already deployed on our clients' networks is effective at treating our clients' risk, but that it is simply not being given the level of care and feeding needed to ensure events are analyzed and responded to effectively. Where senior security engineers are in short supply and come at a premium, leveraging our SOC analysts to augment internal resources provides full 24x7x365 monitoring and response coverage. By leveraging our SOC capabilities, our clients achieve a new level of IT risk management centered around the management and monitoring of existing controls, which do not have to be replaced by proprietary technology from the MSSP. As an extension of our clients' internal staff, our SOC takes over management and control of vulnerability management tools, configures devices for central log monitoring, and works with internal teams on the remediation of vulnerabilities identified in penetration tests and vulnerability scans.
Where there is no monitoring solution in place, whether that’s a lack of a central log management server or Security Information and Event Management (SIEM) solution, our team will review the requirements our clients have for such a solution, identify what log event types are in place currently, and make the appropriate recommendation to our clients for a SIEM solution that meets their requirements.
In this paper, we explore the deficiencies in what we refer to as the traditional managed services model, where companies bring their own SIEM solution to monitor their customers' networks while turning a blind eye to the other security controls.
With an endless emergence of new threats and company resources under constant pressure, it can be difficult to balance all of the strategic and operational tasks required for an effective ISMS. Network Intrusion Detection System and Intrusion Prevention System (IDS/IPS) devices can provide a highly effective layer of security designed to protect critical assets from cyber threats. But we don't believe network security monitoring should stop at IDS/IPS. Other logs and security events, which have historically gone ignored, provide additional visibility into the enterprise.
As information security becomes more important and more complex for enterprises of every size, business model and industry, IT organizations are confronting strategic decisions on how best to secure their companies' most vital assets. Whether it's customer records, confidential employee information, intellectual property or ensuring the ability to pass the next compliance audit, IT decision makers are grappling with how best to resource this vital set of functions.
Although working with managed service providers and outsourcing firms has been standard practice for IT organizations for many years, IT decision-makers have only recently started to work more aggressively with specialized service providers for information security. These days, it's common practice for companies to evaluate the benefits of hiring these firms as opposed to managing security tasks internally.
As with most devices on the network, whether intrusion detection, firewalls, or other security controls, their detection capabilities must be continuously tuned and improved over time as new threats are identified. Our managed services offering provides clients coverage of two tactical areas of their operational security program:
Additional services can be requested, including annual risk assessments, internal audits, and ISMS program development.
Ask any network administrator how security technologies help, and she’ll discuss avoiding the threats. This is the traditional paradigm of computer security, born out of a computer science mentality: figure out what the threats are, and build technologies to avoid them. The conceit is that technologies can somehow “solve” computer security, and the end result is a security program that becomes an expense and a barrier to business.
Security is not a technology problem; it's a people problem. There is no computer security product that acts as magical security dust, imbuing a network with the property of "secure." It's not the way business works.
Businesses manage risks; network security is just one. More security isn't always better. You could improve the security of a bank by strip-searching everyone who walks through the front door. But if you did this, you would have no business. What businesses are looking for is adequate security at a reasonable cost. It's the same for the Internet – security that allows a company to offer new services, to expand into new markets, and to attract and retain new customers. And the particular computer security solutions they choose depend on who they are and what they are doing.
Network security is an arms race, and the attackers have all the advantages. First, the defender has to defend against every possible attack, while the attacker only has to find one weakness. Second, the immense complexity of modern networks makes them impossible to properly secure. And third, skilled attackers can encapsulate their attacks in software, allowing people with no skill to use them. It’s no wonder CIOs can’t keep up with the threat.
What’s amazing is that no one else can either. Computer security is a 40-year-old discipline; every year there’s new research, new technologies, new products, even new laws. And every year things get worse. If there’s anything computer security professionals have learned about the Internet, it’s that security is relative. What’s secure today may be insecure tomorrow. Even companies like Microsoft can get hacked, badly. The way forward is not more products, but better processes and human analytic rigor. We have to stop looking for the magic preventive technology that will avoid the threats, and embrace processes that will help us manage the risks.
Real-world security includes prevention, detection, and response. If the prevention mechanisms were perfect, you wouldn’t need detection and response. But no prevention mechanism is perfect. This is especially true for computer networks. All software products have security bugs, most network devices are misconfigured, and users make all sorts of mistakes. Without detection and response, the prevention mechanisms only have limited value. Detection and response are not only more cost effective but also more effective than piling on more prevention. On the Internet, this translates to monitoring.
Network security monitoring is real security. It doesn't matter how the attacker gets in, or what she is doing. If there are enough motion sensors, electric eyes, and pressure plates in your house, you'll catch the burglar regardless of how she got in. If you are monitoring your network carefully enough, you'll catch a hacker regardless of what vulnerability she exploited to gain access. And if you can respond quickly and effectively, you can repel the attacker before she does any damage. Good detection and response can make up for imperfect prevention. No bank ever says: "Our safe is so good, we don't need an alarm system." Detection and response are how we get security in the real world, and they're the only way we can possibly get security on the Internet. CIOs must invest in network monitoring services if they are to properly manage the risks associated with their network infrastructure.
Network monitoring implies a series of sensors in and around the network. Every firewall produces a continuous stream of audit messages. So does every router and server. IDSs send messages when they notice something. Every other security product generates alarms in some way. But these sensors by themselves do not offer security. You have to assume that the attacker is in full possession of the specifications for these sensors, is well aware of their deficiencies, and has tailored her attack accordingly. She may even have passwords that let her masquerade as a legitimate user. Only another human has a chance of detecting some anomalous behavior that gives her away.
The first step is intelligent alert. Network attacks can be subtle, and much depends on context. Software can filter the tens of terabytes of audit information a medium-sized network can generate in a day, but software is too easy for an attacker to fool.
Intelligent alert requires people to:
By itself, an alert is only marginally useful. More important is to know how to respond. This is the second step of good network monitoring. Software can only provide generic information; real understanding requires experts. Finally, the response must be integrated with organizational business needs.
Our clients' network devices produce terabytes, even petabytes, of audit information daily. Automatic search tools sift through that data looking for telltale signs of attacks. Our SOC analysts examine those telltales, understand what they mean in broader context and determine how to respond. To make network monitoring work, people are needed every step of the way. Software doesn't think, doesn't question, doesn't adapt. Without people, computer security software is just a static defense. Marry software with experts, and you have a whole different level of security. You have Brier & Thorn. The key to a successful detection and response system is vigilance: attacks can happen at any time of the day and any day of the year. While it is possible for companies to build detection and response services for their own networks, it's rarely cost-effective. Staffing for security expertise 24 hours a day and 365 days a year requires five full-time employees; more, if you include supervisors and backup personnel with more specialized skills. Even if an organization could find the budget for all of these people, it would be very difficult to hire them in today's job market. Retaining them would be even harder: attacks against a single organization don't happen often enough to keep a team of this caliber engaged and interested.
Monitoring should be the first step in any network security plan. It's something that a network administrator can do today to provide immediate value. Policy analysis and vulnerability assessments take time, and don't actually improve a network's security until they're acted upon. Installing security products improves security, but only if they are installed correctly and in the right places. Monitoring ensures that security products are providing the type of security they were intended to provide. Monitoring's best value is when a network is in flux – as all large networks always are – due to internal and external factors. Monitoring provides our clients immediate security in a way that neither a vulnerability assessment nor dropping a firewall into a network can ever provide. Monitoring provides our clients dynamic security in a way that yet another security product can never provide. And as security products are added into a network – firewalls, IDSs, specialized security devices – monitoring, and thus visibility, only gets better.
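The monitoring model described above, as an added illustration that is not Brier & Thorn's own tooling: audit lines from several sensors (firewall, IDS, server auth log) are normalised, grouped by source, filtered for a telltale (a port sweep) and escalated when the same source later logs in successfully. The sensor names, log formats and IP addresses are constructed for the example; every alert carries its raw supporting lines so an analyst can judge it in context rather than trusting the software's verdict.

```python
import re
from collections import defaultdict

# Constructed sample audit stream (not real client data): one sensor name per line.
SAMPLE_LOGS = """\
fw 2024-05-01T02:14:01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
fw 2024-05-01T02:14:02 DENY src=203.0.113.7 dst=10.0.0.5 dport=23
fw 2024-05-01T02:14:02 DENY src=203.0.113.7 dst=10.0.0.5 dport=445
ids 2024-05-01T02:14:05 ALERT sig=port-scan src=203.0.113.7 dst=10.0.0.5
auth 2024-05-01T02:15:30 sshd Accepted password for admin from 203.0.113.7
fw 2024-05-01T03:00:00 DENY src=198.51.100.9 dst=10.0.0.5 dport=22
auth 2024-05-01T08:30:00 sshd Accepted password for alice from 192.0.2.44
"""

PATTERNS = {  # one regex per sensor; each yields the source IP plus what the sensor saw
    "fw":   re.compile(r"DENY src=(\S+) dst=\S+ dport=(\d+)"),
    "ids":  re.compile(r"ALERT sig=(\S+) src=(\S+)"),
    "auth": re.compile(r"sshd (Accepted|Failed) password for (\S+) from (\S+)"),
}

def parse(line):
    """Normalise one audit line to a dict, or None if it is not a known telltale."""
    parts = line.split(" ", 2)
    m = PATTERNS[parts[0]].search(parts[2]) if len(parts) == 3 and parts[0] in PATTERNS else None
    if not m:
        return None
    if parts[0] == "fw":
        return {"ts": parts[1], "src": m[1], "kind": "deny", "detail": m[2], "raw": line}
    if parts[0] == "ids":
        return {"ts": parts[1], "src": m[2], "kind": "ids", "detail": m[1], "raw": line}
    return {"ts": parts[1], "src": m[3], "kind": m[1].lower(), "detail": m[2], "raw": line}

def correlate(log_text):
    """Group events by source; a scan telltale alerts, 'high' if that source then logs in."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev:
            by_src[ev["src"]].append(ev)
    alerts = []
    for src, events in sorted(by_src.items()):
        ports = {e["detail"] for e in events if e["kind"] == "deny"}
        scanned = len(ports) >= 3 or any(e["kind"] == "ids" for e in events)
        logged_in = any(e["kind"] == "accepted" for e in events)
        if scanned:
            alerts.append({"src": src, "severity": "high" if logged_in else "low",
                           "context": [e["raw"] for e in events]})  # raw lines for the analyst
    return alerts
```

A single denied connection (198.51.100.9) or a lone successful login (192.0.2.44) produces no alert; only the source that swept ports and then authenticated is escalated, and the analyst still decides whether that login was legitimate.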
Our SOCs give our clients a window into their security. Monitoring is the feedback loop that makes all the other network security activities more effective. It’s how we partner with our clients to determine where to install security controls, and whether or not they’re effective. It’s how our clients know if their security devices are configured correctly. It’s how our clients ensure that their security doesn’t degrade over time. The downside of being in a highly connected network is that we are all connected with the best and worst of society. Security products will not “solve” the problems of internet security, any more than they “solve” the security problems in the real world. The best we can do is to manage the risks: employ technological and procedural mitigation while at the same time allowing businesses to thrive.
Computer security equals vigilance — a day-to-day process. It’s been thousands of years, and the world still isn’t a safe place. And no matter how fast technology advances, alarms and security services are still state-of-the-art. The key to effective security is human intervention and analytic rigor. Automatic security is necessarily flawed. Smart attackers bypass the security, and new attacks fool products. People are needed to recognize, and respond to, new attacks and new threats. It’s a simple matter of regaining a balance of power: human minds are the attackers, so human minds need to be the defenders as well. Network security monitoring combines people, processes, and products to create a security environment for the chaos of modern business networks. The reality of today’s internet makes network security monitoring the most cost-effective way to provide resilient security.
In the real world, this kind of expertise is always outsourced. It’s the only cost-effective way to satisfy the requirements. Aside from the aggregation of expertise, a network security monitoring service has other economies of scale. It can more easily hire and train its personnel, simply because it needs more of them. And it can build an infrastructure to support them. Vigilant monitoring means keeping up to date on new vulnerabilities, new hacker tools, new security products, and new software releases.
We share our clients’ ambitions working to understand their reality and deliver true results – focusing on strategic decisions and practical actions. We align our incentives with our clients’ objectives so they know we’re in this together as a closely-held partnership.
Brier & Thorn has been retained by Badger Meter for 24x7x365 Network Security Monitoring services of its BEACON SaaS platform and global enterprise.
Connecture has retained Brier & Thorn for a multiyear agreement to monitor and manage its network and endpoint security controls to protect its healthcare exchange marketplaces across the US.