Why network data is key to a successful Security Operations Centre
Article by ExtraHop Asia Pacific vice president Albert Kuo
Every step you take, they’ll be watching you… In the digital computing era, the strength of your cybersecurity posture will increasingly be determined by your team’s ability to analyse and utilise network data in real time.
Are you over the whole business of organising data within your enterprise?
It’s become a perennial challenge for Australian ICT leaders in 2020, as a myriad of systems and solutions continue to generate mountains of the stuff to sort, store and secure.
It’s a particularly tricky matter for those charged with protecting the networks and company and customer data upon which businesses and organisations are now deeply and inexorably reliant.
Cloud and mobile computing have made the traditional, perimeter-based cybersecurity model, once de rigueur in all enterprises of size, increasingly ineffective.
Solutions designed to throw a cordon around an in-house data centre and on-premises users provide a poor defence against the vastly expanded attack surface these powerful and transformative technologies have created.
That’s why the Security Operations Centre (SOC) now sits at the heart of the high-tech protection framework in a growing number of Australian enterprises.
Its role is to aggregate and analyse Security Information and Event Management (SIEM) logs, agent data from endpoint detection and response solutions, and network data from network detection and response solutions.
With comprehensive visibility into network communications, endpoints and events, a well-ordered SOC can help enterprises identify and neutralise threats before material damage or disruption occurs.
Garbage in, garbage out
The operative words, of course, are well ordered.
At present, many of the SOCs we see are anything but.
Some are awash with data and receive thousands of alerts a day; the overwhelming majority of them false alarms.
Others don’t have automatic and instant access to network data, despite the fact it’s widely viewed as the most stable and reliable source of threat insights.
Instead, long-standing data siloing practices result in network data making its way to the SOC by way of the Network Operations Centre (NOC), very often after a long lag.
The good news is, Network Detection and Response (NDR) software can put paid to the visibility gap this lag creates and fortify defences significantly as a result.
Having a platform which can collect, decrypt and analyse network data in real time means security professionals can use the insights it contains to inform, augment and automate responses to threats as they emerge, not after the fact.
NDR tools can also be used to extend visibility beyond the traditional enterprise network and into the cloud, providing a single point from which to observe activity across all these environments.
That’s a boon for security teams who would otherwise have yet another silo of data with which to grapple.
Real and rising danger
Why does it matter?
Because, quite simply, cyber-attack and data compromise have become the biggest threat to growth for Australian business in the 2020s.
Sound like high-tech hyperbole?
In fact, it’s the consensus view of the Australian CEOs polled by PwC for its Global CEO Survey 2018.
Local organisations which have been unlucky enough to experience a cyber incident firsthand may well have the bill to prove it, and it’s unlikely to be a trifling one.
Norton research suggests mid-sized enterprises are out of pocket by an average of $1.9 million post-attack.
Depending on the nature of the incident, the total cost can be significantly more.
Listed valuation company Landmark White was estimated to be as much as $8 million in the red after two widely publicised cyber-attacks in early 2019 resulted in the breach of some 170,000 data sets.
Better information equals better results
In 2020, data-driven decision making is fast becoming the modus operandi in almost every area of business operation, and the network security function is no exception.
Ensuring the SOC is provisioned with the data it needs to facilitate rapid and rigorous responses to threats is likely to become a more urgent imperative for Australian enterprises, as they ramp up their efforts to repel the ever-present threat posed by cyber adversaries.
Against this backdrop, detection technologies which break down unnecessary data silos and enable security teams to attain a fuller view of the network are likely to prove a very prudent investment.