A few years ago, a SIEM (security information and event management) was always looked at as something only the ‘big boys’, or those with money, could ever operate. Today, however, it's increasingly clear that if you have enough IP or collateral to make you a target, a SIEM is your first line of threat intelligence. A variety of flavours are available, like ArcSight, Splunk and QRadar, that allow analysts to watch for known threats looking to gain a foothold, but also for unknown behaviours that might not otherwise be spotted until it's too late. In all instances, a good SIEM should be backed up by seasoned security people who know how to use it and who are not afraid to throw new data at it: all your network logs, server logs, workstation logs, even your building HVAC system; in short, anything that's plugged in and consumes electrons.
Threat Intelligence specialist companies
Today, as cyber security becomes such a hot topic, many companies are investing in 3rd party intelligence services that are compiled from the internet. Sources include all sorts of publicly available forums, groups and communications channels, but also the hidden, invite-only ones on the dark net that take time and sophisticated social engineering to penetrate. Social media monitoring, hacktivist campaigns, user channels, lesser known hacker hangouts: it's a real and proper business model built upon cold war spy tactics. Hackers and hacker groups are notorious for proving themselves and fighting amongst themselves. Generally, though, the fights that erupt into the public domain are more of the script kiddie variety, wannabes who are not state sponsored or purely dedicated to this cause or that.
The existing threat intelligence companies have cornered the market, but new ones appear every week or so with a new toolset or a new take on threat intelligence. Generally the larger, more established companies have a larger dataset to call upon, spanning years of historical data, which can aid them in pointing to a specific group or individual, or to a specific indicator of the nearest possibly identified group of threat actors. However, the prices charged for feeds can be quite high, higher than most companies can afford; fortunately there are a number of open source community feeds available and a number of low cost feeds that can supplement your intelligence thirst.
First, however, do you really need all that data? Believe me when I say that threat intelligence collection is a black hole. If you are looking to collect data about your network, your users, their activity and their behaviour, on a semi-large network of 1000+ users you can expect to be collecting a LOT of data per month.
- Add in all the data from devices like switches, routers, printers, IoT devices, HVAC systems, Wi-Fi APs, firewalls, servers etc., and add another 500GB.
- Then add in your communications traffic, access logs, email data, VoIP data, door entry data and file access systems, and there you can add another 500GB.
So you're in for about 1TB of raw data per month. From here you'll want to scale this down so that the total ingested amount has been cleaned and sanitised of data that's pure chatter and unrelated events.
Pump it into your SIEM and you're good to go!
The hard work comes next, when you want to take this internal data and match suspicious activities against public sources to verify that it is in fact dangerous and needs to be blocked, quarantined or side-lined for analysis. But why would you want to take an email attachment and submit it to VirusTotal when services like Mimecast and Cyren do this for you? Or, if you have an extended network with a lot of transient users, how do you monitor them and their activities and then analyse their actions as being safe or unsafe? How do you gather and analyse all the data from thousands of IP addresses, correlate this with users and their activities, and then spit out something meaningful in less than a second?
Sure, you can have your own SIEM as well as your own security teams, but now think about the cost.
A CISO is going to cost you over £80k, then a senior security engineer another £60k at least, then a few analysts at £30-40k, and before you know it your security budget for the staff bottom line has just peaked over £250k per year. That doesn't include training, nor does it include application licensing for your SIEM tool-set; add that to your total and before you know it you're looking at some serious numbers that any CISO is going to have to squint real hard at.
There are solutions, however: a layered defence, a mixture of end user training to reduce the vulnerabilities, using 3rd party services like Darktrace with Antigena to help with rapid detection and action, and services like F-Secure's Radar and RDS will also help. Generally, however, the cost of IT security is high no matter where you place it, in-house or outsourced. The choice that you might have had 10 years ago of IBM, Cisco, BT or BAE has now been diluted by the new upcoming breed of cyber security oriented companies who have some real world experience and have applied this to protect their clients from the bad guys out there.
Organisations like Softwerx have a long history of servicing and protecting their clients, yet they do not shout it from the rooftops, nor do they advertise in mainstream media, but they are just as effective as the big guys when it comes to cyber security. Remember, larger organisations led by sales focused management are looking at numbers, usually on their side of the balance sheet, whereas an engineering led company would be preferable in cyber security, as they are looking for the solution that works and fits the client best rather than appeasing their sales pipeline or fulfilling their sales quota for the month. We've all had experience of the big guys' failure to understand the client's needs and reach; it's like trying to fit a square peg in a round hole. Big guys have big hammers; the rest choose the right shaped hole to begin with!