The world of cybersecurity has had some fundamental shifts in the past few years that have made the vast majority of companies unprepared for today’s threats. The proliferated use of malware, for example, has dramatically reduced the intrinsic value of traditional security solutions, such as firewalls, IDS/IPS, and anti-virus software. These solutions that used to adequately prevent attacks are now very limited in their risk mitigation value. Most organizations have not updated their cybersecurity technology and solutions to stop today’s threats. It’s like monitoring your front door for a break in while someone comes in through the back window.
Even companies that have taken cybersecurity seriously have not always been led the right way by cybersecurity companies. Five, ten, and even fifteen years ago, organizations that wanted to take the threats seriously were told that they needed 24x7x365 monitoring - paying for really smart cybersecurity professionals to watch the alerts and events as they happen in real-time so that they may be able to respond at a moment’s notice to malicious events. But legacy technologies that used to monitor devices relied mostly on human review, not machine intelligence. A common metric for traditional MSSPs is a single security engineer for every 30 devices under management. In the U.S., the average cybersecurity professional makes $116,000/year. That means that the cost to monitor a single device is $322/month, forcing traditional MSSPs to charge between $500 and $1500/device/month. Of course, at those rates, most companies can only pay for 1 or 2 devices to be monitored - the firewall and IDS/IPS. When asked why they don’t need to monitor more devices, they would talk about a home security system that only has motion detectors near the front door and “choke points” within the home eliminating the need to monitor every room, door, and window: “As long as you are monitoring the choke points, you are safe,” they would say. So, while it is expensive to monitor just a couple of devices, as long as we place those devices in the choke points of the network, you are safe. This was adequate 5+ years ago but this is not enough for today.
Imagine being sold the idea that choke points are enough and then having your daughter kidnapped through a bedroom window. No choke point security system would detect that, allowing the worst case scenario to happen without your security system even tripping. Home security systems relied upon a few choke points in the home because it was very expensive to run wires to every area of the home (especially after it was already built). Today, if you look for a home security system, wireless technology has made it possible to place multiple sensors throughout the house without the use of wires. This makes the cost of securing the entire home from multiple threats much more cost effective than the traditional use of wired systems. Now, if you talk to home security specialists, they will tell you about all of the advantages of a system that can monitor every window, every door, and every room for multiple threats like motion, water, carbon monoxide, and fire - all because the technology finally allows them to do this cost effectively.
The same evolution has happened with cybersecurity. Cost prohibitive cybersecurity professionals with a 30 to 1 cost ratio was always going to require organizations to rely on choke points. Thankfully, technology has evolved, as well. Automated correlation and analytics from a properly deployed, configured, and tuned Security Information and Event Management (SIEM) technology has the ability to increase the ratio of devices per cybersecurity professional exponentially. With the old technology, there was very little normalization, correlation, and threat feed integration to accurately detect malicious behavior. Cybersecurity professionals would need to troll through event after event and alert after alert, looking for a needle in a haystack. Today, SIEM technology can quickly and efficiently find those needles with far less human interaction. This dramatically reduces the number of cybersecurity professionals needed for a traditional Security Operation Center (SOC) which means a lower cost per device for organizations. With a lower cost to monitor each device, we can now monitor more devices. Rather than just monitoring choke points, we can monitor all of the windows, doors, and rooms; which is really what was needed, all along.
When all of the critical devices are being monitored and correlated, you can stitch together bits of information across different systems and areas of the network to give you a much more accurate picture of what is happening. In other words, the more devices that you monitor, the more accurate the monitoring becomes and, therefore, the better economies of scale can be achieved.
So, what should an organization monitor? Certainly it is a good idea to monitor the firewall and IDS, but we need to go beyond that and focus on today’s threats. Routers, servers (especially active directory servers), and wireless access points should all be monitored. With current SIEM technology you can monitor all of these systems for about the same price as you used to be able to monitor just the firewall and IDS/IPS.
Unfortunately, most legacy MSSPs have gotten addicted to charging clients $500 to $1500/device/month and are unable to change their cost models without dramatically hurting their revenue. Therefore, they continue to try to convince organizations that their prices are fair and competitive. Yet, this is quickly crumbling under more and more professionals and organizations realizing that a holistic approach to monitoring is required for true risk mitigation and, therefore, lower prices are the only way to achieve that.
Monitoring choke points and limited devices or smaller areas of a network will not protect your organization from today’s threats. Monitoring is more important than ever, but real risk mitigation comes with a holistic and cost effective approach to monitoring all of the possible security events from every possible device. Stop only monitoring your front door for a break in and assuming that your business is safe… your back window is open. To find out more, visit us at.