There are two types of Small to Midsize Businesses (SMB) in today’s world: those who know they have been breached, and those who do not. The difference between these types of SMBs is related to how soon the SMB can detect a breach and how effectively they can respond. 

Most SMBs need an effective Security Operation Center (SOC) to provide the information necessary for SMBs to rapidly detect threats before they become widespread breaches. While eliminating the threats that SMBs face is an impossible goal, reducing the time it takes to respond and contain a breach is achievable by focusing on the detection, response, and containment for a breach. However, historically, most SMB’s have thought of a SOC as a large investment.. a room full of highly trained (expensive) cybersecurity experts. This is due to the fact that many SMB looked to the most secured and advanced organizations (large financial institutions, large telecommunications operators, and military organizations) as role models for establishing their security posture. While these large organizations are a great place to pull best practices from, it is impossible for most SMBs to build to that level of protection and defense. However, when considering just the foundational capabilities, they are quite basic. Securing an SMB’s IT ecosystem consists of answering a few basic questions around operational security controls: Do I have the correct staff mix?

• What assets do I have to protect? 
• Which of my assets are vulnerable to attack? 
• How are people attacking my assets? 
• How will I know if a breach has occurred? 
• What actions are going to have the most impact on my security posture?

1: Do I have the correct staff mix? Many SMBs choose to build their SOCs with in-house resources, bringing together existing security functions and providing formal training programs. Others opt for a hybrid mix of in-house and external resources. The best option for you, depends on the available in-house resources, your budget, and the urgency of the threats you face. 

• Is anyone from IT ready to step up to the plate as a security-only player? 
• How many security folks will be a part of the SOC?
• What is the hiring plan and budget?
• What is the total annual security budget? 
• Can we pull budget from IT or other departments to support implementing the SOC?
• Do you have an MSSP (managed security service provider)? 
• Might you need the expertise of a security contractor for support?

2: What Assets Do I Have to Protect? Having a complete picture of your assets and the services that operate in your IT ecosystem is critical to prioritizing the efforts to respond to attacks and contain breaches.

• What systems are critical to the ongoing function of your company? 
• Which systems are critical to the day-to-day tasks? 
• What other systems do those critical systems rely on? 
• Which systems manage and store sensitive information?

3: Which of My Assets Are Vulnerable to Attack? It is important to understand where your weaknesses are. When responding to an attack or breach, understanding how your organization may be exploited is a critical factor in prioritization. 

• How are the services that I have running, configured? 
• How can they be accessed? 
• Do any of them have known vulnerabilities that an attacker may be able to exploit?

4: How are people attacking my assets? Due to the wild west nature of the Internet, there is not a single one of us who is not being attacked. Attackers are constantly scanning the Internet blindly attacking any and all systems they can find. Every single one of us is constantly being attacked; understanding the nature, target, and sophistication of those attacks is critical when prioritizing our security efforts. 

• Is anyone attacking my IT ecosystem? 

• What techniques are hackers employing when trying to compromise my IT ecosystem? 
• Where are those attacks coming from?

5: How will I know if a breach has occurred? Not all breaches are avoidable. Our efforts to make an impenetrable IT ecosystem will never be enough to close all attack vectors. Attackers know this and will always use this to their advantage. To ensure that the advantage they gain from this is as minimal as possible, it is important for us to detect a breach as quickly as possible. Understanding the behavior of our systems and monitoring that behavior for indications that a breach may have occurred, is essential to an efficient response. 

• If I do not detect the attack how will I know an asset is compromised? 
• If an asset is compromised how can I address it before the breach expands?

6: What actions are going to have the most impact on my security posture? When deployed at scale, the essential operational security controls described to provide asset discovery, vulnerability assessment, threat detection, and behavioral monitoring, produce a vast amount of data. The comprehension and prioritization of that data needs to be automated in order for decisions to be made within a reasonable time frame. In addition, it is important for the data that is produced to be evaluated in conjunction with the data from the other security controls. Evaluation of each stream of data independently will lead to poor prioritization of efforts. Without having an understanding of what services that host provides or what attacks the host is being targeted with, it is hard to say whether it is more important to patch the vulnerability or to remove the malware just found on another server. 

• What do I do first? 
• What data should I analyze today? 
• Should I stop a recently observed attack or try and contain a newly discovered breach?

Deployment of the Essential Capabilities Security organizations are faced with a difficult challenge—if a major breach occurs it will be their fault regardless of the support the organization has provided the security team before that date. The capabilities described above are essential for a security team to prevent breaches from occurring or containing breaches before they become a major problem. However, security teams are often given little political or logistical support within an organization. Business concerns such as budget, and resource allocation often take priority over proactive security. Given this limitation, security teams must be as efficient as possible while establishing a Security Operations Center. In order to get a complete picture and comprehensive prioritization, the People, Processes and Technology will need to work together to achieve the essential capabilities to detect and respond to a breach before it spreads throughout your IT ecosystem. 

The questions discussed in this blog are the essential enablers for an SMB to figure out effectively and efficiently how to respond to threats and contain breaches. Without having visibility into the actual threats facing your IT ecosystem, money will be inefficiently spent on compensating controls that might not have any impact. It is important for organizations to realistically evaluate how money is being spent and critically ask whether there is data from their own environment that substantiates the spend on these projects. Establishing a security operation center, whether it is developed in house, outsourced through a MSSP or a hybrid model, establishing the People, Processes and Technology used to detect breaches and coordinate the appropriate response, is the first step to long term, cost-effective, management of risk.

Contact Us

For a free Security Operations readiness review

Source: AlienVault