How to run a top-level security operation without breaking the bank

With over 20 years’ experience defining strategies for security products and technologies and helping organisations recover and learn from cyberattacks, Sam Humphries, Security Strategist at Exabeam, knows what it takes to build a security battle squad. In this interview, she debunks the assumption that increased capabilities have to equate to increased cost, offering advice on how to make use of automation, techniques to select the right tool for the task, and why you need to focus on people and processes.

Natasha: In the wake of Covid-19, security teams are facing an increasing number of challenges to battle but feeling the budget pinch. How do you think they can approach the task of building a top-level security battle squad around those limitations?

Sam: You really need that combination of people, processes and technology to make it work. If you miss one piece of the triangle, then it all falls apart.

Your threat model should underpin everything and it’s going to be different for each organisation. You also need to know what data you’ve got, what people you have and how interesting you look as a target.

Start with that. Look at what you have today: the people on your operations team, the technology available and your current processes.

It’s always a good idea to take a look at where you are losing the most time. Time is never on the side of a security operations team, so this is a good place to try and tighten up.

It’s also an area where your current stack may be able to help. It’s common for an organisation to buy a piece of technology but not always use it to the best of its capabilities. It might be because it hasn’t been set up right or there are new features that nobody has bothered to look at.

Before you go spend any more money, have a look at what is available to you and how that aligns back to your threat model.

Natasha: It’s definitely a common theme we see with a lot of security leaders, to have a wealth of tools in the stack but to rarely be using the full capabilities of each.

Sam: It’s so common. And shelf-ware is even worse. If you buy stuff and don’t use it at all, you’re literally throwing money at the wall.

Before you go after new technology, you need to look at what you have in-house first.

A lot of the things in your current stack will also talk to each other. That’s another thing that gets missed out quite a lot. Integrations can really help with value. The sum of the parts really is greater than the whole.

If you have a channel partner, they can also be super powerful at helping you understand what you have available, what you can plug in to which bit and where you can gain efficiencies.

Natasha: Is that what we need to do to pave the way for future investment: show value in the tools already in the stack?

Sam: It depends on what you’ve got. I’m definitely not saying to go out and buy everything because that can cause so much pain.

Some organisations will have a SIEM in place. SIEMs were necessary to bring together disparate data across the network. But in many cases, all they did was centralise the information. That doesn’t necessarily solve a problem. You might have all of the data, but it takes a lot of time to go through it.

At Exabeam, we really add value by sitting on top of that data to help people make sense of it all. We go through the data, automate a lot of the analysis and bring up the most important things. Taking an educated guess about what is going to be important doesn’t always give you the focus you need and you can end up chasing your tail.

If you’re on a budget, then time ultimately equals money. And in security, lost time equals risk.

That’s the real challenge: how do you bring down risk without spending money on every single security product in existence and only setting up 10% of the abilities?

Natasha: When the market for security tools is so diverse, it definitely seems like a difficult task to make a choice about what to use.

Sam: If you’re a security operations leader looking to solve the next problem on your list, half of the challenge is figuring out where to start with everything available. Everyone is going to tell you they have the nirvana to your problem. But if you keep going back to that threat model, this can guide every decision that you make.

Technology has moved on a lot over time and what we are working with now is very different to what was available five to ten years ago. That said, if you can’t use that information in conjunction with other tools and information around the network, it’s really hard to work out what is happening.

Even now, we see dwell times of weeks and weeks for many organisations. And that’s if you find it. If someone else finds it for you, then it’s been happening a lot longer.

You need to be able to spot things early and focus on the right things based on the riskiest activities for your own environment. That’s hard to do if you’re combing log files.

Natasha: So, where do you think security operations leaders need to focus their efforts?

Sam: Look at what Mick Jenkins has done with his team at Brunel University. They had a clear focus and strategy to understand what technology they needed and how they wanted to wrap their process around this.

Where I see things go wrong is when people say they want to change something, so they get a new piece of technology and they just try to cram it into exactly what they were doing before and expect something different to happen.

The guys over at Brunel are a really good example of deciding what your problem is, understanding who you need help from to fix it and then building the whole programme around that.

It means that your people have interesting work, they’re not wasting time chasing down things which aren’t important and they’re focusing efforts on the riskiest activities.

From a security point of view, that has to be what you do. You need to focus time on the things which are going to impact your business the most.

Join Sam and Mick for an exclusive webinar to deep dive into how Brunel improved their security capabilities and system without breaking the bank. Find out how this team were able to punch above their weight with automation, smart investments and a process overhaul. Sign up now to watch the session on-demand.