The True Cost of Continuous Monitoring & Incident Response
Perhaps you’re evaluating Security Information and Event Management (SIEM) solutions and Security Operations Center (SOC) services. These are required under a framework of cybersecurity best practices – for example, any of the following:
- Center for Internet Security (CIS) Critical Security Controls Version 8,
- U.S. National Institute of Standards and Technology Cybersecurity Framework for Critical Infrastructure Protection (NIST CSF), or
- International Organization for Standardization and the International Electrotechnical Commission Information Security Management Systems standard (ISO/IEC 27001).
There are some big-name providers out there that have huge sales and marketing budgets and offer very attractive solution pricing. The only thing is … these are not very effective solutions, and they will end up costing you much more in the long run. Allow me to explain.
SIEM technology aggregates audit log sources from your enterprise I.T. components (e.g., firewalls, network infrastructure, servers, endpoints, cloud, Web, SaaS, etc.) and runs correlation rules (or applies A.I. methods) to spot indicators of compromise (IOCs) for response and remediation. SIEMs include such providers as Splunk, IBM QRadar, AT&T Cybersecurity USM Anywhere, LogRhythm, Sumo Logic, Exabeam, Microsoft Azure Sentinel, and others. There are also eXtensible Detection and Response (XDR) solutions – which are similar to SIEMs – but we will leave those for another blog post.
Utilizing one of these platforms to provide continuous monitoring is half of the picture. The other half is having an expert team to deploy, configure, optimize, manage, maintain, and monitor the solution. How well you do all of these activities really tells how effective the overall solution will be.
Note that some companies such as <DELETED> and <REDACTED> utilize their own proprietary technology – for example, based on Elasticsearch, Logstash, Kibana (ELK) stack – to collect and process log data. These solutions may or may not be highly rated overall by a source such as Gartner or Forrester. I encourage you to do your own research on these.
In addition to utilizing their own SIEM technology, these providers claim to offer “concierge” level SOC monitoring. However, the reality is that they often do not perform much triaging and analysis at all, but rather just forward all of the alarms generated by the SIEM platform. This is a one-size-fits-all approach. There is no real tailoring of the playbook for the customer’s business mission and function. This can also lead to “alert fatigue.”
Contrast this with Abacode’s approach:
- Operating a world-class SOC with ISO 9001-validated processes for onboarding, baselining, and customizing an incident response escalation protocol for clients.
- Hiring mature, experienced staff who are more data scientists than analysts. Our typical SOC analysts have a master’s degree in cybersecurity and several years of I.T. and I.T. security work under their belt.
- Enriching and enhancing the alarms coming from the SIEM/XDR platform with our own analysis and open-source intelligence (OSINT) tools to provide superior remediation advice.
- Providing only relevant, actionable information – rather than superfluous, redundant, or false-positive information.
- Engaging with the client throughout the incident lifecycle to ensure that there is root-cause and security architecture analysis to get to the heart of the problem and correct it.
- Incorporating SIEM/SOC monitoring into a comprehensive program of continuous cybersecurity & compliance that includes formal governance, policies, risk analysis, training, vulnerability management, etc.
From working with large-scale enterprise I.T. services providers, we find that they love Abacode as a partner because we take this approach instead of “just throwing everything over the wall and letting them sort it out.”
An example: our managed services partner was fielding 600+ escalated alarms per month for a credit card processing company, and the end customer was incurring a huge bill for help desk and remediation services. Not only that, but the MSP was seeing tickets pile up without remediation in a timely manner. Once they engaged with Abacode, that stream went from 600 per month down to about 60 per month – an order of magnitude decrease – and arguably, the security margin went way up, because now the incident response was focused only on the important things.
During our client Executive Business Reviews (EBRs), among other things, Abacode provides statistics and analysis of the number of alarms generated and those escalated for response and remediation. I took a sampling of 20 of our SIEM/SOC clients across multiple industries and organization sizes – ranging from 250 users up to 25,000 – and found that Abacode escalates an average of 1.6 alarms of every 100 alarms generated by the SIEM (thanks to the reduction of false positives and known non-threats achieved by our analysts).
What are the implications of this from an I.T. operations standpoint?
Let’s say that an escalation takes approximately two hours to manage by the I.T. staff. This estimate may be conservative, but in general must include all of the following:
- Create help desk ticket,
- Troubleshoot the issue,
- Apply the remediation (account reset, security patch, configuration, etc.),
- Regression test, and
- Close the ticket.
If you are looking at a solution such as <DELETED> or <REDACTED> which tend to escalate everything coming out of the SIEM, that is two hours x 100 escalations = 200 hours to remediate. At a labor rate of $30/hour (also a conservative estimate), that is a total of $6,000.
Contrast this with two hours x 1.6 escalations = 3.2 hours x $30/hour = $96, a savings of $5,904 per 100 alarms. Given that many of Abacode’s enterprise clients generate 100 or more alarms per day, $5,904 equates to an annual savings in the millions of dollars.
The reality is that organizations are not able to keep up with that volume of alarms. In Aesop’s Fable of the Boy Who Cried Wolf, the lad who kept calling for help ultimately got none when he needed it because the townsfolk were inured to his pleas. Similarly, the I.T. team (either in-house or outsourced) who must respond to escalations will quickly become jaded if they’re always drinking from a firehose of superfluousness.
The result is that when an actual incident occurs, no one is really there to respond in a timely manner. That’s when we see bad things happen – ransomware, data theft, and financial loss potentially in the millions of dollars.
Given that March 2023 was a record month for ransomware, with an increase of 91% from the previous month and 62% compared to March 2022, here’s something you might want to ask your potential provider: How many of your clients have experienced a successful ransomware attack resulting in financial loss under your watch in the past year?
If that provider is honest (or even keeps such statistics), you may be shocked to learn that this number could be quite high for some of the “big box” providers. We know this, because Abacode has been called multiple times to do forensic investigation and cleanup for companies under the watch of these other providers.
So, now when you get a “great deal” on a SIEM/SOC solution with the promise of “concierge” level services, please be aware what you are really getting. Do the math in your head: what does that $3,000/month service buy me?
- Is it just allowing you to “check a box,” or is it really addressing I.T. security risk?
- Does it really solve your problem? Is it effective?
- Are you just pushing more of a burden onto the I.T. team?
Now that you are equipped with the knowledge to make a more informed decision on SIEM/SOC, I encourage you to shop around, and when you’re ready for best value and world-class support, please reach out to firstname.lastname@example.org.