Information Security Program Primer
The following provides answers to frequently asked questions about information security automation and threat management services.
Why should I care about security automation?
Organizations face increased pressure to manage operational costs while maintaining uninterrupted service.
Keeping up with rapidly changing, and increasingly severe, security threats is overwhelming IT resources. The risk of business disruption, loss of sensitive information and intellectual property, and loss of critical infrastructure is increasing, and with it the risk to the organization's financial position, reputation, and customer retention.
Effective information security automation enables you to leverage limited resources cost-effectively while balancing operational risk management, IT security, and threat response.
What is a Threat Management Service?
An effective threat management service, such as that provided by OneStone, begins with 24×7 monitoring and management of internal and external threats to your organization’s network environment.
The service collects log data from network, system and application sources, aggregates and normalizes it, and then applies correlation and threat analysis to detect anomalous behaviour patterns, threats and attacks. These are the events that cause data loss, privacy and compliance breaches, service outages, and other business impacts on critical data, applications, operating systems and network devices (e.g. routers, firewalls).
When a threat event is detected, at any time of the day or night, the threat management program must enable your organization to respond. The validity of the event needs to be confirmed, and key IT, security and management personnel in your organization need to be alerted, whether through the service interface, e-mail, or other means. The event details need to be immediately available so your team can act to remediate and manage the threat. Further, a fully managed service model through a provider such as Seccuris will initiate action in collaboration with your team to triage and remediate the event and its impact on your systems and business. Under a managed service model you have expert resources responding on your behalf and working with you to mitigate the risk as quickly and efficiently as possible.
The Threat Management service should also provide a comprehensive, real-time security management workflow to support security incident initiation, tracking, escalation and monitoring from threat event detection through remediation to closure, with practitioner-level support tools and summary reporting for management.
An effective Threat Management service provides extensive and easy-to-read details and summaries of threat event activity to support event remediation. The program should also provide comprehensive reporting for management review and to demonstrate effective controls for compliance.
How is using a Threat Monitoring service better than what we are doing in-house today?
An effective threat management service provides the following benefits:
- Simplified event log management & analysis: Many organizations run too many disparate event logging systems (network, system, business application) that collect information in an uncorrelated manner. When an event (threat or data loss) occurs, it is difficult if not impossible to determine from the logs of these separate systems the overall impact of the event: its business relevance, the degree of impact, and the level of response required.
- Workflow & event response prioritization: The lack of a coordinated security event management workflow across traditional in-house logging and monitoring systems makes it difficult to prioritize and coordinate a response to the business-impacting issues generated by a threat event.
- Advanced correlation capabilities: One of the greatest challenges of maintaining a security event logging system is quickly and easily determining which events are potentially harmful to your systems and business. An effective Threat Management service uses correlation rules customized and tuned to the customer's environment to filter out irrelevant events, and to identify and alert on threat events and related issues that can impact the business, so that security analysts and your staff focus on incidents rather than raw data.
- Scalable services to augment your capabilities and enterprise: Effective Threat Management services provide program options for enterprises of all sizes, based on their operating model and level of sophistication. The service should offer a self-service option that equips the organization with a strong security tool set augmented by 24×7 threat monitoring, a service portal and alerting services, with access to remediation support and customization services. It should also offer fully managed services to outsource specialized functions of the organization's IT/security team: enhanced threat event analysis, proactive tailored daily threat intelligence and triage support, and complete incident handling and forensic services when required.
- Access to skilled 24×7 response capability, on call or as part of a managed service: In-house monitoring and incident response is costly to develop and maintain and requires specialized skill sets and training. Maintaining even a basic monitoring capability on a 24×7 basis requires a minimum of 5 people in the smallest of organizations.
- Effective handling of security incidents, which can critically damage the organization, during and after business hours is a major challenge for most organizations. Few organizations are able to equip their IT and security teams with the incident response knowledge, tools and staffing needed for around-the-clock coverage. Even when staff are available, few organizations have the skills and experience to triage and remediate threats effectively and completely.
- Detailed and specialized analysis and reporting: The ability to analyze events and incidents and generate detailed, consolidated reporting that demonstrates overall security control and compliance is also lacking where diverse, unconnected event logging systems are in use.
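The log aggregation, normalization and correlation pipeline described under "What is a Threat Management Service?" and the tuned correlation in the "Advanced correlation capabilities" bullet above can be shown concretely. The following is an added illustration written for this page; it is not OneStone or Seccuris code and does not describe their product internals. It normalizes three differently formatted sources (a key=value firewall log, Linux sshd syslog, and a JSON web-application audit log) into one schema, drops events from a source that has been tuned out as known noise, and then runs a single cross-source rule: several failed logins followed by a successful login from the same source address within a short window. All log lines, hostnames and IP addresses are constructed for the example, the syslog year is assumed because classic syslog omits it, and the tuned-out address 10.0.0.200 is a hypothetical internal vulnerability scanner.

```python
"""Added example: normalize heterogeneous log lines into one schema and correlate them."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real data). Hostnames and IPs are hypothetical.
SAMPLE_LOGS = [
    'ts=2024-05-01T09:00:01Z src=203.0.113.7 dst=10.0.0.5 dport=22 action=deny',
    'ts=2024-05-01T09:00:02Z src=203.0.113.7 dst=10.0.0.5 dport=23 action=deny',
    'May  1 09:00:10 bastion sshd[4321]: Failed password for admin from 203.0.113.7 port 51234 ssh2',
    'May  1 09:00:12 bastion sshd[4321]: Failed password for admin from 203.0.113.7 port 51235 ssh2',
    'May  1 09:00:15 bastion sshd[4321]: Failed password for admin from 203.0.113.7 port 51236 ssh2',
    'May  1 09:00:20 bastion sshd[4322]: Accepted password for admin from 203.0.113.7 port 51240 ssh2',
    '{"time":"2024-05-01T09:00:30Z","user":"alice","src":"198.51.100.9","event":"login","result":"failure"}',
    '{"time":"2024-05-01T09:00:31Z","user":"alice","src":"198.51.100.9","event":"login","result":"success"}',
    'ts=2024-05-01T09:05:00Z src=10.0.0.200 dst=10.0.0.5 dport=443 action=deny',
]

SYSLOG_RE = re.compile(
    r'^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+) port \d+'
)
SYSLOG_YEAR = 2024  # assumption: classic syslog omits the year; a real collector takes it from receive time

# Assumption: an internal vulnerability scanner whose firewall denies are expected noise (tuning).
TUNED_OUT_SOURCES = {'10.0.0.200'}


def parse_iso(s):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(s.replace('Z', '+00:00'))


def normalize(line):
    """Map one raw line from any of the three sources onto a common schema; None if unparsed."""
    line = line.strip()
    if line.startswith('{'):  # JSON web-application audit log
        d = json.loads(line)
        if d.get('event') != 'login':
            return None
        return {'ts': parse_iso(d['time']), 'source': 'webapp', 'src': d['src'],
                'user': d.get('user'), 'outcome': d['result'], 'raw': line}
    if line.startswith('ts='):  # key=value firewall log
        kv = dict(part.split('=', 1) for part in line.split())
        return {'ts': parse_iso(kv['ts']), 'source': 'firewall', 'src': kv['src'], 'user': None,
                'outcome': 'deny' if kv.get('action') == 'deny' else 'allow', 'raw': line}
    m = SYSLOG_RE.match(line)  # Linux sshd syslog
    if m:
        stamp = f"{SYSLOG_YEAR} {m['mon']} {int(m['day']):02d} {m['time']}"
        ts = datetime.strptime(stamp, '%Y %b %d %H:%M:%S').replace(tzinfo=timezone.utc)
        return {'ts': ts, 'source': 'sshd', 'src': m['src'], 'user': m['user'],
                'outcome': 'success' if m['result'] == 'Accepted' else 'failure', 'raw': line}
    return None


def correlate(lines, threshold=3, window=timedelta(seconds=60)):
    """Alert on >= threshold failed logins then a success from one source within the window.

    Failures are counted per source address regardless of user, so password spraying
    across accounts is caught as well. Firewall denies from the same address are not
    counted as failures but are attached to the alert as context.
    """
    events = [e for e in (normalize(l) for l in lines) if e]
    events = [e for e in events if e['src'] not in TUNED_OUT_SOURCES]  # tuned-out noise
    by_src = defaultdict(list)
    for e in events:
        by_src[e['src']].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e['ts'])
        for i, e in enumerate(evs):
            if e['outcome'] != 'success':
                continue
            failures = [f for f in evs[:i]
                        if f['outcome'] == 'failure' and e['ts'] - f['ts'] <= window]
            if len(failures) >= threshold:
                denies = sum(1 for f in evs if f['source'] == 'firewall' and f['outcome'] == 'deny')
                alerts.append({'rule': 'brute_force_then_success', 'src': src, 'user': e['user'],
                               'failures': len(failures), 'firewall_denies': denies,
                               'first_seen': failures[0]['ts'].isoformat(),
                               'success_at': e['ts'].isoformat(),
                               'sources': sorted({f['source'] for f in failures} | {e['source']})})
    return alerts


if __name__ == '__main__':
    for alert in correlate(SAMPLE_LOGS):
        print(json.dumps(alert))
```

On the constructed input this yields one alert: 203.0.113.7 fails three times against sshd and then succeeds within ten seconds, and the two earlier firewall denies from the same address are attached as context. The single failure from 198.51.100.9 stays below the threshold and the scanner's denies are discarded before correlation, which is the "focus on incidents, not data" point of the bullet above.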
Who in my company would make use of this? Are we solving an internal client issue?
The information provided by OneStone focuses on incidents actually impacting the business, supporting effective risk-based decision making at all levels of the organization, based on accurate real-time information about the organization's current security posture and exposure to the external environment.
- For executives this means a top-down view of the organization’s information security risk exposure and how it affects their business objectives, and critical information assets.
- For information security managers it provides an operational view of the status of security incidents; the organization’s current security posture; and enables more effective decisions for planning security operations and executing day-to-day activities.
- For information security analysts and IT practitioners it provides an advanced toolset (including state-of-the-art correlation algorithms, security information event management, and workflow applications) for identifying and correlating threat events, prioritizing and responding to incidents, managing vulnerabilities, and supporting daily security operations.
What about all the security “stuff” we already have?
A Threat Management service, such as that provided by OneStone, does not replace the important functionality provided by your current security devices (firewalls, IDS/IPS, applications) or the support of your IT/security staff. Instead it augments their protective functions by monitoring, correlating and analyzing the event traffic generated by and through these devices for anomalies and advanced threat activity. The service equips your IT and security staff with an advanced toolset for prioritizing, responding to and remediating threat incidents, and for supporting and improving the overall management of daily information security operations.
An effective Threat Management service, such as OneStone, also integrates all of your different incident detection toolsets into a single view. Standard third-party devices, such as firewalls, intrusion detection/prevention systems, network flow sources, and applications, can be easily integrated into the service. Custom applications and systems can also be integrated so that events are analyzed and correlated across the organization regardless of the originating system. OneStone lets you maximize the benefit of the diverse systems you have already invested in; there is no need to replace them to use the service.