At F-Secure we firmly believe in a holistic approach to cyber security. We call it Live Security: a combination of technology and human expertise. Because you can’t improve your cyber security operations without the smartest cyber security talent. And you can’t scale that cyber security know-how without smart software.
Of all the challenges that organizations face while building up their breach detection and response capabilities, nothing really compares to the difficulties of trying to hire and retain cyber security experts. It is estimated that, right now, there are at least two open cyber security jobs for every one person working in the field. And this problem is expected to become even more acute in the future.
Meanwhile, the only way you’re going to get valid or actionable data from an in-house solution such as an SIEM (security information and event management) system is by having experts on staff. Let’s illustrate it with a recent real-world example from one of our Rapid Detection Service customers. In a 1300-node customer installation, our sensors collected around 2 billion events over a period of one month. Raw data analysis in our back end systems filtered that number down to 900,000 suspicious events. Our detection mechanisms and data analytics then narrowed that number to 25 detections. Finally, those 25 events were further analyzed and confirmed by our threat analysts as anomalies. They contacted our customer and 15 out of the 25 were verified and confirmed by the customer to be real threats. In comparison, if our customer would have chosen to go with an in-house SIEM solution, their own staff or outsourced resources would have had to comb through those 900,000 suspicious events in order to screen out the noise and false positives to finally discover the real threats. Laborious jobs like that can cause fatigue in even the most diligent of analysts, not to mention the need for the 24×7 availability of such a team.
From the example above, the following presentation elaborates on one of the biggest reasons why your organization should consider a managed security service instead of an in-house SIEM deployment for breach detection and response: cost, cost, cost!
Building in-house breach detection and response capabilities is difficult. When chosen right, your managed detection and response service provider actually become your cyber security partner: its capabilities become an extension of your own. That’s why we recommend that you consider a managed service over the DIY approach. Even more importantly, both approaches are not necessarily mutually exclusive. For many organizations that have invested in an SIEM solution (for various reasons), a managed detection and response service like ours provides an additional layer of security that easily integrates with (via processes and APIs) and augments the existing security infrastructure so that SIEM systems can be used for log management, and managed service for breach detection and response. The key message here is, if you are looking to build detection and response capabilities with an SIEM or on top of your existing SIEM, you might want to consider a managed detection and response service as a better alternative.