Let’s address the elephants in the room.
SIEMs, EDRs, SOCs and MSSPs.
The first problem with these technologies is that they’re listed as effective controls or approaches in most security standards. Rather than spend too much time on this point, let me just say most standards are outdated before they’re published.
The second problem is that they’re very expensive. As a CEO, if all you know is that you have technologies mandated in standards and you’re paying millions for them, you’d assume you’re safe.
But you’d be wrong.
Consider how Apple, with one of the largest and best-resourced security teams imaginable, lost 90 GB of data and did not detect the breach until a year later. Or how an Apple employee harvested 40 GB of data on the Apple Car, walked out with a server and circuit boards, and joined a Chinese competitor. Or how one of the world’s largest retailers, with some of the best SIEM investments money could buy together with monitoring from a Gartner-leading MSSP, was so thoroughly breached.
Remember that the largest breaches, Bank of America and J.P. Morgan Chase included, had four things in common:
- They were all spending millions on cyber security
- They were all compliant with one or more security standards
- Their threat detection capabilities were non-existent or rudimentary
- They were breached
How could this be possible?
Because of their price tags, most enterprises put SIEM and EDR at the centre of their security strategy. Despite this, most of these investments fail to deliver any reasonable outcome; many are written off as failed projects and a waste of company resources. If you don’t believe me, ask your friendly research analyst.
If you still need to be convinced, I urge you to hire a red team. Watch how they send malware into your network, take remote control of your machines, and blast through your WAF. Watch how they move laterally, elevate their privileges and exfiltrate terabytes of data without your SOC or MSSP detecting a single thing.
This exact scenario has been playing out for a few years now in security-savvy organisations with the budget to test their controls. Can you imagine the look on the faces of the CEO, CFO and CIO when they read the red team report? Or on the board members’? I don’t have to imagine it. I have seen it many times first-hand.
During these tests the client generally receives dozens, if not hundreds, of alerts from their SIEM, EDR, MSSP or SOC, depending on the volume of logs ingested and the size of the client network. Now here is the sad part: almost all of the incidents the client receives are false positives.
This is the third problem with SIEMs, EDRs, SOCs and MSSPs: they generate far too many false positives. Clients tirelessly waste time chasing each one, and every time they’re let down. After long enough, they simply start ignoring them. A security engineer at a large client recently told me: “we close the incidents quickly because our CISO gets upset when we have too many incidents open in the queue from our MSSP”.
This is called “Alert Fatigue”, and it’s the only outcome you’ll receive from an investment in SIEMs, EDRs, SOCs or MSSPs.
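To make the false-positive mechanism concrete, here is an added example of my own (it is not code from the original article, nor from any vendor or product named in it). It runs two detection rules over a handful of constructed endpoint events: a single-signal rule of the kind that floods a queue (alert on every encoded PowerShell launch) and a correlated rule that only fires when one host chains three attack stages inside a short window. The hostnames, IP addresses, timestamps and the assumed corporate range 10.0.0.0/8 are all made up for illustration.

```python
"""Single-signal vs. correlated detection over constructed endpoint events.

Added example, not from the original article. All events below are invented;
the corporate network range is assumed to be 10.0.0.0/8.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): normalised to
# timestamp, host, event type and a detail string.
EVENTS = [
    # Admin automation: encoded PowerShell is routine on these hosts.
    {"ts": "2024-05-01T09:00:00", "host": "ws-017", "type": "process",
     "detail": "powershell.exe -enc SQBtAHAAbwByAHQA"},
    {"ts": "2024-05-01T09:01:00", "host": "ws-042", "type": "process",
     "detail": "powershell.exe -enc RwBlAHQALQBDAGgA"},
    {"ts": "2024-05-01T09:02:00", "host": "srv-db1", "type": "process",
     "detail": "powershell.exe -enc SQBuAHYAbwBrAGUA"},
    # ws-042 then talks to an internal server: benign.
    {"ts": "2024-05-01T09:03:00", "host": "ws-042", "type": "network",
     "detail": "10.0.5.20:443"},
    # ws-091: encoded PowerShell, a fresh connection to an external address,
    # then an LSASS memory dump. This is the constructed "red team" host.
    {"ts": "2024-05-01T09:10:00", "host": "ws-091", "type": "process",
     "detail": "powershell.exe -enc SQBFAFgAIAAoAE4A"},
    {"ts": "2024-05-01T09:11:30", "host": "ws-091", "type": "network",
     "detail": "203.0.113.77:443"},
    {"ts": "2024-05-01T09:14:00", "host": "ws-091", "type": "process",
     "detail": "rundll32.exe comsvcs.dll MiniDump 612 lsass.dmp full"},
]

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range
ENCODED_PS = ("powershell.exe", "-enc")
CRED_DUMP = ("MiniDump", "lsass")


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _is_external(endpoint):
    """True when the 'ip:port' endpoint lies outside the assumed internal range."""
    ip = ipaddress.ip_address(endpoint.rsplit(":", 1)[0])
    return ip not in INTERNAL_NET


def _matches(event, markers):
    return event["type"] == "process" and all(m in event["detail"] for m in markers)


def naive_rule(events):
    """One event, one alert: fires on every encoded PowerShell launch."""
    return [e["host"] for e in events if _matches(e, ENCODED_PS)]


def correlated_rule(events, window=timedelta(minutes=10)):
    """Fire once per host only if, within `window` of an encoded PowerShell
    launch, the same host connects to an external address AND dumps LSASS."""
    by_host = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        for i, first in enumerate(evs):
            if not _matches(first, ENCODED_PS):
                continue
            later = [x for x in evs[i + 1:] if _ts(x) - _ts(first) <= window]
            beacon = any(x["type"] == "network" and _is_external(x["detail"])
                         for x in later)
            dump = any(_matches(x, CRED_DUMP) for x in later)
            if beacon and dump:
                alerts.append(host)
                break  # one alert per host is enough for triage
    return alerts


def triage_summary(events, known_bad):
    """Compare analyst workload and false positives for the two rules.
    `known_bad` is the constructed ground truth for this sample."""
    naive = naive_rule(events)
    corr = correlated_rule(events)
    return {
        "naive_alerts": len(naive),
        "naive_false_positives": sum(1 for h in naive if h not in known_bad),
        "correlated_alerts": len(corr),
        "correlated_false_positives": sum(1 for h in corr if h not in known_bad),
    }


if __name__ == "__main__":
    print(triage_summary(EVENTS, known_bad={"ws-091"}))
```

On this sample the single-signal rule raises four alerts, three of them on hosts doing routine administration, while the correlated rule raises exactly one. Scale the sample up to an enterprise log volume and the first rule is the queue the security engineer quoted above was told to close quickly; the second is the shape a detection has to take before an analyst can trust it enough to act.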
My hope with this article is to wake you up to this reality and to have you think differently about cyber defence: about a genuine solution that lets you detect and respond to attacks; about a post-breach strategy for detecting malware and human adversaries (including red teams); about having breaches validated before notification; about preserving evidence through a post-breach forensics capability; and about no longer drowning in false positives.
If you’re in the channel or an MSP and would like to genuinely help your clients strengthen their security posture and deliver real threat detection and response capabilities, consider partnering with us. We sell exclusively through the channel and have a global presence. Best of all, we work with you to deliver the end outcome to clients. To learn more, get in touch using [email protected]