Faced by a growing number of cyberattacks, an ever-evolving technology landscape and fast-paced digital transformation, enterprises are beginning to understand the multiple risks and consequences of falling victim to cybercrime.
To ensure they are fully protected, organisations that handle critical client data or payment details – or those that are undergoing digital transformation – should modernise their security operations centre (SOC) by moving to more resilient and cost-effective cloud-native security operations.
However, moving critical IT infrastructure from on-premises or local data centres to the public cloud is not always simple for large, regulated enterprises. This type of modernisation and transition requires organisations to carefully rethink their entire security portfolio, starting with security solutions and methods for detection, response and recovery. In many cases, they must show parity between their old and new infrastructures.
A future-proof solution
When an enterprise shifts fundamental IT architecture – such as servers, hardware or firewalls – from a data centre into the public cloud, it should redesign its security architecture to ensure it is cloud-native. This is because most of the current solutions used in the SOC were designed for on-premises or local data centres and therefore fall short when it comes to addressing the issues facing modern digital organisations.
For example, applications – especially those that are custom built or configured – are moving to the cloud, making them a growing target for hackers. This makes end point security or zero-trust models increasingly important.
End points themselves are also becoming more complicated. It’s no longer just computers and telephones – end points are now expanding to include connected internet of things (IoT) and operational technology devices, such as smart meters, elevators and even self-driving cars. Industrial control systems and processes (and other specialised applications) are also becoming more standardised and, therefore, easier to attack.
In addition, end points generally connect to applications that run in a public cloud, so businesses need to move to zero-trust models that require reliable identity verification and controlled access.
Cloud-native solutions overcome all these issues. Many of the security products that enterprises have been buying in recent years are already natively available in the cloud and include artificial intelligence tools or algorithms. Microsoft, for example, deploys advanced algorithmic capabilities within Defender and other suites. Organisations can use solutions that feature AI models to address security risks proactively and to expedite their detection and response capabilities.
Like other public cloud providers, Microsoft also has cost-effective, cloud-native solutions for handling larger data volumes and security information and event management (SIEM) platforms.
The security industry has coined a new term: extended detection and response (XDR). It describes a platform that can aggregate security information from multiple sources, including the end point, cloud and identity management systems, to help teams isolate and respond to threats faster. A managed detection and response (MDR) service leveraging the Microsoft XDR platform, for example, helps companies to identify attacks via email, end points, identities and applications, enabling a timely response to reduce the impact of the attack.
Deploying cloud-native XDR solutions also facilitates the automation of many labour-intensive tier one and two processes. This could include tasks such as patching and testing enterprise systems, deploying infrastructure improvements, addressing support tickets from employees and generating reports for senior management about the organisation’s security posture.
Until recently, these tasks have prevented SOC teams from maintaining the ‘big picture’ vision that is crucial for fully protecting the enterprise against cyberattacks. However, by automating as many of these tasks as possible, enterprises enable their teams to invest more time in analysing potential threats.
Automation also provides the SOC team with better data insights, allowing analysts to react more quickly when an incident occurs. This speed and agility are crucial because the magnitude of the loss is directly related to the time it takes to detect and respond to an attack. By defining the response window – the minimum period of time after which the impact of an attack becomes exponentially greater – enterprises can lessen the associated risks.
Strengthening the enterprise security posture
When developing a modern and efficient SOC, organisations must implement a cloud-native SIEM. Unlike traditional SIEMs that are expensive to deploy, own and operate, cloud-native SIEMs have no upfront costs and can collect data at scale across all users, devices, applications and infrastructure, both on-premises and in multiple clouds. A SIEM like Microsoft Sentinel, for example, leverages algorithms to connect and master data streams, and to ingest and verify alerts. By acting as a single security analytics platform that covers multiple cloud environments, the SIEM provides security analysts with actionable, timely information to help prevent attacks.
Another pivotal part of a modern SOC is end point detection and response (EDR). This combines real-time continuous monitoring and collection of end point data with rule-based, automated analysis and response. Integrating EDR with the SOC supports a zero-trust approach, providing a centralised platform for monitoring end points and responding to incidents, often automatically.
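The cross-source aggregation that XDR performs and the rule-based, automated analysis and response that EDR adds are easier to picture with a small worked illustration. The following Python script is an added example written for this page; it is not code from the article, from CyberProof or from any Microsoft product. It normalises constructed records from three sources (an email gateway, an endpoint agent and an identity provider) into one event schema, groups them by user, and raises an incident with a suggested automated response when signals from at least two sources, one of them the endpoint, fall inside a 15-minute window. The sample events, the window length, the signal names and the response actions are all assumptions chosen for the example.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

WINDOW = timedelta(minutes=15)  # assumed correlation window for this example


@dataclass(frozen=True, order=True)
class Event:
    ts: datetime
    source: str   # "email", "endpoint" or "identity"
    user: str     # normalised user name: the join key across sources
    host: str     # "-" when the source carries no host context
    signal: str   # normalised signal name


# Constructed raw records, each in its own source's native shape.
EMAIL_RAW = [
    {"time": "2022-11-14T09:01:00", "recipient": "alice@example.com", "verdict": "phish"},
    {"time": "2022-11-14T10:15:00", "recipient": "bob@example.com", "verdict": "clean"},
]
ENDPOINT_RAW = [
    {"time": "2022-11-14T09:04:30", "user": "EXAMPLE\\alice", "hostname": "LAPTOP-01",
     "event": "office_spawned_powershell"},
    {"time": "2022-11-14T12:00:00", "user": "EXAMPLE\\bob", "hostname": "LAPTOP-02",
     "event": "scheduled_scan_completed"},
]
IDENTITY_RAW = [
    {"time": "2022-11-14T09:06:10", "upn": "alice@example.com", "result": "success", "new_country": True},
    {"time": "2022-11-14T11:30:00", "upn": "bob@example.com", "result": "success", "new_country": False},
]


def _user_from_upn(upn: str) -> str:
    return upn.split("@", 1)[0].lower()


def _user_from_domain(name: str) -> str:
    return name.split("\\", 1)[-1].lower()


def normalise() -> list[Event]:
    """Map each source's records onto the common Event schema; benign records are dropped."""
    events: list[Event] = []
    for r in EMAIL_RAW:
        if r["verdict"] == "phish":
            events.append(Event(datetime.fromisoformat(r["time"]), "email",
                                _user_from_upn(r["recipient"]), "-", "phish_delivered"))
    for r in ENDPOINT_RAW:
        if r["event"] == "office_spawned_powershell":
            events.append(Event(datetime.fromisoformat(r["time"]), "endpoint",
                                _user_from_domain(r["user"]), r["hostname"], "suspicious_child_process"))
    for r in IDENTITY_RAW:
        if r["result"] == "success" and r["new_country"]:
            events.append(Event(datetime.fromisoformat(r["time"]), "identity",
                                _user_from_upn(r["upn"]), "-", "signin_new_country"))
    return sorted(events)


def correlate(events: Iterable[Event], window: timedelta = WINDOW) -> list[dict]:
    """Group events per user and raise an incident when signals from at least two
    sources, one of them the endpoint, fall inside one time window. The suggested
    actions (isolate the host, revoke the user's sessions) stand in for the automated
    response an EDR/XDR playbook would run."""
    by_user: dict[str, list[Event]] = defaultdict(list)
    for e in sorted(events):
        by_user[e.user].append(e)
    incidents: list[dict] = []
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            cluster = [e for e in evs[i:] if e.ts - first.ts <= window]
            sources = {e.source for e in cluster}
            if len(sources) >= 2 and "endpoint" in sources:
                hosts = sorted({e.host for e in cluster if e.host != "-"})
                incidents.append({
                    "user": user,
                    "start": first.ts,
                    "sources": sources,
                    "signals": [e.signal for e in cluster],
                    "actions": [f"isolate_host:{h}" for h in hosts] + [f"revoke_sessions:{user}"],
                })
                break  # one incident per user; a real engine would also dedupe across windows
    return incidents


if __name__ == "__main__":
    for incident in correlate(normalise()):
        print(incident)
```

Run on the constructed data, only alice's activity produces an incident: the phishing delivery, the suspicious child process on LAPTOP-01 and the sign-in from a new country all land within six minutes, so the three sources corroborate each other and the suggested response is to isolate the host and revoke the sessions. Bob's records never reach the rule because each one is benign on its own, which is the point of correlating across sources rather than alerting per source.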
A data lake is also essential. It offers a centralised repository for storing, processing and securing unlimited quantities of structured, semi-structured and unstructured data from multiple sources.
Once these cloud-native components are in place in the SOC, an MDR provider like CyberProof can offer multiple services, including orchestration and automation. This involves leveraging solutions to enable a full overview of the enterprise, making it easy to streamline threat and vulnerability management, incident response and security operations automation. Doing this alleviates the stresses of increasingly sophisticated attacks, growing volumes of alerts and long resolution time frames.
MDR providers can also offer strategic, operational and tactical threat intelligence services, delivering evidence-based knowledge about existing or emerging threats to enable enterprises to make data-driven decisions. To support this, MDR providers can employ threat hunters to evaluate an enterprise’s network and develop security baselines, proactively pinpointing any policy violations within the network. This strengthens the cybersecurity ecosystem by incorporating a more proactive approach, while reducing the attack surface.
Once an organisation has a modern, cloud-native SOC and the support of an MDR provider, it is well-equipped to effectively protect its critical assets against ever-evolving cybercrime.
Tony Velleca is CEO of CyberProof, a UST company
This article was originally published in the Winter 2022 issue of Technology Record. To get future issues delivered directly to your inbox, sign up for a free subscription.