This is a guest post contributed by Aoife Mc Monagle, Director, Marketing & Communications at Scalar Decisions
As Canada’s #1 IT security company, Scalar spends a lot of time advising clients on how to manage cybersecurity risk. We also spend time researching the market to better understand the needs of Canadian clients and how they are dealing with cybersecurity today. In February 2016, we published our second annual security study: The Cyber Security Readiness of Canadian Organizations.
Our objective was to examine changes in the cyber threat landscape, and what strategies, tactics, and technologies respondents were finding most useful in combatting these threats.
The findings showed that the landscape was generally getting worse year-over-year: more attacks, more breaches, more data losses, and higher costs associated with remediation. However, it wasn’t all bad news. We identified a subset of the sample who reported a stronger cybersecurity posture and a greater confidence in their ability to withstand attacks. We referred to these as “high performing” organizations, and they made up just over half of the 600+ security professionals who responded. When compared with the remaining group, deemed the “low performers”, we discovered that high-performing organizations were almost 20% less likely than low performers to have experienced an attack in the last twelve months that led to the loss or exposure of sensitive information. This last stat alone was enough to pique our interest.
So what do the high performers do differently, and what can we learn from them? In general, they dedicate more of their budget to IT security, and are much more likely to align their cybersecurity strategy with the overall business objectives and mission. They also measure the ROI of their investments and, interestingly, they differed from low performers in their opinions on which technologies provided the best ROI.
High performers believe one of the technologies that delivers the highest ROI is SIEM. High-performing organizations actually report experiencing more attacks than their low-performing counterparts; however, it is very likely that this is because many attacks in low-performing organizations simply go unnoticed. Leveraging SIEM tools allows high performers to baseline their current environment to understand what “normal” looks like, and quickly spot behaviour that doesn’t fall into that category.
The fact that high-performing organizations detect more attacks means they are far more likely to be able to contain a breach before it causes damage or data loss, as evidenced by their 20% reduction in incidents involving loss of sensitive information. Investing in visibility and monitoring tools is essential if you are to be able to respond rapidly to threats that target your most critical assets and data.
SIEM is a rapidly evolving technology and it’s now about much more than just logs. The most advanced SIEM vendors layer on advanced analytical capabilities that can take that ingested information and generate meaningful and actionable insight for analysts. Many breaches occur because analysts simply didn’t spot the critical alert amongst an avalanche of less impactful ones.
This is one of the reasons we chose Splunk as one of our core security technology partners. Splunk Enterprise Security (ES) is a premium security solution that provides insight into machine data generated from security data sources such as network, endpoint, access, malware, vulnerability, identity, and threat intelligence. It enables security teams to quickly detect and respond to internal and external attacks to simplify threat management while minimizing risk and safeguarding your business.
Splunk ES also allows you to operationalize global threat intelligence, something that 75% of respondents in our survey said was critical to attaining a strong security posture. You can use the Threat Intelligence Framework in Splunk ES to aggregate multiple threat intelligence sources, de-duplicate, and assign weights so a wide range of indicators of compromise (IOCs) can be used for monitoring, alerting, reporting and investigation. Splunk has a great whitepaper covering this in further detail available for download.
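To make the aggregate, de-duplicate, weight and monitor cycle concrete, here is an added Python illustration of that workflow. It is not Splunk's Threat Intelligence Framework or any Scalar code; the feed names, source weights, key=value field names and all indicators and events are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample threat feeds (not real indicators). Each source carries a
# confidence weight, and the same IOC can appear in several feeds with
# differing case or a trailing dot.
FEEDS = {
    "vendor_feed": {"weight": 0.9, "iocs": [("ip", "198.51.100.7"), ("domain", "bad.example")]},
    "isac_feed":   {"weight": 0.5, "iocs": [("ip", "198.51.100.7"), ("ip", "203.0.113.9")]},
    "osint_feed":  {"weight": 0.3, "iocs": [("domain", "BAD.EXAMPLE"), ("domain", "bad.example.")]},
}

# Constructed firewall / DNS events in key=value form.
EVENTS = [
    "2016-02-10T10:01:02Z src=10.0.0.5 dst=198.51.100.7 action=allow",
    "2016-02-10T10:01:05Z src=10.0.0.6 query=BAD.EXAMPLE. rcode=NOERROR",
    "2016-02-10T10:01:09Z src=10.0.0.7 dst=203.0.113.9 action=allow",
    "2016-02-10T10:01:11Z src=10.0.0.8 dst=192.0.2.44 action=allow",
]

def normalize(ioc_type, value):
    """Canonicalise an indicator so duplicates from different feeds collapse."""
    value = value.strip().lower()
    if ioc_type == "domain":
        value = value.rstrip(".")  # DNS logs and zone files add a trailing dot
    return (ioc_type, value)

def aggregate(feeds):
    """Merge feeds into one de-duplicated table. Each source is treated as an
    independent signal, so the combined weight is 1 - prod(1 - w_i)."""
    table = defaultdict(lambda: {"miss": 1.0, "sources": set()})
    for name, feed in feeds.items():
        for ioc_type, value in feed["iocs"]:
            entry = table[normalize(ioc_type, value)]
            if name not in entry["sources"]:  # one feed listing it twice adds nothing
                entry["miss"] *= 1.0 - feed["weight"]
                entry["sources"].add(name)
    return {k: {"weight": round(1.0 - v["miss"], 4), "sources": sorted(v["sources"])}
            for k, v in table.items()}

FIELD_TYPES = {"src": "ip", "dst": "ip", "query": "domain"}  # assumed log schema

def match_events(lines, table, threshold=0.6):
    """Return (line, indicator, weight, sources) for events that hit a weighted
    IOC at or above the alert threshold; weaker hits are left for hunting."""
    alerts = []
    for line in lines:
        fields = dict(re.findall(r"(\w+)=(\S+)", line))
        for field, ioc_type in FIELD_TYPES.items():
            if field in fields:
                hit = table.get(normalize(ioc_type, fields[field]))
                if hit and hit["weight"] >= threshold:
                    alerts.append((line, normalize(ioc_type, fields[field])[1],
                                   hit["weight"], hit["sources"]))
    return alerts
```

Lowering the threshold to 0.4 surfaces the single-source hit on 203.0.113.9 as well, which is the trade-off the weighting exists to manage.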
If you’d like to learn more about how Scalar can help you leverage Splunk to provide analytics-driven security in your organization, please reach out to us. You can also download a complete copy of our study.
Aoife Mc Monagle
Director, Marketing & Communications