Our cyber security products span from our next gen SIEM used in the most secure government and critical infrastructure environments, to automated cyber risk reporting applications for commercial and government organisations of all sizes.
Our CEO, Peter Woollacott, recently attended the 2019 RSA Conference in San Francisco. As the primary cyber security trade show in America, RSA is an enormous showcase of products from a multitude of cyber technology vendors. A key theme throughout the conference was that of cyber trust and organisational trustworthiness.
In our workplace, whom can we trust? How can we trust democratic processes such as e-voting, given the revelations of nation-state interference around the world? Can organisations trust their supply chain, and how can anyone trust cloud services and technologies when they have little or no control over the underlying systems, or over the people who have access to their data?
Back in Australia, this got us thinking about Huntsman Security’s products and the underpinning reason for a SIEM’s existence, which is to assure security and trust within your organisation. Of course, trust isn’t just about trusting your staff, customers or suppliers, but also demonstrating trustworthiness in your own company to those same staff members, customers, suppliers and regulators.
Auditing has traditionally been a retrospective trust model: it lets organisations look back at what happened over a period and determine whether things are on track. Just as forensic accountants trawl through tax returns and sales ledgers to check that everything matches what was reported, auditing in the digital world allows security professionals or regulators to look back at what has been happening over a period of time.
The auditor might look at how certain security controls are implemented, such as your facility’s alarms and door entry systems, or they might check the changes applied to your technology systems, such as how well they are patched against the latest vulnerabilities. Auditing also helps organisations ensure processes are being followed accurately, for example, your access policy – if that isn’t followed strictly, the wrong people may have access to systems and information they are not permitted to see, which can easily lead to a security breach.
Auditing therefore helps security teams correct course if things are veering off mission, and the audit function will likely remain an important tool in the arsenal of business assurance managers for years to come. Yet in our highly connected world, where attackers move fast and steal information in real time, retrospective auditing rarely prevents anything: by the time the audit runs, the data is already gone. Audit records are still essential after a breach, since they let forensic investigators piece together what happened, review the incident and determine how to prevent a recurrence; what they cannot do is stop the attack while it is in progress.
A more proactive approach is required, one that operates within the same decision cycle as the attacker, so that security teams can stop intruders in their tracks before they do any damage. This is where the SIEM comes in.
A well-designed SOC service will look to deliver both audit modes: retrospective and proactive. As a long-term storage and search system, the SIEM can store months (or years) of data so that an auditor can follow the trail of a breach or incident and see which users accessed which systems and touched which company assets. Because the SIEM also processes event log data as it arrives, it lets the security team profile that data in real time and raise alerts when particular patterns of behaviour or correlations occur.
Building an organisational trust model is vitally important for all businesses, since customers will only buy products or services from vendors they believe in. If trust is betrayed, then customers will likely walk away and seek alternative suppliers.
The power of this operational risk monitoring approach is its relevance to the organisation's risk context. Huntsman Security's Essential 8 Scorecard takes indicators from log sources across the business, such as logs from Active Directory servers, backup systems and vulnerability management systems, then aggregates them into a business intelligence dashboard and reports on compliance with each control.
Essential 8 Scorecard dashboard
Furthermore, the Essential 8 Scorecard is laid out to match the compliance framework the organisation must abide by, so the dashboard shows at a glance where operational teams should focus. For example, if you need to demonstrate compliance with the ACSC's Essential Eight, the scorecard shows exactly how you are tracking with your patching programme, how your backups are performing and how your MS Office policies are configured. All of this works in real time, so you don't need to wait until the next audit to find out that you are not compliant.
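The roll-up the scorecard performs, from per-host indicators to one compliance row per control, is simple enough to show in code. The following is an added example written for this article; it is not Huntsman Security's Essential 8 Scorecard or any of its code. The host records, the three controls shown, the field names and the pass thresholds (a 14-day patching SLA, a one-day backup age, a 90% coverage target) are assumptions for illustration and are not the ACSC maturity-level wording, which is more detailed.

```python
from datetime import date

AS_OF = date(2019, 3, 8)   # assumed "now" for the constructed sample

# Constructed per-host indicators (not real data), as they might be extracted from a
# vulnerability scanner, the backup system and Active Directory group policy reporting.
HOSTS = {
    "ws-17":  {"oldest_missing_critical_patch": date(2019, 2, 1),
               "last_good_backup": date(2019, 3, 7), "office_macros": "blocked_from_internet"},
    "ws-22":  {"oldest_missing_critical_patch": None,
               "last_good_backup": date(2019, 3, 8), "office_macros": "enabled"},
    "ws-23":  {"oldest_missing_critical_patch": date(2019, 3, 1),
               "last_good_backup": date(2019, 3, 8), "office_macros": "disabled"},
    "srv-01": {"oldest_missing_critical_patch": None,
               "last_good_backup": date(2019, 3, 8), "office_macros": "blocked_from_internet"},
    "srv-02": {"oldest_missing_critical_patch": date(2019, 1, 15),
               "last_good_backup": None,             "office_macros": "disabled"},
}

# Assumed pass criteria per control (illustrative thresholds, not the ACSC text).
PATCH_SLA_DAYS = 14
BACKUP_MAX_AGE_DAYS = 1
TARGET_COVERAGE = 0.9   # assumed: a control is "compliant" when 90% of hosts pass


def patched(ind, as_of):
    """Pass if no critical patch is missing, or the oldest one is within the SLA."""
    missing = ind["oldest_missing_critical_patch"]
    return missing is None or (as_of - missing).days <= PATCH_SLA_DAYS


def backed_up(ind, as_of):
    """Pass if a good backup completed within the allowed age."""
    last = ind["last_good_backup"]
    return last is not None and (as_of - last).days <= BACKUP_MAX_AGE_DAYS


def macros_controlled(ind, as_of):
    """Pass if macros are disabled outright or blocked for internet-sourced documents."""
    return ind["office_macros"] in ("disabled", "blocked_from_internet")


CONTROLS = {
    "Patch applications": patched,
    "Regular backups": backed_up,
    "Configure MS Office macros": macros_controlled,
}


def scorecard(hosts, controls, as_of, target=TARGET_COVERAGE):
    """Roll raw indicators up to one row per control: coverage, pass/fail, failing hosts."""
    card = {}
    for name, check in controls.items():
        failing = sorted(h for h, ind in hosts.items() if not check(ind, as_of))
        coverage = 1 - len(failing) / len(hosts)
        card[name] = {"coverage": round(coverage, 3),
                      "compliant": coverage >= target,
                      "failing_hosts": failing}
    return card


def focus_order(card):
    """Controls ordered weakest-coverage first: where operational teams should start."""
    return [name for name, _ in sorted(card.items(),
                                       key=lambda kv: (kv[1]["coverage"], kv[0]))]


if __name__ == "__main__":
    card = scorecard(HOSTS, CONTROLS, AS_OF)
    for name in focus_order(card):
        row = card[name]
        state = "OK" if row["compliant"] else "ACTION"
        print(f"{name:28} {row['coverage']:>5.0%}  {state:6} {row['failing_hosts']}")
```

Re-running `scorecard` on each fresh batch of indicators is what turns this from an audit snapshot into a live view: a host that misses its backup tonight drops that control's coverage tomorrow morning, without waiting for the next audit cycle.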
When you build your SOC, think of it as the centre of your digital trust model, so that the activities your security team perform are aligned with protecting your organisation’s trustworthiness. This puts the value proposition for your team back into the real world, rather than being all about complex technology outcomes, which also helps the SOC team report meaningfully to your executives.
Attacks originate from any number of sources, both external and internal, and the underlying motivation for a breach isn't always theft: a breach is just as likely to be caused by a member of staff accidentally clicking on a phishing attachment or leaving a portable hard drive on the train. If your architecture accounts for all of these use cases, with breaches of your most important data reverse-engineered into patterns of behaviour, you'll have a better chance of detecting them as they happen.
By understanding the chain of events leading up to a breach, you can monitor each system or user in that chain and watch potential breaches develop in real time. This is what a SIEM helps you do. However, you need to do the hard yards of tuning it to your business context, which is what many organisations struggle with. There are five stages of maturing your SIEM installation that ensure you get the best value from your investment while continually maturing your security team's organisational oversight:
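To make the two SIEM modes concrete, here is an added example (written for this article, not Huntsman Security's SIEM or any vendor code) that serves both the retrospective and proactive audit modes described in the SIEM section above and the chain-of-events monitoring just discussed. It keeps every event for later search, and at the same time advances a per-host state machine for one reverse-engineered chain: the phishing scenario of an attachment being opened, Office spawning a shell, then an outbound connection, all on one host within five minutes. The event schema, the step names, the sample events and the window are assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, host, user, event type, detail).
SAMPLE_EVENTS = [
    ("2019-03-04T09:00:05", "ws-17", "alice", "mail_attachment_open", "invoice.docm"),
    ("2019-03-04T09:00:09", "ws-17", "alice", "process_start", "WINWORD.EXE -> powershell.exe"),
    ("2019-03-04T09:00:31", "ws-17", "alice", "net_connect", "203.0.113.10:443"),
    ("2019-03-04T09:12:00", "ws-22", "bob",   "mail_attachment_open", "agenda.pdf"),
    ("2019-03-04T10:40:00", "ws-22", "bob",   "net_connect", "198.51.100.7:443"),
    ("2019-03-04T11:05:00", "fs-01", "alice", "file_access", "finance/payroll.xlsx"),
]

# The phishing scenario reverse-engineered into a chain of behaviour on one host.
# Step names are assumptions for this example, not a vendor rule format.
CHAIN = ("mail_attachment_open", "process_start", "net_connect")
WINDOW = timedelta(minutes=5)


def _parse(raw):
    ts, host, user, etype, detail = raw
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "type": etype, "detail": detail}


class MiniSiem:
    def __init__(self, chain=CHAIN, window=WINDOW):
        self.store = []                     # long-term store: the retrospective audit trail
        self.chain = chain
        self.window = window
        self.progress = defaultdict(deque)  # host -> steps of the chain matched so far
        self.alerts = []

    def ingest(self, raw):
        ev = _parse(raw)
        self.store.append(ev)               # keep everything for later search
        self._correlate(ev)                 # and evaluate it as it arrives
        return ev

    # Proactive mode: advance the per-host chain state with each incoming event.
    def _correlate(self, ev):
        q = self.progress[ev["host"]]
        # A sequence whose first step is older than the window is abandoned.
        if q and ev["ts"] - q[0]["ts"] > self.window:
            q.clear()
        if ev["type"] == self.chain[0]:
            q.clear()                       # a new first step restarts the sequence
            q.append(ev)
        elif q and ev["type"] == self.chain[len(q)]:
            q.append(ev)
        else:
            return
        if len(q) == len(self.chain):
            self.alerts.append({"host": ev["host"], "user": ev["user"], "at": ev["ts"],
                                "steps": [e["detail"] for e in q]})
            q.clear()

    # Retrospective mode: follow one user's trail across systems for a time range.
    def trail(self, user, start, end):
        start = datetime.fromisoformat(start) if isinstance(start, str) else start
        end = datetime.fromisoformat(end) if isinstance(end, str) else end
        return sorted((e for e in self.store
                       if e["user"] == user and start <= e["ts"] <= end),
                      key=lambda e: e["ts"])

    def hosts_touched(self, user):
        return {e["host"] for e in self.store if e["user"] == user}


def run_sample():
    siem = MiniSiem()
    for raw in SAMPLE_EVENTS:
        siem.ingest(raw)
    return siem


if __name__ == "__main__":
    s = run_sample()
    for a in s.alerts:
        print("ALERT", a["host"], a["user"], a["at"], a["steps"])
    for e in s.trail("alice", "2019-03-04T00:00:00", "2019-03-04T23:59:59"):
        print("TRAIL", e["ts"], e["host"], e["type"], e["detail"])
```

On the sample, ws-17 raises an alert within 26 seconds of the attachment being opened, while bob's attachment on ws-22 followed by an unrelated connection 88 minutes later does not, because the window has lapsed. The tuning the article refers to lives in `CHAIN` and `WINDOW`: which steps constitute a breach pattern in your environment, and how far apart they may legitimately occur.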
Trust is one of the most important things an organisation develops with its customers and supply chain, but when lost it’s one of the hardest to restore. By focusing security efforts on protecting your organisation’s trustworthiness, you’ll make the work the SOC does more meaningful to a wider range of stakeholders.