Security Operations: Five Key Points
The ongoing threat of cyberattacks continues to pose major challenges for companies. Many now rely on external providers for security operations (SecOps). Even then, IT security is not a foregone conclusion; certain prerequisites must be met. The following five core principles are crucial for success.
The term SecOps, i.e. Security Operations, is used by IT security experts to cover all operational activities in their field. Because the range of tasks is so broad, companies need a Security Operations Center (SOC) to protect their IT infrastructure across the board; a single employee processing the alerts from EDR (Endpoint Detection and Response) and SIEM (Security Information and Event Management) tools is by no means enough, as Ontinue emphasizes. Since very few companies have the budget to set up their own SOC, and the shortage of skilled staff prevents it even where the budget exists, many rely on outsourcing. But even the collaboration with a service provider must be highly efficient in the face of increasing cyberattacks and an ever-changing threat landscape. Ontinue lists five core principles for successful, effective and efficient SecOps:
Automation: Automation is key for SecOps teams that would otherwise drown in the flood of alerts. Security experts should therefore use SOAR (Security Orchestration, Automation and Response) tools to define meaningful response actions, i.e. automated reactions to recurring types of incident. For example, when an alert indicates a ransomware attack, the software could automatically isolate the affected host from the network. Such playbooks need guardrails, so that a false positive does not take a critical server offline without a human in the loop.
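To make the automation principle concrete, here is an added example of a minimal SOAR-style playbook step. It is illustrative code written for this article, not Ontinue's code and not any SOAR product's real API: the alert fields, the isolation hook `isolate_host`, the confidence threshold and the critical-host list are all assumptions. It shows the decision logic a practitioner would want around "isolate the host on a ransomware alert": act only on high-confidence alerts, never auto-isolate a critical host, and do not repeat an action for a host that is already contained.

```python
"""Added example (not Ontinue's code, not a real SOAR product's API):
a minimal SOAR-style playbook that decides, per alert, whether to isolate
the affected host automatically, hand the alert to an analyst, or skip it.
The alert fields, the isolation hook and the critical-host list are assumptions.
"""
from dataclasses import dataclass, field

# Constructed EDR-style alerts (assumed format, not a real product's schema).
SAMPLE_ALERTS = [
    {"id": "a1", "host": "ws-042", "category": "ransomware", "severity": "high", "confidence": 92},
    {"id": "a2", "host": "dc-01",  "category": "ransomware", "severity": "high", "confidence": 95},
    {"id": "a3", "host": "ws-017", "category": "ransomware", "severity": "low",  "confidence": 40},
    {"id": "a4", "host": "ws-042", "category": "ransomware", "severity": "high", "confidence": 88},
    {"id": "a5", "host": "ws-099", "category": "phishing",   "severity": "high", "confidence": 99},
]

# Hosts the playbook must never isolate on its own (assumed list): a false
# positive on a domain controller would take the whole estate down.
CRITICAL_HOSTS = {"dc-01", "dc-02"}


@dataclass
class PlaybookRun:
    decisions: dict = field(default_factory=dict)  # alert id -> (decision, reason)
    actions: list = field(default_factory=list)    # side effects actually taken


def isolate_host(host: str, run: PlaybookRun) -> None:
    """Stand-in for an EDR 'isolate endpoint' call; only records the action."""
    run.actions.append(f"isolate:{host}")


def run_ransomware_playbook(alerts, critical_hosts=CRITICAL_HOSTS, min_confidence=80) -> PlaybookRun:
    """Evaluate alerts in order and isolate at most once per affected host."""
    run = PlaybookRun()
    contained = set()
    for a in alerts:
        aid, host = a["id"], a["host"]
        if a["category"] != "ransomware":
            run.decisions[aid] = ("skip", "not a ransomware alert")
        elif a["severity"] != "high" or a["confidence"] < min_confidence:
            # Below the auto-response threshold: leave it to an analyst.
            run.decisions[aid] = ("escalate", "below auto-response threshold")
        elif host in critical_hosts:
            run.decisions[aid] = ("escalate", "critical host, human approval required")
        elif host in contained:
            # Duplicate alert for a host we already isolated; no second action.
            run.decisions[aid] = ("skip", "host already isolated")
        else:
            isolate_host(host, run)
            contained.add(host)
            run.decisions[aid] = ("isolate", "high-confidence ransomware on non-critical host")
    return run


if __name__ == "__main__":
    result = run_ransomware_playbook(SAMPLE_ALERTS)
    for aid, (decision, reason) in result.decisions.items():
        print(f"{aid}: {decision:8s} {reason}")
    print("actions taken:", result.actions)
```

Run on the constructed alerts, only ws-042 is isolated (once); the domain controller alert and the low-confidence alert are escalated to an analyst, and the phishing alert is left to a different playbook. In a real deployment the decision record, not just the action, should be written back to the case so the response remains auditable.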
Collaboration: Seamless collaboration between the enterprise and the external SOC of an MXDR (Managed Extended Detection and Response) provider is essential for efficient protection. Many still use cumbersome, slow ticket systems for this, even though sophisticated collaboration tools are available. It makes more sense to use platforms such as Microsoft Teams or Slack, which allow more direct and informal communication between everyone involved. This can shorten the mean time to respond (MTTR).
Localization: To ensure the highest level of security, external service providers such as MXDR vendors need a deep understanding of the IT infrastructure of the companies they serve. On the one hand, they need to know the clients, endpoints and servers; on the other, they need an overview of the individual assets and their role-based access rights. It is also important that they know exactly what the existing business applications consist of and which of them are essential for the company's daily operations. Some MXDR vendors, with the permission of the business, deploy AI bots that automatically monitor the IT infrastructure and notify the external SOC when unknown hardware or software appears.
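The monitoring described above, notifying the SOC when unknown hardware or software appears, comes down to comparing what a scan sees against an approved baseline. The following is an added example written for this article, not any MXDR vendor's bot, and it is plain rule-based comparison rather than AI. The baseline, the scan records and their field names are constructed.

```python
"""Added example (illustrative, not any MXDR vendor's monitoring bot):
a rule-based check that compares a fresh inventory scan against an approved
baseline and reports unknown hosts, hosts whose hardware identity changed,
hosts that disappeared, and software that is not on the approved list.
The baseline, the scan records and the field names are constructed.
"""

# Approved baseline (constructed): hostname -> expected MAC, plus approved software.
BASELINE = {
    "hosts": {
        "ws-042":  "aa:bb:cc:00:00:42",
        "ws-017":  "aa:bb:cc:00:00:17",
        "srv-erp": "aa:bb:cc:00:01:01",
    },
    "approved_software": {"Microsoft Office", "Google Chrome", "ERP Client", "EDR Agent"},
}

# Fresh scan (constructed), in the shape an asset-discovery tool might report.
SCAN = [
    {"host": "ws-042",  "mac": "AA:BB:CC:00:00:42", "software": ["Microsoft Office", "Google Chrome", "AnyDesk"]},
    {"host": "ws-017",  "mac": "de:ad:be:ef:00:17", "software": ["Microsoft Office", "EDR Agent"]},
    {"host": "rpi-lab", "mac": "b8:27:eb:12:34:56", "software": ["python3"]},
]


def normalize(name: str) -> str:
    """Case- and whitespace-insensitive comparison key for names and MACs."""
    return name.strip().lower()


def check_inventory(scan, baseline):
    """Return a list of (finding_type, host, detail) tuples for the SOC to review."""
    findings = []
    known = {h: normalize(mac) for h, mac in baseline["hosts"].items()}
    approved = {normalize(s) for s in baseline["approved_software"]}
    seen = set()
    for rec in scan:
        host, mac = rec["host"], normalize(rec["mac"])
        seen.add(host)
        if host not in known:
            # Hardware the baseline has never heard of.
            findings.append(("unknown_host", host, mac))
        elif known[host] != mac:
            # Same hostname, different hardware identity: possibly a rogue
            # device impersonating a known asset.
            findings.append(("mac_mismatch", host, f"expected {known[host]}, saw {mac}"))
        for sw in rec["software"]:
            if normalize(sw) not in approved:
                findings.append(("unapproved_software", host, sw))
    for host in known:
        if host not in seen:
            # Known asset that no longer answers: outage or a host pulled off the network.
            findings.append(("missing_host", host, "in baseline but not in scan"))
    return findings


if __name__ == "__main__":
    for kind, host, detail in check_inventory(SCAN, BASELINE):
        print(f"{kind:20s} {host:8s} {detail}")
```

On the constructed data this yields five findings: a remote-access tool (AnyDesk) on ws-042, a MAC address change on ws-017, an unknown device rpi-lab with its unapproved software, and the ERP server missing from the scan. Each of these is exactly the kind of change the text says the external SOC should hear about, ideally before an attacker makes use of it.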
Specialization: When it comes to security architectures, less is more. Many service providers rely on too large a portfolio of security products, with the disadvantage that their experts have to master many different technologies. It therefore makes more sense to focus on a holistic ecosystem from a single manufacturer, which allows security operations to be integrated simply and comprehensively and thus delivers the highest quality. A consistent product portfolio also makes it easier for internal IT experts to collaborate with their external colleagues.
Prevention: The best alert is the one that never arises in the first place. Enterprises and service providers should therefore work together to address threats proactively, not just reactively. On the company side, this means informing the security partner about changes to the IT infrastructure in good time, or even involving it in the evaluation of new hardware or software. On the service provider side, it means investing heavily in threat intelligence, i.e. identifying potential future security gaps and threats before they are exploited.
"Putting efficient SecOps into practice is no easy feat - neither for MXDR vendors nor for enterprises," emphasizes Jochen Koehler, VP EMEA Sales at Ontinue. "That's why it's important that all stakeholders pull together and that the collaboration works smoothly. This only works if both sides work on seamless communication and individually do everything in their respective areas of responsibility to ensure the highest security precautions are taken. This is the only way they can really make life difficult for hackers."