Should you do your own cybersecurity monitoring? It’s a fair question. You may already be paying for IT staff and many tools exist to collect logs. There are important considerations when you make this decision.
Let’s start with your staff. If they are like most IT teams, they are already stretched thin with keeping you running day-to-day and handling projects. Are you prepared to add headcount to be able to monitor 24/7/365? You will need to add full-time people to have multiple people per shift, typically 12-16 to adequately staff through time off, sick days, loss of personnel to better job offers, and having enough resources to be able to investigate the alerts that will be generated. These new staff members will need to be trained on to implement your tools, how to investigate and validate what the alerts mean, how to continuously tune the tool to minimize false positives (while not screening out important alerts). They’ll need to learn (and maybe even create) your incident response process, and should be part of regularly running drills on different types of incidents to make sure that the logs that are needed in those situations are being maintained and can be accessed quickly. Once these staff members are fully trained, they become more valuable to other businesses that also need to staff a Security Operations Center, so be prepared to compete with the salary and benefits needed to keep them. Qualified cybersecurity personnel are difficult to come by and retain in a global market where there is a shortage of cybersecurity professionals with millions of positions unable to be filled.
What about Separation of Duties? Even if you have a dedicated staff for watching over your network that is not the same team who is implementing and supporting the technologies, are they truly separate? Are you confident that this team will come to you if they detect a concern that reflects badly on their coworkers? Who will have the authority if the security team and the IT team have a conflict about how something should be implemented or how much risk is acceptable to your organization?
What kind of facility will your Security team require? Do you have enough space to provide them with the separation they need to focus on watching the logs and responding to alerts without interruption? You also don’t want just anyone to be able to have access to such potentially sensitive information, so securing their space is important. How reliable is your power and internet? Is your building always accessible 24/7/365? Security Operation Centers need to address all of these needs, and if your team doesn’t have the right conditions, that’s one more reason they might jump ship and leave you for another SOC position.
Let’s suppose you have the perfect team, and none of the concerns above apply. What tool will they use? Will they choose one that they are familiar with whether it is the best fit for your organization or not? Will the tool be tied to a specific manufacturer and only able to see data from the technologies that manufacturer sells? This can leave you with blind spots, gaps in your compliance requirements if you have protected data, or lock you in to replacing existing technologies just to be able to get all the necessary logs into the same tool. There are Security Information and Event Monitoring (SIEM) tools that are capable of collecting logs from a variety of technologies, so that could be your answer, if you have a big enough budget. These tools are not only costly to acquire and implement properly, they also have ongoing expenses to maintain the licensing and expand it to cover new technologies as your network changes over time. Any tool that has a usage-based fee model can blow the budget out of the water if the actual usage varies from what was predicted during the sales cycle.
There is another way, a way that gives you the power of a fully-trained and experienced cybersecurity team, compliance resources and a tool that can collect the logs from the technologies that are best suited to your particular organization regardless of who manufactured them. We call it ProVision, but our clients have called it their “special sauce”, “flexible and easy to adapt” and able to provide scalable threat intelligence with visibility.