Focus on the Basics

I was meeting with a company the other day, and security was naturally brought up. They felt that they had a good handle on security and their overall network — they perform security awareness training, they have a SIEM solution, they have AD monitoring and firewall monitoring, and a plethora of other items that would keep their business safe. Digging in deeper, I started asking what types of incidents they got notified for, and how they got notified. That was when I realized that they were trying to do everything correctly, but they didn’t actually have the manpower to do everything they wanted.

I tend to see two types of companies in terms of security preparedness. They either have very little security readiness and believe a hacker would not go after a company their size, or they have a lot but don’t have the manpower to actually sift through the data. In both cases, you are going to have issues.

The good news is that a company with a lot of infrastructure can step back, focus on a few things and get really good at them. They are able to ignore some items and really focus on what they want to get alerts on. Starting small, with security awareness training for example, can pay big dividends; work with your end users and train them. Then, focus on the SIEM. Make sure it is getting the logs from your devices, and then reduce the alerting to only the critical items that you are worried about: account lockouts, and IPS/IDS alerts over a specific threshold. As you tune your SIEM, you will understand it better and be able to utilize it more efficiently. Many companies have an outsourced SIEM solution, so the provider will do all the tuning for you, thus freeing you up to be more proactive.
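As an added illustration of what "reduce the alerting to only the critical items" looks like in practice (example code, not from the original post or any particular SIEM), the triage below takes a constructed batch of normalized events and escalates only Windows account lockouts (event ID 4740) and IDS signatures that fire from one source more often than a threshold; the event schema, the sample events and the threshold of 3 are assumptions.

```python
from collections import Counter

LOCKOUT_EVENT_ID = 4740     # Windows Security log: "A user account was locked out"
IDS_ALERT_THRESHOLD = 3     # assumption: escalate a signature/source pair at 3 or more hits

# Constructed sample events in a simplified normalized schema (not real log data).
SAMPLE_EVENTS = [
    {"source": "ad", "event_id": 4624, "user": "alice"},                     # normal logon: noise
    {"source": "ad", "event_id": 4740, "user": "bob"},                       # lockout: critical
    {"source": "ids", "signature": "ET SCAN Nmap Scripting", "src_ip": "10.0.0.5"},
    {"source": "ids", "signature": "ET SCAN Nmap Scripting", "src_ip": "10.0.0.5"},
    {"source": "ids", "signature": "ET POLICY Suspicious UA", "src_ip": "10.0.0.9"},  # one-off: noise
    {"source": "ids", "signature": "ET SCAN Nmap Scripting", "src_ip": "10.0.0.5"},
]


def triage(events, ids_threshold=IDS_ALERT_THRESHOLD):
    """Return (alerts, suppressed) for a batch of events.

    alerts: human-readable strings for the few things an analyst should look at.
    suppressed: number of raw events that did not contribute to any alert,
    which is the volume the tuning removed from the analyst's queue.
    """
    alerts = []
    ids_counts = Counter()
    escalated = 0

    for event in events:
        if event["source"] == "ad" and event["event_id"] == LOCKOUT_EVENT_ID:
            # Every lockout is worth a look: it is rare and often the first sign of
            # password spraying or a misconfigured service account.
            alerts.append(f"account lockout: {event['user']}")
            escalated += 1
        elif event["source"] == "ids":
            # IDS signatures are noisy; count per signature/source and decide below.
            ids_counts[(event["signature"], event["src_ip"])] += 1

    for (signature, src_ip), hits in ids_counts.items():
        if hits >= ids_threshold:
            alerts.append(f"ids threshold: {signature} from {src_ip} x{hits}")
            escalated += hits

    return alerts, len(events) - escalated


if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EVENTS)
    print("\n".join(alerts))
    print(f"suppressed {suppressed} of {len(SAMPLE_EVENTS)} raw events")
```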

