Four Levels of IT Security Maturity
As an IT security provider, we have the opportunity to work with all kinds of companies—from small start-ups to global enterprises, and from financial institutions to hospitals to companies in many other industries. In the course of these conversations, we notice a wide variation in security maturity even across companies of the same size in the same market.
The security maturity of companies tends to fall into these four levels, with varying degrees of paranoia:
Level 1: The Bare Minimum: Relying on off-the-shelf security products, these companies deploy the basics, such as a firewall at the network perimeter, AV software on employee devices, and SSL encryption for network communications. These companies do not use Security Incident and Event Monitoring (SIEM) for collecting and analyzing security event data. No IT manager or security analyst is hunting for threats. These companies assume their basic security investments will protect them from attacks.
Level 2: SIEM Monitoring without Threat Hunting: In addition to deploying the basics, these companies invest in a SIEM solution to collect data about security events, but they have no dedicated security personnel for configuring alerts, monitoring SIEM activity, and investigating alerts or suspicious incidents when they occur. No one is proactively hunting for threats. Security activity is purely reactive.
Level 3: SIEM Monitoring with Security Analysts: These companies are taking better advantage of their SIEM investment. In addition to deploying all the products deployed by level 2 companies, these companies collect data, get alerts, correlate data to investigate suspicious activity, and do a limited amount of proactive hunting for threats.
Level 4: SIEM Monitoring and Threat Hunting with Security Analysts: These companies invest the most in IT security. They not only have well established SOCs, and well defined alert triage playbooks, in addition, they also have a formal threat-hunting team whose job is to proactively search for threats and mitigate them.
Security Readiness and Security Confidence: An Inverse Relationship
If you were asked which level of company was most confident about its security readiness, what would you say?
Theoretically, companies operating at level 4 should have the most confidence, since they made the largest investment in security products and personnel.
Shockingly, the answer is companies operating at level 1. Companies making only minimal investments in IT security are the most confident about their invulnerability to attacks.
Why this misplaced confidence? Because these companies are not actively monitoring their networks and devices and never receive alerts about security incidents, they assume no security incidents are taking place.
Unfortunately, they couldn’t be more mistaken. It’s only when companies begin to actively monitor and hunt in their environment that they realize how many threats are active—threats that were missed by point solutions.
Conversely, companies operating at levels 3 and 4 of security maturity understand just how frequent and stealthy security attacks really are. Faced with ample evidence of threats in the form of SIEM alerts and suspicious network activity, these companies know they need to be vigilant 24/7. Rather than assume that they are safe, they are more likely to assume that they have already been breached, and thus only through diligence and active threat-hunting will they be able to detect and contain attacks.
Obstacles to Security Readiness
If companies at levels 3 and 4 invested in security defenses and adopted a vigilant mindset, what’s stopping companies at level 1 from doing the same?
We find level 1 companies often cite three reasons for scrimping on security:
- Budget: Collecting and storing security data costs money and IT budgets are tight. These companies simply cannot afford to make a larger investment in IT security.
- Resources and Expertise: Even if a company could afford to invest in SIEM and collect detailed security data, they would not know what to do with it. The company lacks the staff and requisite expertise to spend hours every day analyzing security alerts.
- False Sense of Security: Absence of evidence is evidence of absence. Since they do not have sufficient monitoring in place, they are lulled into a false sense of security.
Often, but not always, companies falling into the level 1 bucket are mid-sized organizations. Not surprisingly (although it is often a big surprise to many of these businesses), small and mid-sized companies are the targets of 62% of all cyber attacks, according to IBM. And when these companies suffer a major attack, only 60% of them will survive past six months. Even for small companies, the costs of cleaning up after an attack can reach upwards of $700,000.
IT security solutions might seem expensive, but their costs pale compared to those of cleaning up security attacks, paying exorbitant funds to restore data encrypted by ransomware, or repairing a reputation damaged by a breach of confidential customer data.
Level 1 companies are certainly being attacked and breached. They simply don’t realize it.
They need to take action now before the cost of attacks spirals out of control and jeopardizes the existence of their organizations.
Leveling Up to Improve Security
What should these companies do to improve their security readiness?
Build a Business Case: Build a business case to persuade management or the board of directors to invest more in security. If you’re looking for hard numbers about the real costs of data breaches, take advantage of the annual security survey work done by the Ponemon Institute and the Verizon Enterprise Security team.
Leverage the Cloud: Look for newer, more affordable solutions for log collection and aggregation, such as those based in the cloud. Just as it reduced the cost of raw compute power and data storage, so is the cloud making the cost of deploying real-time security analysis and threat detection a lot more affordable.
Automate Wherever Possible: Consider implementing a security automation solution to continuously monitor and detect threats. This avoids having to hire an army of security analysts, keeps costs low, and improves security dramatically.
When it comes to information security in the digital age, only the paranoid survive. If a company is too confident about the state of its security posture, chances are good that the company was already breached.
Cloud technology and security automation can help significantly reduce costs of deploying robust security defenses. All companies should take advantage of cloud-based security automation. No matter how big or small a company is, or what industry it’s part of, one thing is certain: attackers are active and every company needs to be prepared.
Kumar Saurabh, CEO and Co-founder, LogicHub
Image Credit: Wright Studio / Shutterstock