Understanding where to make security operations investments in this financially uncertain time will be critical as you seek to provide resilience in 2023 and beyond.
Most organizations begin this process with a security assessment to uncover gaps in their existing controls. This is typically done through automated testing, a hands-on security assessment or a red team exercise.
Once deficits are identified, organizations begin their search for tools to provide coverage or compensating controls. Sometimes, tools are added or replaced in a tech stack to—hopefully—improve operations or to avoid the need to hire additional staff. Regardless of the desired outcome, these are three key questions to ask:
1) Does the proposed technology fill a gap, or does it replicate controls you already have that are not effective?
If the answer is the latter, you should attempt to discover why the existing controls aren’t working as they should. Is improper or incomplete implementation to blame? It is common for organizations to bring in new technology but not allocate the time to properly configure all of the features that come with the controls. An assessment of how the tool is being used may reveal an opportunity to optimize capabilities that have already been purchased.
Optimizing existing controls can also save you the cost of change. These costs can include implementation, training and—possibly—strain on the engineering teams and operations staff who must update processes and procedures. If a change or addition to the tech stack is warranted, trial periods are useful to help you determine whether the tool addresses the gap without introducing more problems than it solves.
There may also be times when ripping and replacing a tool is not realistic. For example, many organizations don’t believe they are extracting full value from their SIEM deployments. Legacy implementations have difficulty ingesting the data needed for effective threat detection and investigation due to cost and scale limitations. They also lack effective response capabilities to alerts they generate.
SIEM replacement, however, can often be a prohibitive undertaking—and all organizations are at different stages of their security operations journey. One option is to "augment" your stack with a cloud-native SIEM, which can help you deliver better security outcomes quickly and affordably.
2) Who is going to consume the outputs, and how will they use them to improve security effectiveness?
Security technologies are often touted as able to increase visibility and help teams prioritize their efforts. However, if there is no plan for who is going to consume the alerts or the prioritized lists of threats to be mitigated, then the tool cannot deliver the intended outcome. In short, the value of automation will be diminished if your organization lacks the resources to implement and operationalize it.
If the technology sends alerts to the security operations team, do they know what to do with them? Have they received the proper training to handle the alerts? Do analysts have cycles available to investigate the alerts, or will they create overwhelming noise in the SOC, which can lead to alerts being ignored and—worse—burnout among staff?
Technology like security orchestration, automation and response (SOAR) can complement your detection technology to help group related alerts, automate workflows and allow you to conduct context-rich, collaborative investigations.
In the case of tools and services creating prioritized lists of threats and vulnerabilities to be addressed, it is important to coordinate with IT or support teams and make sure they are prepared to act on the items in the lists. Sometimes these items are funneled into ticketing systems, so processes and procedures must be created for how the receiving teams should handle the information. Creating and updating these processes and procedures is another hidden cost that is often overlooked.
3) How will the impact of the new capabilities be measured?
Organizations often invest in new capabilities, implement them and claim success. But how can you be so sure?
The ability to measure the impact of the technology must be established with a plan for how often measurements should occur and who will monitor the metrics. Additionally, expected actions driven by the metrics should be pre-defined. If the tool provides a score of some type, what actions will be taken based on that information? If the tool only provides volume-based statistics (number of alerts, number of vulnerabilities identified, etc.), will those numbers drive any change or improvements in the business?
Another consideration is how these measurements will be gathered. If the impact requires manual assessment or additional work to roll up the information so it is useful to the business, those efforts should be included in the total cost of ownership. If there is no way to measure the effectiveness of the technology and the business impact in terms of operations optimization or risk mitigation, it may not be a wise investment.
After answering these questions, you may opt not to purchase a new technology but instead allocate the budget to managed service providers, so a third party can deliver your desired capabilities or help optimize your existing controls. Alternatively, your business may be best served by investing in your people, including improving processes and procedures or providing training to fill the capability gaps.
If the security organization cannot currently justify the cost of the technology for the value provided to the business or is not ready to consume outputs from the technology, that is OK. The technology may still be useful to the business. It may just need to be moved down in the list of security capability acquisition priorities.
For more information on how Chronicle can help to transform your security operations, visit chronicle.security.
Dan Kaplan, Content Marketing, Google Cloud Security, contributed to this post.