As we near the end of the year, it comes time to talk about why planning out Security is important. So we will use some terms to explain the various ways failure can be planned for.
Business Continuity Planning (BCP) vs Disaster Recover Planning (DRP)
BCP is integral to any security policy. You need to have a plan in place on how to maintain your core business and quickly eradicate and remediate smaller problems, before they grow into larger ones. A failure of BCP is when a small malware event gets past your security software, infects a system, and nothing is done to prevent that outbreak from spreading and creating a full blown outage. There is no such thing as a "minor" security event these days, there are security events that tell us something, and security events that tell us nothing. Both are important to review, but one is an indicator of a problem, whereas the other is an indicator of normal activity.
Telling the difference between these kinds of events is full time job on its own for businesses of all sizes. Security engineers are needed to review security events and verify whether or not they are indicating potential risks to the business, or if they are normal business activity.
It is impossible to ignore all valid traffic so you ONLY alert on bad traffic. Most of what causes an outage or malware infection that spreads across a network looks anomalous. Effective malware authors seek to make their code look like normal windows activity, and take advantage of exclusions that many security vendors have in order to allow the operating system to function. It is the timing / related aspects of some anomalous events that turns or triggers an indicator of potential compromise - which should spring into a lockdown of an impacted system and a security incident to be investigated.
But, many organizations don't have the resources to track all of those events, so they outsource the resources to an XDR, SIEM, or SIEM as a Service solution. London Security offers this solution ourselves, so I am not criticizing the business model - but I am indicating that not all of those services are equivalent. Many MDR / XDR solutions do not actually take actions in the case of very anomalous windows events even when they occur in the middle of the night and show an origin from Russia or Europe. Instead, they take the safe approach and flag the event and add it to a queue to be handled during normal hours, or even worse, don't see the event at all because they've excluded Windows processes.
This growing trend of trying to "cut the noise" and "only show the important security threats" has lead to numerous failures of Security organizations. And this has been known by Security professionals for over a decade. Having technologies or solutions such as a SIEM to track security events, but doing nothing about them, is a recipe for disaster - but is still a common business practice in the industry. Spending money to "feel" secure but not gaining actual security from it is a ban strategy, and one that leads to disaster.
DRP is the other side of the coin. At some point, your organization will be hit with a massive malware or hacking attempt and you need to have a quick response. Not all attacks are equal, and some can be caught pre-exfiltration of valuable IP or privileged information. There is a vast difference between having a malware outbreak and having your entire organization's customer base and all of your valuable IP appear on the dark web. Having plans in place to lockdown networks, to set up a remediation strategy that is quick and hardened against most attacks (which are going after back-ups and other ways to prevent quick restoration and low downtime), and most importantly is layered. Do not plan on one solution to handle the entire load, that is a recipe for failure as well. Attackers can learn the ins and outs of security technology and often do. For more sophisticated attacks, expect that they may be familiar with your organization's security technologies and what the normal endpoint security is. If a system is infected, they can look at what is deployed on a system in order to create a larger strategy to take advantage of your weaknesses. And they will.
But how is London Security any different?
When London Security was founded over a decade ago, we were founded knowing most customers, even ones with the most sophisticated security software available, might need helping setting up and configuring that into a larger successful security architecture. We have been one of the most long-term Managed Services Provider who specified in one thing: Security. We would let you own all the technologies, and work as an extension of your IT team and provide the day to day actions to prevent large-scale security failures from happening, and aid in remediate when smaller infections occur, because that is how you run a successful Security Team.
We also offer a 24/7/365 Managed Detection & Response business, where we can be an extension of your security team for the off hours and notice risks and lockdown systems before they spread an infection across your entire network. We have knowledge, expertise, and experience handling these problems and providing strategies for success for your business.
In Security, it comes down to one thing: Are you going to spend money to get a security solution that will allow your business to survive? Or will you spend money on a security solution that covers every checkbox but fails in the time of a crisis?
Reach out today and find out how London Security Solutions can assist your business, and what we have been doing to protect our customers.