Are You Just Monitoring the Front Door While Your House Gets Raided?

The world of cybersecurity has seen some fundamental shifts in the past few years that have left most companies unprepared for today’s threats. For example, the increased use of malware has dramatically reduced the basic value of traditional security solutions such as firewalls, IDS/IPS, and anti-virus software. Solutions that once adequately prevented attacks are now very limited in their risk-mitigation value. Most organizations have not updated their cybersecurity technology and solutions to stop today’s threats. It’s like monitoring your front door for a break-in while someone crawls in through the back window.

Real risk mitigation comes with a holistic and cost-effective approach to monitoring all the possible security events from each and every device.

Even companies that have taken cybersecurity seriously have not always been led the right way by cybersecurity companies. Five, ten, and even fifteen years ago, a serious threat-protection package for an organization might have entailed 24x7x365 monitoring: paying smart cybersecurity professionals to watch alerts and events as they happen in real time so that they could respond at a moment’s notice to malicious events. But the legacy technologies used to monitor devices relied mostly on human review, not machine intelligence. A common metric for traditional MSSPs is a single security engineer for every 30 devices under management. In the U.S., the average cybersecurity professional makes $116,000/year. That puts the cost of monitoring a single device at $322/month, forcing traditional MSSPs to charge between $500 and $1500/device/month. Of course, at those rates, most companies can only afford to have 1 or 2 devices monitored: the firewall and IDS/IPS. When asked why more devices didn’t need to be monitored, the MSSPs would point to a home security system that only has motion detectors near the front door and at “choke points” within the home, eliminating the need to monitor every room, door, and window: “As long as you are monitoring the choke points, you are safe,” they would say. So the argument went: monitoring just a couple of devices is expensive, but as long as those devices sit at the choke points of the network, you are safe. This was adequate 5+ years ago, but it is not enough for today.

Imagine being sold the idea that choke points are enough and then having your child kidnapped through their bedroom window. No choke-point security system could detect that, allowing the worst-case scenario to happen without your security system even tripping. Home security systems relied upon a few choke points in the home because it was very expensive to run wires to every area of the home (particularly after it was already built). When seeking out a home security system nowadays, wireless technology has made it possible to place multiple sensors throughout the house without any wires. This makes securing the entire home against multiple threats much more cost-effective and efficient than traditional, wired systems. And today, if you talk to home security specialists, they will tell you about all the advantages of a system that can monitor every window, every door, and every room for multiple threats like motion, water, carbon monoxide, and fire, all because the technology finally allows them to do this cost effectively.


The same evolution has happened in cybersecurity. Cost-prohibitive cybersecurity professionals at a 30-to-1 device ratio were always going to force organizations to rely on choke points. Thankfully, technology has evolved as well. Automated correlation and analytics from a properly deployed, configured, and tuned Security Information and Event Management (SIEM) platform can increase the number of devices per cybersecurity professional exponentially. With the old technology, there was very little normalization, correlation, or threat-feed integration to accurately detect malicious behavior; cybersecurity professionals had to trawl through event after event and alert after alert, looking for a needle in a haystack. Today, SIEM technology can quickly and efficiently find those needles with far less human interaction. This dramatically reduces the number of cybersecurity professionals needed for a traditional Security Operations Center (SOC), which means a lower cost per device for organizations. With a lower cost to monitor each device, we can now monitor more devices. Rather than just monitoring choke points, we can monitor all the windows, doors, and rooms, which is what was really needed all along.


When all the critical devices are being monitored and correlated, you can stitch together bits of information across different systems and areas of the network to give you a far more accurate picture of what is happening. In other words, the more devices that you monitor, the more accurate the monitoring becomes and, therefore, the better economies of scale can be achieved.

So, what should an organization monitor? Certainly it is a good idea to monitor the firewall and IDS, but we need to go beyond that and focus on today’s threats. Routers, servers (especially Active Directory servers), and wireless access points should all be monitored. With current SIEM technology you can monitor all of these systems for about the same price you used to pay to monitor just the firewall and IDS/IPS.
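As an added illustration of the correlation described above (not code from the original post or from any particular SIEM product): three constructed log sources, one normalizer that maps them onto a common schema, and one rule that can only fire when the Active Directory server and the wireless access point are monitored alongside the firewall. Source names, field layouts, hosts and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events (not real logs); each source has its own format.
FIREWALL = [  # the choke point: it only sees one permitted outbound connection
    "2024-01-10T09:03:10 ALLOW src=10.0.5.23 dst=203.0.113.9 port=443",
]
AD_DC = [  # domain controller logon auditing
    "2024-01-10T09:00:01 user=jsmith host=10.0.5.23 result=FAIL",
    "2024-01-10T09:00:02 user=jsmith host=10.0.5.23 result=FAIL",
    "2024-01-10T09:00:03 user=jsmith host=10.0.5.23 result=FAIL",
    "2024-01-10T09:00:09 user=jsmith host=10.0.5.23 result=SUCCESS",
]
WIFI_AP = [  # wireless access point: a client it has never seen before
    "2024-01-10T08:58:40 ASSOC client=10.0.5.23 ssid=corp known=no",
]

def normalize(source, line):
    """Map a vendor-specific line onto one common schema: time, source, host, kind."""
    ts, rest = line.split(" ", 1)
    fields = dict(f.split("=", 1) for f in rest.split() if "=" in f)
    host = fields.get("src") or fields.get("host") or fields.get("client")
    if source == "ad":
        kind = "logon_fail" if fields["result"] == "FAIL" else "logon_ok"
    elif source == "wifi":
        kind = "wifi_join_unknown" if fields.get("known") == "no" else "wifi_join"
    else:  # firewall: the ALLOW / DENY verb becomes fw_allow / fw_deny
        kind = "fw_" + rest.split()[0].lower()
    return {"time": datetime.fromisoformat(ts), "source": source, "host": host, "kind": kind}

def correlate(sources, window=timedelta(minutes=10), fail_threshold=3):
    """Rule: unknown wireless client, then >= fail_threshold failed logons followed by
    a success, all from one host inside `window`. No single source can fire it alone."""
    events = [normalize(src, line) for src, lines in sources.items() for line in lines]
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        kinds = [e["kind"] for e in evs]
        fails = kinds.count("logon_fail")
        ok_after_fail = fails > 0 and "logon_ok" in kinds and kinds.index("logon_ok") > kinds.index("logon_fail")
        in_window = evs[-1]["time"] - evs[0]["time"] <= window
        if in_window and fails >= fail_threshold and ok_after_fail and "wifi_join_unknown" in kinds:
            alerts.append({"host": host, "sources": sorted({e["source"] for e in evs})})
    return alerts

def choke_point_only():  # firewall and nothing else: the "front door" view
    return correlate({"fw": FIREWALL})
def holistic():  # firewall + domain controller + wireless AP: every door and window
    return correlate({"fw": FIREWALL, "ad": AD_DC, "wifi": WIFI_AP})
```

The firewall-only view returns no alert because the one event it sees is a permitted connection; the same rule over all three sources returns one alert for the host, naming every source that contributed.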

Unfortunately, most legacy MSSPs have not been able to break the pattern of charging clients $500 to $1500/device/month and cannot change their cost models without dramatically hurting their revenue. Therefore, they continue to tout their prices as fair and competitive. Yet that position is quickly crumbling as more and more professionals and organizations realize that a holistic approach to monitoring is required for true risk mitigation and, therefore, that lower per-device prices are the only way to achieve it.

Only monitoring choke points and limited devices or smaller areas of a network is simply not enough to protect your organization from today’s threats. Monitoring is more important than ever, but real risk mitigation comes with a holistic and cost-effective approach to monitoring all the possible security events from every possible device. Stop only monitoring your front door for a break-in and assuming that your business is safe… your back window is wide open.
