By: Jeff Starke - MegaplanIT Principal Security Engineer
Let's be honest, 2020 was a pretty rough year. Beyond all of the violence, political unrest, and the COVID-19 pandemic, 2020 also saw over 80 high-profile data breaches across all industry verticals. It should be clear now that we need to focus on building resilient systems while prioritizing our cybersecurity operations. But what exactly does that mean, and what should we focus on as we begin to plan for 2021?
Managed Endpoint Protection
Gone are the days of being able to install legacy AV, downloading a list of virus signatures, and having some level of confidence that your workstations and servers are protected from file-based attacks. As attacks become more complex and memory-based, it's vital to ensure that you have next-generation EDR solutions deployed to combat these new types of exploitation. Next-generation EDR is a lot more advanced and isn't as simple as entering a product key and setting up a scan schedule. You need to be adeptly familiar with detection policies, building whitelists and exceptions, and deploying and troubleshooting agents.
Many organizations make the mistake of purchasing these tools and putting the responsibility on their existing IT teams under the assumption that EDR is just as easily managed as legacy antivirus. The reality is that this leads to overstretched IT teams and underutilized EDR solutions. The ideal solution for providing the highest ROI and least hindrance on your IT staff is outsourcing your management to a managed security service.
In the past several years, almost all EDR security solution providers have decided to offer their own managed services to support their platforms. While this was a logical step on their part, there is some common criticism of these offerings. The most common concern is this: if the solution is already detecting and blocking malicious activity, what help is a managed service that only reviews those detections? Most vendors' managed services include some policy review on an intermittent basis. However, they typically don't offer assistance with group and policy management and aren't available to assist you with planning or deployment activities. These vendor-managed services are also specific to their own product, and they don't touch other solutions under management. This is where MegaplanIT's Managed Security Services come in to help your organization.
MegaplanIT's Managed Security Service team can help you with EDR deployment, group and policy planning and configuration, and ongoing solution tuning and configuration validation. Additionally, our singular Managed Security Service is also capable of taking over managing other tools in your security stack and incorporating all of your security events into a single platform. This will allow MegaplanIT to have a unified view of all security-related activity across your enterprise no matter what tool detects it.
Managed SIEM Platform
The 2019 Verizon Data Breach Report, contributed to by MegaplanIT, highlighted which PCI DSS requirements were not sufficiently in place at the time a breach occurred. Of all data breaches in 2019, over 74% of the impacted organizations did not have a sufficient means for providing log aggregation, auditing, and review. Traditionally, the best way to implement log aggregation is by deploying a security information and event management (SIEM) solution, as it will handle all log aggregation in addition to event correlation, alert notifications, and sometimes even case management. Most SIEM solutions come paired with their proprietary collection agents for gathering event logs from host systems, along with the capability to receive Syslog from network devices. Overseeing and validating the deployment of collection agents and Syslog sources can quickly become a daunting task, especially as the size and complexity of your infrastructure scales. These same SIEM solutions must also be kept up to date and actively managed and reviewed to ensure they provide the logging necessary for ongoing security operations.
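To make the aggregation-and-correlation idea concrete, here is an added example (not code from MegaplanIT or from any SIEM product) that does in miniature what a SIEM does with host logs: it parses Syslog-style lines from several hosts into normalized events and runs one correlation rule over them. The log lines are constructed for the example, the missing Syslog year is assumed to be 2021, and the threshold of four failures in sixty seconds is an arbitrary choice you would tune to your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from any real system): Syslog from two Linux
# hosts and a firewall, as a SIEM collector would receive them over the wire.
SAMPLE_LOGS = [
    "Jan 14 10:01:02 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Jan 14 10:01:04 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2",
    "Jan 14 10:01:05 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51024 ssh2",
    "Jan 14 10:01:07 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51025 ssh2",
    "Jan 14 10:01:09 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51026 ssh2",
    "Jan 14 10:01:15 web01 sshd[2211]: Accepted password for root from 203.0.113.7 port 51027 ssh2",
    "Jan 14 10:02:00 db01 sshd[900]: Failed password for dba from 10.0.0.5 port 40000 ssh2",
    "Jan 14 10:30:00 db01 sshd[901]: Accepted publickey for dba from 10.0.0.5 port 40001 ssh2",
    "Jan 14 10:03:10 fw01 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.0.0.10 PROTO=TCP DPT=445",
]

# BSD-style Syslog header: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# OpenSSH authentication outcome lines
SSH_RE = re.compile(
    r"^(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_syslog(line, year=2021):
    """Normalize one raw Syslog line into an event dict (None if unparseable).
    Syslog headers carry no year, so the caller supplies one (assumed 2021 here)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    event = {"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]}
    if m["prog"] == "sshd":
        s = SSH_RE.match(m["msg"])
        if s:  # enrich with the fields the correlation rule needs
            event.update(result=s["result"], user=s["user"], src=s["src"])
    return event


def events_per_host(events):
    """Aggregation view: how many events each host contributed."""
    counts = defaultdict(int)
    for e in events:
        counts[e["host"]] += 1
    return dict(counts)


def correlate(events, threshold=4, window_seconds=60):
    """Correlation rule: `threshold` or more SSH failures from one source to one
    host inside a sliding window raise a medium alert; a successful login from
    that source while the window is still hot raises a high alert."""
    alerts = []
    ssh = sorted((e for e in events if e.get("result")), key=lambda e: e["ts"])
    failures = defaultdict(list)   # (host, src) -> timestamps of recent failures
    fired = set()                  # pairs that already raised the attempt alert
    for e in ssh:
        key = (e["host"], e["src"])
        # drop failures that have aged out of the window
        failures[key] = [t for t in failures[key]
                         if (e["ts"] - t).total_seconds() <= window_seconds]
        if e["result"] == "Failed":
            failures[key].append(e["ts"])
            if len(failures[key]) >= threshold and key not in fired:
                alerts.append({"rule": "ssh_bruteforce_attempt", "severity": "medium",
                               "host": e["host"], "src": e["src"],
                               "count": len(failures[key]), "ts": e["ts"]})
                fired.add(key)
        elif len(failures[key]) >= threshold:
            alerts.append({"rule": "ssh_bruteforce_success", "severity": "high",
                           "host": e["host"], "src": e["src"],
                           "user": e["user"], "ts": e["ts"]})
    return alerts


def run_pipeline(lines):
    """Collect -> normalize -> aggregate -> correlate, returning (events, alerts)."""
    events = [e for e in map(parse_syslog, lines) if e]
    return events, correlate(events)


if __name__ == "__main__":
    events, alerts = run_pipeline(SAMPLE_LOGS)
    print(events_per_host(events))
    for a in alerts:
        print(a["severity"].upper(), a["rule"], a["host"], "from", a["src"])
```

The single database failure on db01 never reaches the threshold, so only the web01 sequence fires: one medium alert at the fourth failure and one high alert when the same source then authenticates. The firewall line is parsed and counted but carries no SSH fields, which is the normal case for most of what a SIEM ingests; the value of aggregation is that the rule can be widened later (for example, joining the firewall's DROP events to the same source) without changing how logs are collected.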
MegaplanIT's Managed Security Service team can help manage the deployment and, with frequent update meetings, maintain full deployment while new hosts are introduced or decommissioned within your infrastructure over time. MegaplanIT can help validate that you're collecting the logs you need to meet your compliance objectives while also focusing on the events that will contribute the most to making better security detections in your environment.
Managed Network Detection
Network-level visibility is a vital supplement to the host-level visibility you receive from a SIEM solution. While often overlooked because it is not a compliance requirement, network intrusion detection systems are a valuable asset to have deployed. These solutions can help you identify malicious traffic on your internal networks. By having visibility over internal traffic, you can identify things like port enumeration, exploitation attempts, lateral movement, data exfiltration, and unencrypted applications. Unfortunately, network intrusion detection isn't a plug-and-play solution. You're required to have network hardware that will support spanning network traffic for network analysis and the physical resources to deploy an on-premise sensor. Once you have it deployed, you also need to be familiar with analyzing network traffic or have a method for ingesting network intrusion alerts into your security operations.
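The paragraph above lists the kinds of internal activity a network sensor can surface. As an added illustration (not code from MegaplanIT or from any intrusion detection product), the following script runs three simple detections over constructed flow records of the sort a sensor builds from a spanned port: port enumeration against one host, SMB fan-out from one workstation to many hosts (a lateral-movement indicator), and use of unencrypted application protocols. The flow records, the port-to-protocol table, and the thresholds and windows are all assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed flow records (not real traffic): (ts_seconds, src, dst, dport, proto, bytes),
# the per-connection summary a sensor produces from a SPAN/mirror port.
FLOWS = [
    (10, "10.0.0.5", "10.0.0.10", 22, "tcp", 1200),
    (12, "10.0.0.5", "10.0.0.10", 443, "tcp", 8800),
    (15, "10.0.0.8", "10.0.0.20", 23, "tcp", 5000),   # interactive telnet session
] + [
    # one host touching ten ports on a single target within ten seconds
    (100 + i, "10.0.0.77", "10.0.0.10", p, "tcp", 0)
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445])
] + [
    # one workstation opening SMB to six different internal hosts within a minute
    (200 + i, "10.0.0.23", f"10.0.0.{11 + i}", 445, "tcp", 3000)
    for i in range(6)
]

# Assumed mapping of well-known ports to cleartext application protocols.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet"}


def _distinct_in_window(seq, window, threshold):
    """seq is a time-sorted list of (ts, value). Return the first set of distinct
    values reaching `threshold` inside any `window`-second span, else None."""
    for i, (t0, _) in enumerate(seq):
        values = {v for t, v in seq[i:] if t - t0 <= window}
        if len(values) >= threshold:
            return values
    return None


def detect_port_scan(flows, threshold=8, window=10):
    """Port enumeration: one source probing many ports on one destination."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _proto, _b in sorted(flows):
        by_pair[(src, dst)].append((ts, dport))
    alerts = []
    for (src, dst), seq in by_pair.items():
        ports = _distinct_in_window(seq, window, threshold)
        if ports:
            alerts.append({"rule": "port_scan", "src": src, "dst": dst,
                           "distinct_ports": len(ports)})
    return alerts


def detect_lateral_fanout(flows, port=445, threshold=5, window=60):
    """Lateral-movement indicator: one source opening SMB to many internal hosts."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, _proto, _b in sorted(flows):
        if dport == port:
            by_src[src].append((ts, dst))
    alerts = []
    for src, seq in by_src.items():
        hosts = _distinct_in_window(seq, window, threshold)
        if hosts:
            alerts.append({"rule": "lateral_movement_fanout", "src": src,
                           "port": port, "distinct_hosts": len(hosts)})
    return alerts


def detect_cleartext(flows, min_bytes=200):
    """Unencrypted application use: real payload (not a bare probe) to a cleartext port."""
    return [{"rule": "cleartext_service", "src": src, "dst": dst,
             "service": CLEARTEXT_PORTS[dport], "bytes": nbytes}
            for _ts, src, dst, dport, _proto, nbytes in flows
            if dport in CLEARTEXT_PORTS and nbytes >= min_bytes]


def analyze(flows):
    """Run every detection and return the combined alert list."""
    return detect_port_scan(flows) + detect_lateral_fanout(flows) + detect_cleartext(flows)


if __name__ == "__main__":
    for alert in analyze(FLOWS):
        print(alert)
```

Note the `min_bytes` guard in the cleartext rule: the scanner's zero-byte probes of ports 21 and 23 are attributed to the port-scan rule rather than being double-reported as telnet or FTP use. That is the kind of tuning decision the paragraph alludes to when it says network detection is not plug-and-play; each rule's window and threshold has to reflect how your own network behaves.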
MegaplanIT's Managed Security Services
Our Managed Security Service team can provide you with a pre-built network intrusion detection sensor for simplicity of deployment. MegaplanIT can oversee the initial configuration and ongoing maintenance of your sensor while also configuring and managing its alerting. Network-level visibility provides additional indicators to help identify where to look for suspicious activity on specific endpoints and can serve as the only method for detecting covert types of system compromise.
As we look ahead to 2021, we need to be mindful of what the actual threats are. We need to have full visibility over our environments at both the host and network level, and we need to ensure we aggregate this information for further analysis. We need to make sure we have experienced analysts reviewing our aggregated security information daily, and that we're validating our data sources just as frequently. MegaplanIT can help you get a 'day 1' handle on all of this and help you navigate your security operations from a strategic and tactical perspective for years to come. We don't just look for clients. We look for partners, because our work goes hand-in-hand.
Talk with a MegaplanIT expert today.