COVID-19 has already had a huge global impact on the way we work, educate and interact. Not just temporarily, but for the medium and possibly long term. This has huge implications for how we keep our corporations and institutions operating securely.

Many of us have embraced working or learning from the comfort of our homes for the foreseeable future. As an IT security lead however, you’re now suddenly faced with a myriad of challenges to ensure the continuity and safety of your network and assets.

Your traditional network perimeter is no more. You have endpoints here, there and everywhere, and with that comes increased risk. People from your organisation still need to access the same sensitive data, make and communicate the same important business decisions, and interact online with the same fearless abandon.

Yet, in a recent study, OpenVPN reported that 90 percent of IT professionals thought remote workers were not secure. At the same time, over 70 percent thought remote staff posed a greater risk than onsite employees.

Hackers also likely view the increased numbers of people working from home as a prime opportunity to compromise organisations and their network. As employees (and their devices) head into the wild, there are likely to be a catalogue of worries racing in your mind as you battle to keep people secure:

When you’re monitoring the vast majority of your working population on premises, understanding what’s ‘normal’ is pretty straightforward. With so many people now working off site, understanding what ‘bad’ or abnormal activity is a considerable challenge. This could lead to lapses in effective monitoring, or the flipside, overzealousness restricting the ability of people to perform their jobs properly.

While you’ve factored in for a percentage of your working population to be set up for remote working, you’re now faced with most, if not all of them working offsite. You now have to consider a new approach to your technology infrastructure and security posture. Items such as ensuring your critical systems are up-to-date and patched, endpoint detection, intrusion detection systems, web content filters, VPN clients, and MFA/2FA token generators all need due thought and planning.

While previously, people would be using corporate assets to go about their work; more and more, a raft of different devices now access your network from offsite. Additionally, because they’re ‘unknown’ endpoints, you’re not always aware of who’s using these either. You need visibility of all endpoints, and the ability to link users to those unknown endpoints which are not organisational assets.

Many SIEM technologies require a remote device to be either on the network or connected via VPN to upload their logs to a SIEM. With the huge increase in remote workers overwhelming the provisioned capacity for VPN connections, some organisations are asking their employees to only use Software as a Service (SaaS), such as Office365, Workday, Salesforce and so on, rather than connecting to the organisational network via VPN. In those cases, the security team will have no telemetry from those remote devices at the exact time that it is most important to receive it.

With numerous things to put in place, a new approach is required to drive the organisation's security posture and keep critical systems safe, and the SIEM industry has to evolve to support that new approach.

While for a number of years the IT discussion has centred on innovation and transformation, the COVID19 pandemic is likely to see cost-control and business continuity dominate the IT agenda. The next six months is about maintaining what you’ve got and keeping your head above water. Once again, the operational components of IT come to the fore to maintain the survival of core businesses.

As far as security is concerned, simply deploying preventative controls to avoid attacks is not enough. A broader approach is required, one that allows for user and attacker activity to be observed across the entire environment in aggregate in order to assist in identifying and responding to signs of attack or compromise in real time. Enter SIEM.

SIEM aggregates and analyses activity from many different resources across your entire IT infrastructure. It collects security data from your network devices, servers and domain controllers, then stores, normalises, aggregates, and applies analytics to that data. The outcomes of that process are the discovery of trends, threat detection, and the ability to investigate any alerts.

The trouble is, SIEM is expensive and on-premises SIEM breaks down when remote devices can’t connect to the network to upload their logs. Only those who can truly afford it, and have provisioned VPN capacity in advance, can sample the luxury of a full SIEM solution. Yet, its high cost is also part of its downfall. Only just over 20% of those who use a SIEM solution say they derive value from it. While there’s the promise of visibility across your entire network, that visibility comes at premium. It also varies based on the number of security events your organisation would send to the platform. In short, the more events you have, the greater the cost. Once again, only truly cash-rich organisations can afford to write a blank cheque each month for what can be a highly variable cost.

In a time where security threats are likely to increase and continuity is vital, SIEM is only a realistic option for those who can genuinely afford to buy the product, and then employ the staff needed to deploy/maintain it, as well as the Analysts required to monitor and respond to the alerts. This means some go without. Or, of those with a SIEM service but find it impossible to manage a variable cost, they simply cut corners and blind themselves to security events in order to save money. As such, there’s a tendency to resent SIEM providers, as the value they provide goes down over time. Hence why we see such low satisfaction rates.

Additionally, the traditional model of deploying SIEM on premises has run its course, as with so many end-points remaining outside organisational premises and not connecting via VPN it is impossible to get real-time, or even delayed, telemetry to assist in identifying and investigating security incidents.

Business continuity and the survival of the economy is vital during these times. Surely our most advanced security solutions should be readily available to all, with the flexibility to match? Now is the time to provide a fixed cost alternative to the traditional SIEM providers that is readily adaptable to changes in the number and location of employees.

Finally, with the rapid change to remote working driving those organisations without SIEM to adopt the technology, SIEM solutions are notoriously slow to deploy, with deployment projects taking up to six months to conclude.

All organisations should be able to quickly and effectively deploy a SIEM solution, with access to a range of platform-led services and controls; giving the visibility they require, but charged at an affordable, fixed cost and with the ability to support devices that don’t ever, or at best infrequently, connect to the network.

Business continuity is the single most important item on the table currently and you need certainty. What you don’t need is the distraction of deciding whether you can afford, and can readily deploy and operate technology to deliver, a level of security protection versus trying to maintain a properly functioning business.

The SIEM industry needs to deliver the visibility it promises, but at a predictable cost that is accessible to all and with the flexibility required by today’s challenges. Let’s take the SIEM tax off the table.

COVID-19 has changed how we work securely

Massive increase in remote working requires technology and market changes

Neil Campbell, VP Asia Pacific and Japan, Rapid7

Quick Cookie Notification