Do you know your SOC from your SIEM and more importantly where security compliance and regulation fit in?
It is widely accepted that enterprise cyber-attacks are inevitable - it's not a question of if but when. However, in the age of GDPR all organisations need to have a defined approach for when a security breach occurs, or risk falling foul of regulation.
Large scale data breaches grab headlines and 2019 has delivered its fair share of newsworthy stories. Earlier this year
This data breach ranks as one of the biggest in history and has been a costly one. It was reported that
As the saying goes, bad news travels fast and media outlets are quick to pick up on data breach stories. What we don't hear about is when security defences have proved effective. Security information and event management solutions (SIEMs) and security operations centres (SOCs) are two developments that are helping organisations stay ahead of the threat landscape.
What is SIEM?
Security information and event management (SIEM) software gives enterprise security professionals both insight into, and a track record of, the activities within their IT environment. It collects and aggregates log data generated throughout the organisation's technology infrastructure, from host systems and applications to network and security devices such as firewalls and antivirus filters. The SIEM software then identifies, categorises and analyses incidents and events, provides reports on security-related incidents and events such as malware or other malicious activity, and sends alerts if the analysis indicates a potential security issue.
Networks are often complex, and the number of interconnected systems and processes means that SIEMs typically generate thousands of alerts daily. Many, if not most, are false positives. This is where a security operations team becomes invaluable.
Security operations centres (SOCs) monitor and analyse activity on networks, servers, endpoints, databases, applications, websites and other systems, looking for irregular activity that could indicate a security incident or compromise. The SOC is responsible for ensuring that potential security incidents are correctly identified, analysed, defended against, investigated and reported.
SIEM solutions tend to generate vast quantities of data, which must be analysed, and the alerting calibrated, to avoid IT teams being overwhelmed with tickets. The SOC team's goal is to detect, analyse and respond to cyber security incidents. First, they must separate real incidents from false positives. Once an incident is confirmed, they use a combination of technology solutions and a strong set of processes to address it.
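As an added illustration of the SIEM-to-SOC flow described above (example code written for this page, not a product of CySure or of any SIEM vendor): three constructed log sources are normalised into one event schema, and correlation rules raise alerts only on patterns, so the single failed login and the lone firewall deny never reach the SOC queue. The log formats, hostnames, addresses and thresholds are all invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real data) from three sources a SIEM aggregates: host auth, firewall, antivirus.
RAW_LOGS = [
    "2019-10-02T09:00:01 sshd[1] Failed password for admin from 10.0.0.7",
    "2019-10-02T09:00:03 sshd[1] Failed password for admin from 10.0.0.7",
    "2019-10-02T09:00:05 sshd[1] Failed password for admin from 10.0.0.7",
    "2019-10-02T09:00:09 sshd[1] Accepted password for admin from 10.0.0.7",
    "2019-10-02T09:01:00 sshd[1] Failed password for bob from 10.0.0.9",
    "2019-10-02T09:02:00 fw DENY src=198.51.100.4 dst=10.0.0.5 dport=445",
    "2019-10-02T09:03:00 av DETECTED host=ws12 threat=Trojan.Generic action=quarantined",
]
PARSERS = [  # one parser per source; each maps its own format onto a common event schema
    (re.compile(r"^(\S+) sshd\[\d+\] (Failed|Accepted) password for (\S+) from (\S+)$"),
     lambda ts, o, u, s: {"type": "auth", "outcome": o.lower(), "user": u, "src": s}),
    (re.compile(r"^(\S+) fw (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)$"),
     lambda ts, a, s, d, p: {"type": "fw", "outcome": a.lower(), "src": s, "dst": d, "port": int(p)}),
    (re.compile(r"^(\S+) av DETECTED host=(\S+) threat=(\S+) action=(\S+)$"),
     lambda ts, h, t, a: {"type": "av", "host": h, "threat": t, "outcome": a}),
]

def normalise(line):
    """Collect/aggregate step: turn a raw line into a normalised event, or None if no parser matches."""
    for pattern, build in PARSERS:
        if m := pattern.match(line):
            ev = build(*m.groups())
            ev["ts"] = datetime.fromisoformat(m.group(1))
            return ev
    return None  # a real pipeline counts these so that parser gaps stay visible

def correlate(events, fail_threshold=3, window=timedelta(minutes=5)):
    """Analyse step: alert on correlated patterns, not every event; a lone failed login or one firewall deny is noise."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> timestamps of failed logins
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "auth" and ev["outcome"] == "failed":
            failures[(ev["user"], ev["src"])].append(ev["ts"])
        elif ev["type"] == "auth" and ev["outcome"] == "accepted":
            recent = [t for t in failures[(ev["user"], ev["src"])] if ev["ts"] - t <= window]
            if len(recent) >= fail_threshold:  # success immediately after a burst of failures
                alerts.append({"severity": "high", "rule": "login-after-failures", "user": ev["user"], "src": ev["src"]})
        elif ev["type"] == "av":  # malware seen; severity depends on whether the agent contained it
            sev = "low" if ev["outcome"] == "quarantined" else "high"
            alerts.append({"severity": sev, "rule": "malware-detected", "host": ev["host"]})
    return alerts

def run(lines=RAW_LOGS):
    events = [e for e in map(normalise, lines) if e]
    return events, correlate(events)
```

Raising `fail_threshold` or shortening `window` is the "calibration" the SOC performs to trade missed detections against ticket volume.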
No room for improvisation
A response strategy is vital in the aftermath of an event. When reputation, revenue and customer trust are at stake, it's critical that an organisation can identify and respond to security incidents and events. A SOC will coordinate the primary response to any attack or loss of data. However, in the age of GDPR all organisations, regardless of size, need to have a clear strategy: the moment of an attack is not the time to improvise.
GDPR requires breaches that are likely to have an adverse effect on individuals to be reported within 72 hours. Within this 72-hour window, a long list of activities needs to be initiated, and the breach notification must include:
* A description of the nature of the personal data breach including, where possible:
  o the categories and approximate number of individuals concerned
  o the number of personal data records involved and their categories
* The name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained
* A description of the likely consequences of the personal data breach
* An outline of the measures taken, or proposed to be taken, to deal with the personal data breach including, where appropriate, the measures taken to mitigate any possible adverse effects
People and processes in alignment
A data breach is not the time to be defining an approach to a security incident or wondering about compliance and regulation. It's vital that employees know what they should do, and that everyone understands how their actions can affect the outcome.
An online information security management system (ISMS) can help organisations define their processes. CySure's Virtual Online Security Officer (VOSO) is a low-cost, simple-to-use workflow system which guides organisations through the tasks needed to achieve alignment with security policies.
VOSO initiates and guides organisations through the required policies, processes and events in an easy-to-understand, phased approach that will help mitigate regulatory fines and litigation if a company suffers a data breach. The audit trail in VOSO Plus acts as evidence that organisations have implemented the process and technical controls needed to protect the business and its data from internet-based cyber-attacks.
Organisations need to be prepared. Now is the time to define a response strategy to ensure a security incident doesn't turn into a business disaster.
- ENDS -
About CySure
CySure is a cyber security company founded by experts with extensive experience in operational and risk management. The company has offices in
For more information please visit CySure
Press contact:
T: +44 (0)1491 845553
E: mary@pra-ltd.co.uk
(C) 2020 M2 COMMUNICATIONS