Managed Detection and Response: Dispelling the Myth of Transparency
Find out what “proprietary technology” really means in the world of security information and event management.
SIEM technology has an important role to play in today’s cybersecurity landscape. It ingests data from across the entire enterprise, analyzes that data to build a coherent picture of security events, and enables security teams to investigate and respond.
Cybersecurity vendors accomplish these tasks in different ways. Often, SIEM solutions must normalize and enrich data to prepare it for analysis. Then they start correlating data points according to internal rules and algorithms to glean insight and construct an intelligible narrative.
But what exactly are these internal rules and algorithms? How do they work, and why should you entrust your entire organization’s cybersecurity framework to them? These are questions most cybersecurity vendors simply won’t answer: their technology is “proprietary,” and they fear divulging trade secrets to customers, competitors, and the public at large.
From the customer’s point of view, this looks a lot like buying a “mystery box.” You don’t know how it works, or even if it works, but you’re expected to trust that your vendor has your best interest in mind.
Isn’t proprietary technology more secure?
It might be — or it might not be. If the owner of that technology doesn’t show you how it works (which many don’t for IP/proprietary code reasons) and has an opaque vulnerability management process, there is no way to tell. This is one of the major obstacles that enterprise InfoSec leaders currently face. Security technologies are more abundant than they have ever been, yet information about them is scarcer than ever.
It should come as no surprise that organizations use an average of 45 different cybersecurity tools on their networks. Yet even this tool-centric approach fails to fix the problem, as the ongoing surge in modern, industrialized cybercrime shows. Since many security vendors don’t let their customers know how their products really work, those customers have no way of accurately identifying security vulnerabilities and cracks in their networks. The “mystery box” approach ends up hurting more than it helps.
How did we get here? A history of the mystery box approach
In the 1990s, information security technology focused heavily on perimeter security. Vendors typically built either security information management (SIM) products, centered on collecting and storing logs for later search, or security event management (SEM) products, centered on real-time monitoring and alerting.
These solutions were built on proprietary databases that locked customers onto the vendor’s technology. This was happening in the middle of the dot-com bubble, when it was normal for technology companies to seek patents and trade-secret protection for everything they developed. Integration, usability, and open-source architecture wouldn’t become industry norms until later.
By the 2000s, storage had become cheaper and hardware more powerful, and SIEMs could use pattern-based (signature) detection to identify threats. These methods could only find threats that were already known, but security vendors began to see the value in sharing their signature databases with one another.
However, vendors kept their infrastructure, data storage, log management, and other technologies under lock and key. Up until the 2010s, these were important value differentiators between vendors.
This changed when cloud computing, open-source infrastructure, and Big Data analytics became industry standards. Technology vendors no longer have to build and maintain on-premises servers or develop their own capabilities, but it’s still profitable to lock customers onto their platforms. True transparency comes with the risk of showing customers they have options.
Visibility empowers customers to make better choices
InfoSec leaders who choose “glass box” vendors over “mystery box” vendors enjoy far greater control over the technologies they implement. They gain the ability to customize technology to meet their needs while accommodating its limitations.
Security-oriented organizations are increasingly choosing to implement and manage their own SIEM and to onboard reputable managed detection and response providers to operate it alongside them. This gives the company full visibility into its detection rules and risk algorithms and gives users confidence that the system works as advertised. Organizations that take control of security information and event management can assess and improve their risk management framework in eight principal areas:
- Vulnerabilities – All software can contain vulnerabilities. Deploying, configuring, and maintaining your SIEM platform properly will mitigate the risk of introducing vulnerabilities into your security system. You need visibility to test and verify SIEM operations so you can catch and report potential vulnerabilities before cyber criminals discover them.
- Integrations – SIEM solutions must integrate with many different security tools and log delivery systems to work properly, but every link in the integration chain is a potential point of failure. Your team must be able to verify these integrations as needed and have access to the resources necessary to fix problems before they lead to vulnerabilities.
- Defaults – Many organizations settle with a default SIEM configuration when a customized alternative would perform better. Without transparent technology and communicative vendors, it’s impossible to verify whether your configuration is truly designed to fit your organization’s security needs.
- Alerts – These are essential to SIEM security. Without control or visibility into how your SIEM works, you can’t tell if you are missing alerts, or if the alerts you receive map appropriately to your business priorities.
- Data Sources – SIEM technology is only as good as the log or event data it draws from. If devices in your network are already compromised, the logs they send may be missing, delayed, or tampered with, so your SIEM deployment may be compromised from the start. Visibility is key to auditing both the assets your SIEM solution is supposed to protect and the log sources it actually receives, including which lines it fails to parse and silently drops.
- Users – How many SIEM users should your system accommodate, and how many of them should have admin-level access? The deployment process may require you to grant access to many users who don’t need ongoing account privileges. Visibility into your SIEM is critical for reviewing user access over time.
- Configurations – SIEM software comes in multiple deployment models, from on-premises installations to containerized deployments in a local data center to fully cloud-hosted services. Each presents different risks, costs, and benefits, which you can weigh and leverage only when you take control of your SIEM capabilities.
- Access Levels – To implement zero trust policies, you need to know what levels of access are available in your software. Only then can you configure accounts and maintain the principle of least privilege.
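The normalize, enrich, and correlate pipeline described earlier, and the “Vulnerabilities,” “Alerts,” and “Data Sources” checks in the list above, all come down to one question: can you read the rule, see its parameters, and prove it fires on known-bad input? The following is an added example written for this article, not Castra’s or Exabeam’s code. The log lines, the asset inventory, the rule name, and the thresholds are all constructed for illustration; the rule itself (several failed logins from one source followed by a success) is a common brute-force pattern chosen because it is easy to reason about.

```python
"""Glass-box detection pipeline: normalize -> enrich -> correlate -> self-test.

Added example for this article, not Castra's or Exabeam's code. Every log
line, the asset table and the rule thresholds below are constructed for
illustration.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed raw events from two sources with different formats, plus one
# line no parser understands (to show that dropped data is counted, not hidden).
RAW_EVENTS = [
    "2024-05-01T10:00:01Z sshd[1]: Failed password for admin from 203.0.113.7 port 5000",
    "2024-05-01T10:00:03Z sshd[1]: Failed password for admin from 203.0.113.7 port 5001",
    "2024-05-01T10:00:05Z sshd[1]: Failed password for admin from 203.0.113.7 port 5002",
    "2024-05-01T10:00:09Z sshd[1]: Accepted password for admin from 203.0.113.7 port 5003",
    '{"ts":"2024-05-01T10:00:20Z","event":"login","result":"failure","user":"bob","src":"198.51.100.9"}',
    '{"ts":"2024-05-01T10:00:25Z","event":"login","result":"success","user":"bob","src":"198.51.100.9"}',
    "2024-05-01T10:00:30Z kernel: eth0: link up",
]

# Hypothetical asset inventory used for enrichment.
ASSETS = {"198.51.100.9": "vpn-gateway"}

SSH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)"
)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize(line):
    """Map one raw line onto a common schema; return None if no parser matches."""
    m = SSH_RE.match(line)
    if m:
        return {"ts": parse_ts(m["ts"]), "user": m["user"], "src": m["src"],
                "outcome": "failure" if m["result"] == "Failed" else "success",
                "source": "sshd"}
    if line.startswith("{"):
        d = json.loads(line)
        if d.get("event") == "login":
            return {"ts": parse_ts(d["ts"]), "user": d["user"], "src": d["src"],
                    "outcome": d["result"], "source": "app"}
    return None


def enrich(event):
    """Attach asset context so an alert says which system was hit."""
    event["asset"] = ASSETS.get(event["src"], "unknown")
    return event


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Rule: at least `threshold` failures for the same (src, user), followed by
    a success no more than `window` after those failures => brute-force success."""
    failures = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        if ev["outcome"] == "failure":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "brute_force_success", "src": ev["src"],
                           "user": ev["user"], "asset": ev["asset"],
                           "failures": len(recent), "at": ev["ts"].isoformat()})
        failures[key].clear()  # a success ends the streak either way
    return alerts


def run_pipeline(lines, **rule_params):
    """Return alerts plus the number of lines no parser could handle."""
    events, unparsed = [], 0
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed += 1
        else:
            events.append(enrich(ev))
    return {"alerts": correlate(events, **rule_params), "unparsed": unparsed}


def self_test():
    """Known-bad input must alert; known-benign input must not."""
    out = run_pipeline(RAW_EVENTS)
    assert [a["user"] for a in out["alerts"]] == ["admin"]
    assert out["unparsed"] == 1
    # Raising the threshold above the observed streak must silence the rule.
    assert run_pipeline(RAW_EVENTS, threshold=4)["alerts"] == []
    return True


if __name__ == "__main__":
    result = run_pipeline(RAW_EVENTS)
    for alert in result["alerts"]:
        print(alert)
    print("unparsed lines:", result["unparsed"], "| self-test:", self_test())
```

Three things make this a “glass box” rather than a “mystery box”: the normalization schema is explicit, so a new log source either maps onto it or is counted as unparsed rather than vanishing; the correlation thresholds are named parameters, so a change to them is a reviewable configuration change; and `self_test` replays known-bad and known-benign input through the rule, which is the minimum a team needs to verify that alerts are not silently missing after an upgrade or a vendor-side change.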
Regain control over your SIEM
When properly implemented, SIEM solutions bring significant improvements to enterprise cybersecurity. It falls on business leaders and InfoSec decision-makers to insist on visibility into the inner workings of their security tools. These systems are too important to entrust to “mystery box” solutions with inadequate transparency.
Security-oriented business leaders need to work with technology vendors that offer an unprecedented “glass box” experience, where visibility comes first. This enables security teams to accurately identify vulnerabilities and proactively address them using best-in-class technologies. As a transparent managed detection and response provider, Castra can help you achieve this standard of security performance for your organization.