Last Updated on July 27, 2021
For a business looking to balance detection and prevention in its cybersecurity program, two favored technology investments are Security Information Management (SIM) and Data Loss Prevention (DLP) solutions. But which should you get first? Or do you need both?
To offer business and technical leaders a practical perspective on what really matters in cybersecurity, a recent episode of The Virtual CISO Podcast featured Dr. Eric Cole, influential author and Founder/CEO of Secure Anchor Consulting. John Verry, Pivot Point Security CISO and Managing Partner, is the show’s host.
Start with a SIM
“The first thing I would have [a client] do is a SIM,” Eric advises. “And the second thing I would have them do after that is a DLP. But I couple things I always point out. I tell a lot of my clients, ‘Listen, you need a SIM. You need visibility. You need to know what’s going on.’ I’ll come back six months later. They’ll be, like, ‘Eric, you gave us bad advice. We went and got a SIM. We put it in place, and it’s not doing anything. It’s not catching anything. I’m like, ‘Okay, show me the use cases that you have for the SIM.’ They go, ‘The what?’” I’m like, ‘Let me get this straight. You bought a tool. You didn’t tell it to do anything. It’s not doing anything, and you’re mad?’
Tuning your SIM
A SIM isn’t “plug-and-play”— you need to tune it into what to look for. It’s only as good as you are at telling it what to detect.
Likewise, a SIM’s business value is only as great as your ability to respond to potential incidents once it detects them. More isn’t always better when it comes to SIM data.
“The other problem I see all the time… And you see this after a breach, where these vendors come out and go, ‘Our tool detected the attack. The company failed.’” Eric shares. “It’s like, ‘Wait a second. You tuned your SIM with all these use cases. It’s generating 20,000 alerts a day, but your team can only handle 200.’ It doesn’t take long to show that that’s not going to work.”
If your team can only handle a small number of alerts a day, then you should program your SIM to alert only on the highest, most critical scenarios. Might you miss some attacks? Yes. But your goal is to understand what the big threats are, and make sure you target your SIM to those use cases.
As Eric says, “If you’re alerting on 20,000 and your team can only get to 200, you’re missing all of them. It’s this idea of don’t let ‘good enough’ get in the way of perfection. Catch the big priority items first, and worry about the noise later.”
Scoping your SIM coverage
John further advises SMBs to appropriately limit the scope of SIM coverage: “The other problem I see with SIMs is someone gets a SIM, and what’s the first thing they do? They point every device, every application, everything in the network to this. It ends up being just a giant log consolidation tool—which is great for incident response, but not for incident detection.”
“You’d be much better off saying, ‘Okay, I’m not going to listen to 500 devices. I’m going to listen to the 30 that are the most important in my environment where the crown jewels are kept.’ That way, I’m maximizing my signal to noise ratio, which I think you’d agree is the key to a SIM,” explains John.
If you’re looking to fine-tune your SMB’s cybersecurity program, this podcast episode with Dr. Eric Cole is packed with practical guidance and big-picture insight.