Having just come back from the most recent RSA Conference in San Francisco, I think I can say with confidence that the security industry has moved beyond, at least at the level of strategic planning, security strategies based purely on prevention. Security professionals generally agree that what is needed is a better balance across prevention, monitoring, and response; what I refer to as the new defense-in-depth approach. If you still need some persuading on this point, I encourage you to spend some time reviewing the conference content, in particular Amit's keynote. For the purposes of this blog I will assume you are struggling more with the "how" of doing this than with the "why".
As part of my job here at RSA I talk with many customers and prospects on a very regular basis. Organizations large and small, with high and low levels of security maturity, are all wrestling with how to do incident detection and response better. Often the first binky that organizations have to give up is the belief that a single technology, analytic, or rule can be deployed to provide sufficient detection and response capabilities. Do malware sandboxing, next generation firewalls, next generation AV, better privileged access management, threat intelligence, SIEM, and many other technologies help? In many cases, "yes". Do they by themselves deliver what is needed to address today's incident detection and response challenges? "No". If you are having trouble letting go of what many (including me) call the security technology "silver bullet" or "magic box" problem, I encourage you to watch this video of John Kindervag of Forrester explaining why silver bullets are good for slaying vampires, but aren't good for improving your security.
This blog isn't nearly long enough to completely cover the "how" of improving your incident detection and response maturity. But I have recently refreshed a paper I wrote on this topic a while back. In this paper I first offer a framework with which you can assess your current level of incident detection and response maturity across the intertwined categories of people, processes, and technology. Using this framework and a bit of honest reflection, you can fairly assess your current security monitoring program maturity. After going through this process, look at where your checkmarks landed on the table in the paper, then look to the right of them for some ideas of where it might make sense to focus going forward. Don't forget to celebrate your successes rather than wallow in your weaknesses.
If it isn't already obvious to you, RSA is very well positioned to help you improve your incident detection and response program across all of the critical areas, including but not limited to technology. Uniquely in this space, RSA provides a combination of specialized professional services, multiple integrated products, and an ecosystem of expert partners to help organizations of all sizes on this maturity journey.
Whether your program is short on strategy, expertise, heads, repeatable processes, integration, visibility, detective or forensic technology, or other related areas, RSA can help you move the needle. What we provide in this area falls in the solution space we call the RSA Advanced SOC solution. Connect with us so we can help you launch or accelerate your organization on its incident detection and response maturity journey.