It’s hard to know what’s more challenging for housing providers these days – coping with the increase in the scale and complexity of cyber threats or managing the security tools to contain them and the noise they create.
From talking to Sophos’s numerous housing clients, it’s clear that their IT environments are as complex and dispersed as many other sectors. Users are now anywhere and everywhere. Physical assets such as endpoints, servers, wireless access points, switches and remote devices all need protection. Furthermore, many housing providers have resources in the public cloud as well as SaaS business applications such as Office 365.
Cyber telemetry
You’ve probably invested in multiple security tools to defend your environment, including endpoint and workload protection, firewalls, email security, cloud security, network detection and response and identity solutions. These products, as well as blocking already-known threats, also provide valuable signals – telemetry – to help detect, investigate and respond to today’s advanced human-led attacks.
What can analysts use this telemetry for? Endpoint alerts can highlight suspicious activity and malware. Firewall data can be used to look for intrusion attempts, and network telemetry can spot rogue users and unprotected devices. Cloud alerts can flag up unauthorised network access and efforts to steal confidential data, and email alerts can pinpoint initial entry points into the network. Finally, identity data-logs can reveal malicious network entry attempts and adversaries aiming to escalate privileges.
Each of these telemetry signals is useful on its own, but if you combine them, you can accelerate your detection and response.
Lack of security standards
Why hasn’t anyone been able to do this at scale so far? That’s because, although combining all this telemetry makes perfect sense, doing so is extremely difficult in practice. This is partly because there’s a complete lack of standardisation across the security sector concerning the format of the raw telemetry data. Security vendors use different alert reporting formats and severity levels for the same threats (you’ll be aware of this challenge if you’re currently using a SIEM tool). The inability to correlate this data effectively means housing providers’ IT teams often can’t identify issues quickly. What’s more, they are overwhelmed by alerts and unable to determine which ones belong together and where to prioritise.
If you’ve read my previous articles in Housing Technology, you’ll know that a growing number of housing providers are turning to our managed detection and response (MDR) service to support their IT teams and increase their cyber-security protection. Our MDR service provides the expertise of a remote group of cyber-security specialists to help you search for, analyse, monitor and neutralise threats that technology alone can’t prevent. Instead of reacting to a breach, these teams are proactive in detecting malicious behaviour that could remain undetected and cause a disruptive, costly and reputation-damaging cyber-attack.
Security event flows
One key element of the service is MDR’s ‘security event flow’. We collect all the telemetry from vendors’ tools, put it into our data lake so we can work with it and then put it through what we call our ‘detection pipeline’’. With the clean, correlated and clustered outcome, we create a case that the experts in our MDR operations team can investigate. This process makes what for others is a difficult task seem easy. Taking all those alerts and converting them into usable, prioritised insights enables us to secure our customers’ environments.
We typically process over 31 billion events daily, resulting in over 358 million detections. On the day our team pulled the data for this article, the MDR security event flow created 367 cases, of which 47 were escalated, and one active threat was detected and neutralised.
Faster responses
As these numbers demonstrate, trying to do this without event flow would be overwhelming for almost any housing provider. This solution is one of the reasons we can achieve an average MDR threat response time of 38 minutes, including detection, investigation and remediation. That’s around 10 times faster than even the quickest internal SOC team.
Cyber-security challenges will only become more complex, so adopting smarter ways of working are vital for keeping your organisation secure. That’s one of the reasons why more than 15,000 customers, including many housing providers, trust Sophos for managed detection and response.
Jonathan Lee is the director of public sector relations at Sophos.
