Occasionally, I’m invited by IT departments for ☕ and 🍪. On these occasions, they discuss with me whether they should acquire technology XY. To tell the truth, I suspect the real reason for the invitation is the latter and the coffee is just an excuse. 🤷🏼‍♂️ Nevertheless, I understand their interest in getting more opinions. After all, investing in XY usually involves millions of korunas, and IT expects it to solve cybersecurity issues. The abbreviation XY usually stands for sandboxing and SIEM.
What’s wrong with sandboxing and SIEM?
Nothing. Those technologies are fine. The problem usually lies between IT’s expectations and the real “benefits/impacts” of these technologies. They often significantly miss each other. 😕
The reason why expectations and real benefits diverge, in my opinion, is our introverted nature. We, IT administrators, simply do not share our experiences among ourselves enough. Our image of the technologies is shaped by their sellers (who, in turn, tend to be quite extroverted). Yet, salespeople usually lack practical experience with network management and their products and are mainly motivated to sell.
The points below are my observations and experiences. It’s not any dogma, I have too small a statistical sample for that. If you have different experiences, I’ll be glad if you share them in the comments.
So, where do the expectations usually differ?
Saves Us Time (they are not maintenance-free technologies)
Expectation: In recent years, I haven’t encountered a company that didn’t tell me it lacked people in the IT department. Recruiting additional IT specialists is currently difficult due to their scarcity. IT managers thus hope that acquiring a sandbox/SIEM will partially relieve their IT staff and simultaneously enhance the security of their network.
Reality: Both technologies need “operation”: someone who will examine their outputs and respond adequately to them. Without operation, the benefit of these technologies is very small (e.g. only an audit trail for investigation). When planning these technologies, it’s necessary to consider that more people will be needed in the IT department. Especially with SIEM, this means anywhere from half a person to several people, which is also reflected in the total cost of the given technology (with the current price of labor, it’s a multiple of the acquisition price of the technology).
Solves Network Security without Education (more knowledge will be needed)
Expectation: If these technologies cost millions of korunas, they will be easier to use thanks to artificial intelligence. With the same/current knowledge, we will achieve higher network security.
Reality: The technologies have a certain form of intelligence, but it serves to prepare information for the operation, rather than resembling Skynet from Terminator. 🤖 The decision/conclusion drawn from the presented information is then up to the operation. Operating a sandbox requires more knowledge than operating antivirus (which most companies have by default…). Likewise, operating SIEM requires more knowledge than operating a log manager.
Therefore, it is necessary to consider that new technologies will require a substantial amount of study.
Securing the Network Despite Skeletons in the Closet
Expectation: It indeed costs a fortune, but it will secure our network without us having to resolve our backlogs (segmentation, passwords, updates…) and we can thus sleep in peace.
Reality: Before procuring advanced technologies (sandbox, SIEM), it is necessary to have resolved the “backlogs” such as: network segmentation and permissions (tiering, least privilege), patch management, password management, and maintaining order and an overview of one’s own network (in large companies, entire data centers are sometimes forgotten 🤯). If this is not resolved, attackers typically need only a few hours to carry out an attack (lateral movement), so there is a lower probability that the sandbox/SIEM will detect the attack in time. Especially if the company does not have 24×7 supervision – the attack occurs at night, and by morning, there will be nothing left to monitor.
Moreover, “resolving” the aforementioned is usually much simpler and cheaper than deploying SIEM and sandbox.
It Works as Wonderfully as They Claim
Expectation: The manufacturer proclaims that, thanks to machine learning, artificial intelligence, and neural networks, the technology will protect us against both known and unknown threats. Hence, we no longer need to fear ransomware and hackers.
Reality: The field of IT security is full of exaggerated claims. Personally, I would prefer if manufacturers spoke modestly and strived to provide some form of guarantee for their products (instead of saying, “this is bulletproof technology, but if you get hacked, we are not responsible”). Technologies often have a series of flaws and blind spots. No “silver bullet” technology exists (or at least, I haven’t discovered one yet).
We try, from time to time, to test the technologies we use with our customers, to know how much we can trust them. This year, we tested FortiGate from Fortinet and before that ESET (attackers managed to disable ESET in 20 minutes last time). This helps align expectations with reality. If you haven’t seen the articles/lectures yet, definitely take a look – especially the FortiGate test is quite eye-opening.
Sandbox and SIEM are advanced technologies that allow companies to even catch elite hackers (cybercriminals). However, unlike basic technologies (network segmentation, password management, updates, MFA, antispam, antivirus, no admin privileges for users), they may not be suitable for everyone. It is therefore necessary to consider their benefits and costs for a given situation.
I believe that through discussion and sharing experiences, we can all enrich and improve ourselves.
May your networks stay secure,