Security defenses need to change. There is now a broad realization that the security status quo just won’t cut it. I agree with my RSA colleague who recently published a blog entitled, prevention is ideal, but detection is a must. Effective detection (or monitoring) is often where today’s security programs are weakest and in most need of change and maturation. Unfortunately there is no (magic) security box or tool that you can purchase that can protect you from advanced threats or make your incident response program more mature. The reality of security today is that good prevention is necessary, but not sufficient. What shores-up insufficient prevention are security strategies that are focused on fast detection, investigation, and response.
While modern security technologies can be an important part of maturing your monitoring and response program, there is no substitute for coordinating this with the right enhancements to your human capital and processes. Or as most organizations eventually realize, what is needed to positively change their security posture is to build-out their incident response program. Whether one refers to this team as a CIRC, CIRT, or SOC, the monitoring and response capabilities that they represent have become a must-have for most organizations.
If you are struggling with the issue of your incident response maturity and how to improve it, check out The Critical Incident Response Maturity Journey paper I wrote, with a lot of help from colleagues both inside and outside of RSA. Wherever you find your organization on its incident response maturity journey, having a realistic improvement plan in conjunction with the organizational will to implement it is usually more than half the battle.