ITSM and SIEM Equals Cybersecurity Maturity
Cybercrime is lucrative.
The FBI’s 2021 Internet Crime Report identifies the potential losses from cybercrime in 2021 as exceeding $6.9 billion, a 64% increase from the previous year. The report calculates the losses over the last five years at $18.7 billion.
These staggering figures demand that organizations take cybersecurity seriously. However, most organizations still lack the tools and processes to effectively protect their organization, with a 2021 survey reporting that 66% of CISOs “feel their organization is unprepared to cope with a targeted cyberattack.”
For security-minded organizations, the subsequent steps in the journey to “Cybersecurity Maturity” are implementing proactive processes, building and executing strategies beyond patching and firewalls, and accessing real-time visibility across the organization’s information security. But often, as the organization matures and its technology requirements increase, many in IT hit the same wall: organizational growth has exceeded resource functionality and operational maturity, leaving cybersecurity teams struggling to monitor IT environments and identify security-related events at the right time, before becoming catastrophic.
The pivotal enhancement to meet these criteria and make better sense of large amounts of cybersecurity data, keeping the organization’s finger on the pulse of its performance, can be achieved with a Security Information and Event Management (SIEM) system used in tandem with an ITIL-focused ITSM.
SIEM works by deploying collection agents to gather and correlate security-related events and data from different sources and specialized IT security equipment:
- End-user devices
- Network equipment
- Anti-virus systems
- Intrusion prevention systems
Consolidating and sifting through numerous data sources, quickly separating the noise from legitimate events, efficiently spotting trends/patterns, and then promptly tracking and resolving alerts/notifications are key cybersecurity challenges ITIL-focused ITSM alleviates.
Control and Governance for Cybersecurity Events
ITIL-focused ITSM should be considered the primary step, a central requirement, to provide the control and governance needed for managing security events before they have a chance to disrupt business operations. This data and event log entries are critical for spotting out-of-the-ordinary patterns more accurately, recognizing potential threats and vulnerabilities, and prioritizing relevant security incidents faster.
To ensure IT teams receive alerts when issues arise, the ITSM solution includes security event management as another ticket category, so organizations can easily create, track, and resolve security-related tickets within the tool, accurately capturing work and task information relevant to the security event throughout its lifecycle. The organization’s IT Security Services can even have their own SLA automatically applied from the ITSM solution. Management of these events within ITSM provides the audit framework necessary to report on MTTR and other metrics the IT Security team will need.
The Benefits of ITIL-focused ITSM with SIEM
An ITIL-focused ITSM solution, serving as the system of record for cybersecurity activities, security events, and security event response, can establish the necessary foundation for proper SIEM. ITSM plays an integral role in empowering IT teams to more easily build standardized workflows that include measurable and repeatable processes to automatically route data to the right personnel, ensure all types of endpoints are secure, and defend the network perimeter.
As the system of record, it is a single pane of glass for auditing those processes and providing visibility into the organization’s security posture and IT environments. With centralized ITSM, organizations have the framework to define their cybersecurity processes, understand what is on the network, and leverage Asset Management data to capture a baseline snapshot of devices, providing the means to identify security vulnerabilities, detect anomalies and misconfigurations, and ensure devices and endpoints remain protected.
Define Your Cybersecurity Processes
Any organization lacking Cybersecurity Maturity will need to define its cybersecurity processes. Because business rules and IT environments change over time, these processes require ongoing review and maintenance to remain aligned with the organization’s unique wants and needs. Processes can include:
- System scans
- Incident Response
- Recovery Planning
- Cybersecurity Awareness Training
Defining your cybersecurity processes provides repeatable workflows to deliver reliable outcomes. Once defined, the collection of standardized methods becomes the IT Security Service Catalog within your ITSM solution, enabling end-users to request security services in a faster, more streamlined manner. Most importantly, these processes must be repeatable, reportable, and provide consistent results.
Network Discovery to Manage Devices and Endpoints
Network Discovery is essential in establishing the first line of defense for the organization’s cybersecurity posture. Discovery provides the means to understand:
- What is on the network
- What should be on the network
- What possibly should not be on the network
- What is missing from the network
Network Discovery can feed information to the ITSM solution, enabling the management of devices and “marking” devices to be managed. Once done, new devices will appear unmanaged, allowing the IT team to respond appropriately and address any risks. Network Mapping aids in monitoring, ensuring IT teams have the correct data to understand the relationships between devices. Accessing this relationship data is critical for executing a faster and more structured technique for identifying the impact of security events and performing root cause analysis.
Asset Management and CMDB to Manage Cybersecurity Events
Within the ITSM solution’s CMDB, Discovery data becomes Configuration Items with all its relevant information easily accessible, including Event/Log data, and incorporating Event/Log data makes it available to the ITSM reporting/analytic solutions for reviewing metrics and KPIs regarding security-related events. With a single pane of glass for any device’s information, this Asset Management data enables the ability to quickly define a baseline, a near real-time snapshot of the device’s configuration. These baselines perform a valuable function when security events occur. Daily, this data provides context and additional details on incidents, Problems, and Change processes, ensuring a more efficient response. Now, cybersecurity teams have greater visibility into how devices should look when properly configured, understanding which configuration is responsible for the event, how it may impact other CIs/devices in the environment, and what actions to take for effective remediation.
For more information about how ITIL-focused ITSM and SIEM can remediate potential threats and prepare an organization to defend against a cyberattack, contact Flycast Partners. Our vendor-certified ITIL and ITSM experts have years of experience assisting organizations by building better cybersecurity strategies and fostering operational maturity.