Ed Bailey is a passionate engineering advocate with more than 20 years of experience in instrumenting a wide variety of applications, operating systems and hardware for operations and security observability. He has spent his career working to empower users with the ability to understand their technical environment and make the right data-backed decisions quickly.
In a previous webinar, we discussed the importance of ensuring that your enterprise is cyber resilient and the politics around establishing a thriving cybersecurity practice within your organization. This week’s discussion covers specific tactics and solutions you can implement when you begin this initiative — watch the full webinar replay to learn more about how Cribl supports your cyber resiliency efforts.
The cost of a cyber attack can devastate an organization’s financial position and reputation. The average cost of a breach is around $13 million. Cyber attacks can also result in lost business opportunities — an attack in 2019 delayed the acquisition of an airplane parts manufacturer by one year and lowered the asking price by $150 million.
A robust cyber resiliency strategy can help you avoid these situations. Organizations need to develop policies, procedures, and plans that enable them to protect critical systems, detect cyber threats, respond to incidents, and recover from the impact of those attacks. Here are some ways you can enhance your organization’s cyber resiliency.
One of the first steps towards building a cyber resilient organization is to begin XDR initiatives. The ability to share data from a single source with multiple downstream tools without duplicate infrastructure is critical. If you do have a breach, you need to be able to send security and customer data to security and analysis tools to investigate and detect those attacks.
When you adopt modern XDR solutions alongside existing tooling, it opens up a lot of options. You’re able to validate multiple solutions at one time to make sure that the systems you use on a day-to-day basis are still collecting data and keeping the business secure. Evaluating multiple tools simultaneously can also help reduce procurement time, allowing you to make sure you have the right tools in place to investigate threats appropriately.
We’ve recently expanded our partnership with CrowdStrike to make it easier for our customers to include XDR in their operations. CrowdStream is our new native platform capability that enables customers to seamlessly connect any data source to the CrowdStrike Falcon XDR platform.
Another important step is to separate your data retention strategy from your security tooling. This is where a security data lake comes in handy. The biggest value add with a security lake is the ability to detect and respond to attacks without being in the same environment where the attack happened.
A security data lake also allows you to store your logs and records in cheap blob storage or whatever other destination you prefer — all in agnostic formats. You can use Cribl Stream’s seamless integration with Amazon Security Lake to help you ingest data from any third-party source. We’ve made it easy to convert that data into Open Cybersecurity Schema Framework (OCSF) and route it to Amazon Security Lake.
Many of our customers are looking to migrate workloads to the cloud or bring in cloud-based security tools. This is another important piece of the cyber resiliency puzzle for many reasons, but for one in particular — minimizing migration timelines.
Minimizing migration timelines when you’re going from one tool to the next is incredibly important when attacks inevitably occur. Shifting to a cloud-based infrastructure will give you the flexibility you need to use all of your security tools and optimize data ingestion. An observability pipeline like Cribl Stream can help simplify, secure, and reduce the costs of a cloud migration.
A cyber resilient architecture will help speed up threat detection, investigation, and response time while doing what you need for daily business operations. SIEM consolidation helps on all of these fronts. It can have an especially big impact on larger companies going through a merger or an acquisition, or for individual teams within an organization that want to share data between different SIEM solutions.
Sharing that data allows teams to deprecate systems when they’re ready — instead of being driven by redundant infrastructure costs or arbitrary timelines that come with a merger or acquisition. Updating data formats and cleaning up legacy sources will reduce noise and ingestion volume, lowering license costs and improving the performance of your detection tools.
Being able to share data between Security and IT Ops is also very important — the fact that the term SecOps exists means that these two teams need to work very closely together.
When you have a solution like Cribl Stream in place, you can collect all your data once and share it with separate teams while still keeping control of it. You can easily share security data with IT operations to help with an investigation, but easily redact any sensitive information before it’s shared.
When you separate your system of analysis from your system of retention, you can easily replay the data stored in your data lake when an audit or security incident arises. Cribl Stream allows you to take the data in question from your object storage and replay it for analysis.
Separate systems also allow you to send that data to any tool in your toolkit in any format. Every second matters when dealing with security incidents, so being able to shift on a dime and use whatever security tools you may need in the moment will save you valuable time.
You don’t need to launch into all six of these initiatives immediately, but having them on your radar and beginning to implement them will put your organization on the path to being more cyber resilient. Check out the tutorials in our sandbox and our guide to getting started with Cribl Stream to see how it can help you — our free version allows you up to 1TB/day!
Watch the full webinar here to hear the team dig further into these solutions and answer customer questions about best practices, types of cloud data Cribl supports, internal vs external compliance, and more.