In case you’ve been out of the loop: NIS2 is approaching. It’s the second version of the EU’s Network and Information Security directive. While it will take some time before it’s integrated into Dutch legislation, and there may be important adjustments along the way, we have a general understanding of what lies ahead.
This directive suddenly obligates more organizations to tighten their cybersecurity measures. So, you may have previously wished for a more secure environment, but now it’s a necessity. While motivation through desire is preferable to compulsion, sometimes the obligation can drive the desire, so they say.
NIS2 Requirements and Their Impact
To be more specific, important and essential entities will be subjected to certain mandates. The NCSC has outlined these in detail for those who want a comprehensive overview. What is crucial to grasp, however, is that the most substantial change concerns a task that you most likely have not yet arranged for: security operations. You may know the term from the security operations center (SOC), but it is not the center that matters; it is the activity, the actual work.
The reason this aspect carries more weight than the other requirements is the reporting obligation in NIS2. It stipulates that incident handling must be properly organized and that cyber incidents must be reported within 24 hours. That means incident detection and resolution have to be operational at all times. This involves not only the technology (software and hardware generating alarms) but also the organization (who will act on those alarms?).
Security Operations
By security operations we mean someone actually doing security work. This does not involve drafting policies, conducting risk analyses, running awareness campaigns, or similar activities. A security operator is someone who manages the technical measures: making sure they are switched on and configured so that they do what they were bought for. They also watch for the moments when these measures raise alarms, and then investigate what those alarms mean. Unfortunately, it is quite common for organizations to acquire advanced security tools without properly arranging who handles the alerts they generate. The result is devices that produce alarms but do not materially improve security.
Security Operations: A Specialized Task
If this work is done at all, it is often assigned to someone with broader IT responsibilities, either in-house or at an external provider. The problem is that the task is then treated as a side duty, most likely because of time and knowledge constraints, and ends up being performed insufficiently or irregularly.
Security operations is hands-on security work. It requires understanding attack methods, how malicious actors operate, so that their activities can be recognized, investigated, and stopped. Do you have the budget to dedicate someone exclusively to this role? And can you find a person with the right skills and background? If you intend to employ a single security operator, you are in for a challenge. Competent security operators generally prefer to work in a mature SOC alongside fellow operators, on varied and challenging investigations. Your one alarm a month simply cannot compete with that.
No SOC/SIEM
Consequently, there is a high likelihood that you will need to consider outsourcing. If you have not looked at this before, you will probably start seeking assistance, guidance, and best practices on procuring security operations. One piece of advice I would like to offer: do not start a SOC/SIEM procurement process of the kind external consultants who have tackled this before will recommend. In reality, SOC/SIEM services often perform well only on paper. There are certainly exceptions, but there are too few of them, and their services are usually too expensive to be a practical option for you.
Prefer Standardization
Instead, your first step should be to standardize your IT systems as much as possible. Complexity is the enemy of security: the more customization in your IT environment, the more intricate and expensive implementing security measures becomes.
The greatest exposure is in email and document exchange. In most cases that means a platform such as Microsoft 365 or Google Workspace. Both offer comprehensive tooling that supports security operations without necessarily requiring third-party solutions. Concerns about the market dominance of these platforms, particularly Microsoft in the office-suite market, should be a secondary consideration. Unless you are a regulatory body, I would recommend focusing on making your organization resilient as efficiently as possible. So prioritize tools you already subscribe to and can switch on with ease.
Begin With The Core
Within your Microsoft or Google environment, the initial focus should be activating security operations tools that enable effective monitoring. These tools support incident detection and subsequent actions. In the case of Microsoft, we’re referring to Sentinel, while Google employs Chronicle. Even if these tools are configured solely to monitor activities associated with your office, you’ll already be safeguarded against the majority of common threats.
Growing With The Data Landscape
Once the core monitoring is in place, these tools offer the flexibility to add log sources over time: logs from firewalls, CRM packages, ERPs, production lines, and so on. Some customization may be needed to fit your organization, but approach it flexibly and efficiently: keep the core solid, expand only when the need arises, and make sure scaling stays simple.
As your IT and data landscape evolves, certain logs may become redundant or new ones may need to be integrated. The likelihood that you abruptly stop using platforms like Outlook and Excel, or move away from Gmail and Google Docs, is rather low, however. Maintaining this core, and its ability to support your organization's agility, is therefore paramount.
Outsourcing Security Operations
You may recall that we discussed outsourcing earlier, right? Indeed, this is likely your best option. Your primary IT provider might even offer security operations as an additional service. However, I cannot evaluate their proficiency. Hence, it’s crucial to independently assess their capabilities: How many dedicated individuals perform this work (not as a side task)? What are their qualifications? How rapidly will they notice an issue? How do they operate outside regular office hours?
In essence, you will likely be looking for a specialist: a Managed Security Service Provider (MSSP). Such providers usually adhere to standardized procedures to keep their services efficient. So look for a provider whose approach aligns with your data core or, better yet, starts from it. Establish clear expectations about what the service does and what integrating additional data sources will cost.
Automation Leads To Cost Reductions
Naturally, the cost of this kind of work or service is a crucial consideration. In the past, when standardized IT environments were less common, an MSSP needed a substantial amount of manual work to get alarms configured and followed up effectively.
However, due to your decision to embrace standardization, much of the security operations within your environment can be automated. After all, cloud services can be managed using scripts. If these scripts function well within your Microsoft or Google cloud, they’ll work equally well for all other clients utilizing these services.
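As an illustration of the kind of scripted check this makes possible, here is an added example; it is not code from the original post or from Zolder/Attic. It asks a Microsoft 365 tenant whether MFA-style protection is actually enforced, either through Security Defaults or through at least one enabled Conditional Access policy, and emits the answer as JSON so it can feed whatever alerting the operator uses. It assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account holds the Policy.Read.All permission; the cmdlets are from the public SDK, while the OK / ACTION_REQUIRED verdict rule and the output fields are this example's own choices.

```powershell
# Added example (not from the original post): a tenant-wide baseline check that an
# MSSP can run unchanged against every Microsoft 365 tenant it looks after.
# Assumptions: Microsoft.Graph PowerShell SDK installed, account with Policy.Read.All.
Import-Module Microsoft.Graph.Identity.SignIns

function Get-TenantBaselineStatus {
    # Security Defaults is a single tenant-wide toggle. A tenant cannot have both
    # Security Defaults and Conditional Access policies active at the same time,
    # so a healthy tenant shows one of the two.
    $defaults   = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    $defaultsOn = [bool]$defaults.IsEnabled

    # Only policies in state "enabled" enforce anything; report-only
    # ("enabledForReportingButNotEnforced") and "disabled" policies do not.
    $policies   = Get-MgIdentityConditionalAccessPolicy -All
    $enforced   = @($policies | Where-Object State -eq 'enabled')
    $reportOnly = @($policies | Where-Object State -eq 'enabledForReportingButNotEnforced')

    # Verdict rule chosen for this example: protection counts as present when either
    # Security Defaults is on or at least one Conditional Access policy is enforced.
    $verdict = if ($defaultsOn -or $enforced.Count -gt 0) { 'OK' } else { 'ACTION_REQUIRED' }

    [pscustomobject]@{
        CheckedAt               = (Get-Date).ToString('o')
        SecurityDefaultsEnabled = $defaultsOn
        EnforcedCAPolicies      = $enforced.Count
        ReportOnlyCAPolicies    = $reportOnly.Count
        EnforcedPolicyNames     = @($enforced.DisplayName)
        Verdict                 = $verdict
    }
}

Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome
$status = Get-TenantBaselineStatus

# JSON output keeps the result machine-readable for the operator's own pipeline
$status | ConvertTo-Json -Depth 3

if ($status.Verdict -ne 'OK') {
    Write-Warning 'Neither Security Defaults nor an enforced Conditional Access policy is active in this tenant.'
}

Disconnect-MgGraph | Out-Null
```

Because the script reads only tenant-wide settings and makes no assumptions about the customer's own naming or structure, it runs identically for every tenant on the same platform, which is exactly what keeps the core service cheap to operate at scale.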
Does the party you are considering offer automation? If so, the core service is likely to be affordably priced. But do they also have experts on hand to step in when a serious issue arises? Someone who can dig into the activities of an intruder who gained access, establish what they did and when, and make sure that the access has been thoroughly removed? This is what we call Incident Response, and while it is often distinct from the foundational monitoring service, it is vital to make clear agreements about it.
Attic Security
It will come as no surprise that I also have a concrete solution to offer: Attic Security. This is a solution we developed entirely within our Zolder team, designed to act as the cybersecurity expert for small and medium-sized organizations. We safeguard your business, and because attacks do not keep office hours, we stay connected with you through our mobile app, so we can keep you informed and advise you wherever you are. Attic integrates with Microsoft 365 to configure and monitor its security features comprehensively; should anything suspicious arise, it notifies you with a push notification and provides advice that you can act on with a single tap.
If you’re eager to learn more about Attic, you can visit our website and consider completing the contact form to schedule a demo. Alternatively, you can download the Attic mobile app from the Apple App Store or Google Play Store and explore its features at your own pace.