History as we know it, is recorded; somewhere by someone or something. We learn from these historical documents. They are entered as evidence in legal proceedings. We use these documents and pictures as a means of learning and education, to ensure we do not repeat past failures. To find the flaws and to correct as we go. There are careers around collecting evidence, storing it, and interpreting it. There are history classes, from ancient history to 20th century history, to teach others what, how and why something occurred.
Our whole way of life is documentation. From the moment we are born, and even after we leave this earth, someone somewhere is keeping tabs on everything.
The metadata of our life is an openbook. (pun?)
From an IT perspective we collect lots and lots of logs. From active directory to firewalls. There is a whole industry on selling us a means to collect, store and even interpret these logs. Some of us have even set up alerts based on some predetermined sequence of events or anomalies.
These logs and the collection of them can become huge and cumbersome, even for the smallest of companies. They become so massive that there is no way a single person can keep on top of them during normal business hours. Even if you have a large scale log collection and correlation system, it still requires human interaction, interpretation and action. When your environment of 200 employees is pushing over 400 events per second, it may not sound like a lot, but if your IT and Security team is 1 or maybe 2 people, there is no way you can keep up with this flow during business hours, let alone complete all of your other duties.
Just focusing on events that we know about over the past year (written up in media accounts) they range from hotel chains, credit industry, retail outlets, shoe manufacturer, online retailers and the US Navy. All of these events occurred and were not identified, or noticed, until some time after the event (some were not noticed for 4+ years, all the while the breach was ongoing during the whole time).
This continuous monitoring we have all talked about for years, really needs to be upgraded. Monitoring and automated alerts only get us so far when it comes to security. Spending on security appliances and EDR packages has skyrocketed over the years, and yet we still have this issue of detecting, alerting and remediating. This right now, comes down to human intervention. Leveraging all the AI and ML helps, but, at the core of this is the human who is making the final decision (if any).
There are many firms out there that offer similar type functions that Milton offers, but as add-on service to their core offerings. Using someone else to do live threat hunting and log monitoring is ok, if they truly provide value.
Something we like to talk about here at Milton, is the concept that we are a "Force Multiplier" for our customers. What you get from us, is a caring team that is part of your security team, for a fraction of what it would cost to hire a single person, let alone 4 or 5 to work 24*7 shifts.