28 February 2025

Eliminating, Resolving, Addressing: Rebuilding Risk, Compliance and Operational Clarity

The situation

When we first engaged with this client, we quickly identified significant health issues with their Splunk Enterprise Security search head. They were experiencing long-running searches and frequent search quota problems (scheduled searches being skipped), yet they were initially unaware of these issues. Upon further investigation, we discovered compliance gaps, including difficulties in meeting certain standards and legal requirements.

Additionally, some of their existing security measures were not fit for purpose. While they believed these measures were functioning as intended, in reality they were not delivering the expected results. Compounding the issue, they lacked both a risk register and a defined operational model, leaving them uncertain about their security landscape and unprepared for emergency situations.

The client was also working with a third-party security team, but when we arrived, there was little clarity on the value this team was providing. They were aware of its presence and involvement but had no real understanding of its role or impact.

Engagement Objectives

  • Complete a Risk Modelling Exercise with the client, enabling the client to repeat the exercise themselves as needed.
  • Stabilise the Enterprise Security search head (SH): correct every health issue flagged by Splunk and by Operate, taking the status back from red to green.
  • Test and document all Detective Use Cases (DUCs): produce a register of every DUC together with the end-to-end (e2e) tests run to confirm it was working and fit for purpose, and disable those that were not, saving the client resources and money.
  • Onboard missing data feeds to empower detections: onboard the data feeds identified by the DUC review and the risk modelling exercise, and map them accordingly.
  • Assist in creating an Operational Model: host a workshop giving the client hands-on experience in building an operating model.

Apto’s Approach

One of our first steps was to carry out a discovery exercise. A key part of this was understanding the client’s existing use cases and identifying what needed to be monitored. To achieve this, we conducted a series of workshops to assess their assets, determine their monitoring requirements and establish what measures could be implemented to improve their security visibility. We also worked to clarify the shared responsibilities between the client and their third-party security team. One of the main challenges here was resistance from the third-party team, who were reluctant to engage with us, which made it difficult to gain full buy-in from all stakeholders.

Another critical element was determining which security frameworks the client needed to align with. When we arrived, they had multiple conflicting ideas but no clear direction. We collaborated with them to narrow this down to three frameworks and provided guidance on how to justify and implement them effectively.

In the design phase, we leveraged insights from the discovery exercise to develop new detections, addressing key gaps and enhancing their security coverage. We also facilitated additional workshops, not only to refine the detection process but also to equip the client with the knowledge to create the necessary documentation themselves.

Finally, during the deployment phase we ensured end-to-end testing of everything we implemented. This included validating all use cases, diagrams and models to confirm they were functioning correctly. We meticulously tested for any edge cases that could trigger errors or cause issues, ensuring the system was robust and fit for purpose.

Outcomes

As a result of this engagement, we resolved all of the existing health issues, bringing the search head’s health status to green across the board. We also provided them with a comprehensive overview of their framework coverage, highlighting any gaps that might require future attention. Additionally, we outlined the legal requirements they were now meeting and provided clear guidance on the next steps for those they still needed to address.

We established an ongoing risk management process, helping them define several key risks during our time with them. While it wasn’t feasible to cover every potential risk within the timeframe, we equipped them with the necessary tools and documentation to continue the process independently.

To further support their compliance efforts, we developed a series of bespoke dashboards, making it significantly easier for them to investigate key compliance elements (such as vulnerabilities) which had previously been a long-winded and inefficient process.

Business Impact

One of the key impacts of this engagement was optimising the client’s use of their search head, making it far more cost-effective. Initially the search head was overloaded, so scheduled searches were frequently skipped, while the client was also paying a high licence fee for ingestion. By working with them to reduce ingestion costs, we not only helped save money on renewals but also improved resource efficiency and usability.
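The skipped searches mentioned above are the first thing to quantify when a Splunk search head is overloaded, because the scheduler records every skip with a reason, and that reason tells you whether the search head as a whole is saturated or whether an individual search simply runs longer than its own schedule interval. The script below is an added example, not Apto’s tooling or anything from the client’s environment: it parses a constructed sample modelled on the key=value layout of Splunk’s scheduler.log (the `index=_internal sourcetype=scheduler` events), computes a skip ratio and average run time per saved search, and triages each skipping search by its dominant reason. The search names, reason strings and thresholds (20% skip ratio, 300 s average run time) are assumptions chosen for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample modelled on Splunk's scheduler.log key=value format.
# Search names, timings and reason strings are illustrative, not real client data.
SAMPLE_SCHEDULER_LOG = """\
02-10-2025 09:00:05.123 +0000 INFO  SavedSplunker - savedsearch_id="nobody;SplunkEnterpriseSecuritySuite;Threat - Brute Force Access - Rule", search_type="scheduled", user="nobody", app="SplunkEnterpriseSecuritySuite", savedsearch_name="Threat - Brute Force Access - Rule", priority=default, status=success, run_time=41.20, scheduled_time=1739178000
02-10-2025 09:05:04.882 +0000 INFO  SavedSplunker - savedsearch_id="nobody;SplunkEnterpriseSecuritySuite;Threat - Brute Force Access - Rule", search_type="scheduled", user="nobody", app="SplunkEnterpriseSecuritySuite", savedsearch_name="Threat - Brute Force Access - Rule", priority=default, status=success, run_time=38.90, scheduled_time=1739178300
02-10-2025 09:10:05.010 +0000 INFO  SavedSplunker - savedsearch_id="nobody;SplunkEnterpriseSecuritySuite;Threat - Brute Force Access - Rule", search_type="scheduled", user="nobody", app="SplunkEnterpriseSecuritySuite", savedsearch_name="Threat - Brute Force Access - Rule", priority=default, status=success, run_time=45.00, scheduled_time=1739178600
02-10-2025 09:15:04.731 +0000 INFO  SavedSplunker - savedsearch_id="nobody;SplunkEnterpriseSecuritySuite;Threat - Brute Force Access - Rule", search_type="scheduled", user="nobody", app="SplunkEnterpriseSecuritySuite", savedsearch_name="Threat - Brute Force Access - Rule", priority=default, status=success, run_time=40.10, scheduled_time=1739178900
02-10-2025 09:15:12.300 +0000 INFO  SavedSplunker - savedsearch_id="nobody;SplunkEnterpriseSecuritySuite;Access - Excessive Failed Logins - Rule", search_type="scheduled", user="nobody", app="SplunkEnterpriseSecuritySuite", savedsearch_name="Access - Excessive Failed Logins - Rule", priority=default, status=success, run_time=912.50, scheduled_time=1739178000
02-10-2025 09:05:00.410 +0000 INFO  SavedSplunker - savedsearch_id="nobody;SplunkEnterpriseSecuritySuite;Access - Excessive Failed Logins - Rule", search_type="scheduled", user="nobody", app="SplunkEnterpriseSecuritySuite", savedsearch_name="Access - Excessive Failed Logins - Rule", priority=default, status=skipped, reason="The maximum number of concurrent running jobs for this historical scheduled search on this cluster has been reached", scheduled_time=1739178300
02-10-2025 09:10:00.402 +0000 INFO  SavedSplunker - savedsearch_id="nobody;SplunkEnterpriseSecuritySuite;Access - Excessive Failed Logins - Rule", search_type="scheduled", user="nobody", app="SplunkEnterpriseSecuritySuite", savedsearch_name="Access - Excessive Failed Logins - Rule", priority=default, status=skipped, reason="The maximum number of concurrent running jobs for this historical scheduled search on this cluster has been reached", scheduled_time=1739178600
02-10-2025 09:30:09.118 +0000 INFO  SavedSplunker - savedsearch_id="nobody;SplunkEnterpriseSecuritySuite;Access - Excessive Failed Logins - Rule", search_type="scheduled", user="nobody", app="SplunkEnterpriseSecuritySuite", savedsearch_name="Access - Excessive Failed Logins - Rule", priority=default, status=success, run_time=905.00, scheduled_time=1739178900
02-10-2025 09:20:00.377 +0000 INFO  SavedSplunker - savedsearch_id="nobody;SplunkEnterpriseSecuritySuite;Access - Excessive Failed Logins - Rule", search_type="scheduled", user="nobody", app="SplunkEnterpriseSecuritySuite", savedsearch_name="Access - Excessive Failed Logins - Rule", priority=default, status=skipped, reason="The maximum number of concurrent running jobs for this historical scheduled search on this cluster has been reached", scheduled_time=1739179200
02-10-2025 09:02:03.555 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;Endpoint - Vulnerability Summary", search_type="scheduled", user="nobody", app="search", savedsearch_name="Endpoint - Vulnerability Summary", priority=default, status=success, run_time=120.00, scheduled_time=1739178000
02-10-2025 09:05:00.390 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;Endpoint - Vulnerability Summary", search_type="scheduled", user="nobody", app="search", savedsearch_name="Endpoint - Vulnerability Summary", priority=default, status=skipped, reason="The maximum number of concurrent historical scheduled searches on this instance has been reached", scheduled_time=1739178300
02-10-2025 09:12:01.902 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;Endpoint - Vulnerability Summary", search_type="scheduled", user="nobody", app="search", savedsearch_name="Endpoint - Vulnerability Summary", priority=default, status=success, run_time=120.00, scheduled_time=1739178600
02-10-2025 09:15:00.388 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;Endpoint - Vulnerability Summary", search_type="scheduled", user="nobody", app="search", savedsearch_name="Endpoint - Vulnerability Summary", priority=default, status=skipped, reason="The maximum number of concurrent historical scheduled searches on this instance has been reached", scheduled_time=1739178900
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,\s]+)')


def parse_line(line):
    """Return the fields of one SavedSplunker scheduler event, or None for any other line."""
    if "SavedSplunker" not in line:
        return None
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


@dataclass
class SearchHealth:
    scheduled: int = 0                                   # every scheduler decision for this search
    skipped: int = 0                                     # decisions with status=skipped
    run_times: list = field(default_factory=list)        # run_time of successful executions (seconds)
    reasons: Counter = field(default_factory=Counter)    # skip reason -> count

    @property
    def skip_ratio(self):
        return self.skipped / self.scheduled if self.scheduled else 0.0

    @property
    def avg_run_time(self):
        return sum(self.run_times) / len(self.run_times) if self.run_times else 0.0


def summarise(log_text):
    """Aggregate scheduler events per saved search name."""
    health = {}
    for line in log_text.splitlines():
        event = parse_line(line)
        if not event or event.get("search_type") != "scheduled":
            continue
        h = health.setdefault(event["savedsearch_name"], SearchHealth())
        h.scheduled += 1
        if event.get("status") == "skipped":
            h.skipped += 1
            h.reasons[event.get("reason", "unknown")] += 1
        elif "run_time" in event:
            h.run_times.append(float(event["run_time"]))
    return health


def unhealthy(health, skip_ratio=0.2, slow_seconds=300.0):
    """Sorted names of searches breaching either threshold (thresholds are assumed values)."""
    return sorted(name for name, h in health.items()
                  if h.skip_ratio >= skip_ratio or h.avg_run_time >= slow_seconds)


def diagnose(h):
    """Triage by dominant skip reason: a per-search limit means the search outruns its own interval."""
    if h.skipped == 0:
        return "healthy"
    reason, _ = h.reasons.most_common(1)[0]
    if "this historical scheduled search" in reason:
        return "per-search concurrency limit (search runs longer than its schedule interval)"
    if "concurrent" in reason:
        return "search-head concurrency limit (scheduler overloaded)"
    return "other: " + reason


if __name__ == "__main__":
    report = summarise(SAMPLE_SCHEDULER_LOG)
    for name in unhealthy(report):
        h = report[name]
        print(f"{name}: skip ratio {h.skip_ratio:.0%}, avg run {h.avg_run_time:.0f}s -> {diagnose(h)}")
```

The distinction the triage makes matters for the fix: a search hitting its own per-search limit needs its search window or logic tightened (it cannot finish before it is next due), whereas a search skipped by the instance-wide limit is a victim of overall scheduler load and is fixed by reducing or staggering the other searches, which is the kind of clean-up that brings a red search head back to green.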

We also provided the client with a much clearer view of their overall compliance. When we arrived, they were attempting to align with five or six different frameworks, which created unnecessary complexity. We helped them refine their focus to just three, ensuring alignment across all levels of the organization, from the security team to the C-suite, so everyone was on the same page regarding what needed to be done to achieve full compliance.

Another major impact was establishing a comprehensive risk management process. When we first engaged with them, they had no formal process in place and lacked awareness of its importance. Beyond just implementing the process, we ensured they understood its purpose and knew how to maintain and evolve it over time, providing them with long-term security and compliance benefits.

Challenges Faced

  • Lack of Risk Register – With no client risk register we were starting blind, with no guidance on which detections were required.
  • Client Mindset – Initially the client could not see the value in the time and money spent on a risk modelling exercise, or in the time needed to create an operational model.
  • Lack of Buy-In – A lack of buy-in from the necessary stakeholders within the client, as well as from the third-party security team, caused delays at the beginning of the engagement.

What we have learned

Off the back of this engagement there were three key points we learnt:

  1. We gained a robust and repeatable approach to risk management. We now have a body of documentation and workshops that we can take to clients, together with the underlying knowledge required for the process, so we can explain to future clients why it is crucial to achieving strong security maturity.
  2. For any engagement where workshops are required, the earlier we can achieve buy-in from the relevant stakeholders the better. We now have a much better understanding of which teams need to be involved, alongside the need to establish clear ownership and accountability for each domain.
  3. Last but not least, we learnt the value of a risk-led approach to engineering security detections, as opposed to a data-led approach. When you focus only on the data you currently have, you can lose sight of the data you are missing, whereas starting from the risks gives you the bigger picture.
