Security tools are a crucial part of any effective organizational cybersecurity strategy. However, have you noticed that it seems as if the industry is very much focused on developing complex solutions to problems that only a small proportion of organizations out there ever experience? A recent visit to RSA Conference confirmed this view: I was overwhelmed by a dizzying array of advanced technologies and ‘silver bullet’ solutions.

Against this backdrop, security leaders are understandably confused — which can lead to focusing on the wrong things. Instead, CISOs need to go back to basics, and prioritize three key areas to get the most out of incident response.

Solutions overload

Today’s CISOs have an unenviable job. Tasked with supporting digital transformation efforts that could make or break the organization, they must face down an extremely agile, determined and increasingly well-resourced enemy.

The latest findings from NTT Security’s 2019 Global Threat Intelligence Report (GTIR) reveal that application-specific and web application attacks doubled over the past year. But they’re far from the only threat facing firms. DNS hijacking, brute forcing, phishing, keyloggers, information-stealing trojans, coin mining malware, ransomware — the list goes on.

All the while the attack surface continues to grow, thanks to the adoption of digital technologies and a continued increase in reported vulnerabilities: over 16,500 of which were found last year alone.

Amidst this rapidly evolving threat landscape, IT security bosses have been led to think that there’s a solution for every problem, that the next iteration of Product X will help solve Security Challenge Y. In reality, this often leads to tool bloat and unrealistic expectations. One IT leader I spoke to was trying to manage 42 separate security products in their SOC. That’s the kind of scenario that’s unlikely to produce the desired results.  

As an industry, we need to take some of the blame here. Yes, security vendors are under tremendous commercial pressure to release new products to tackle new threats. But are we quantifying each organization’s actual risk posture: what it really needs, and where most of the attacks against it originate?

We tell the customer to be proactive, but as an industry we have been continually reactive in churning out products to respond to threats.

Three key areas

This has created confusion among customer organizations and complicates efforts to find where the real source of cyber risk lies. Three areas that are currently all too often ignored should take center stage:

1. Proactive incident response: Corporate executives too often believe “we can’t be hacked”. They don’t accept the reality that threats are everywhere and that the bad guys only need to get lucky once, whereas defenders need to be successful 100% of the time to prevent a breach. This means that they most likely haven’t even begun to identify their most important corporate assets.

Deciding what the “crown jewels” are is a crucial first step in any effective incident response strategy. If you don’t know what your most important assets are, you’ll be ill-prepared to take action when an incident does occur. Organizations need to get to a point where they can take proactive incident response measures to minimize the all-important breach exposure time (BET). This stood at an average of 177 days for EMEA organizations last year, which is unacceptably long.

2. Content filtering: Filtering out the white noise, i.e. “how do I fine-tune my products to develop an actionable intelligence capability?”, is one of the most significant pain points. Organizations should develop a flexible framework to identify the specific threats to the organization (from threat intelligence, business-driven requirements and ongoing security monitoring) that allows consultants to draft specific attack scenarios. These attack scenarios can be broken down into their components (via the Cyber Kill Chain) so that mitigation and blocking strategies can be deployed (firewalls, proxies, honeypots etc.) and specific detection use cases can be mapped to each element of the Kill Chain.

Once you’ve minimized BET, you can start to track your online adversaries by outlining their TTPs and then following proactive threat-hunting techniques. This is the best way to get on the front foot and begin to pre-empt attacks. A key discipline to master in doing so is content filtering — that is, filtering out the “white noise” specific to your environment so that you are able to focus on the intelligence that matters most. Products don’t just come plug-and-play in this space; content filtering is a gradual process that will require you to learn the lessons of previous attacks en route to a more effective incident response capability.
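To make the framework in the previous two paragraphs concrete, here is an added example (it is not code from the article or from NTT Security) that decomposes one constructed attack scenario into Cyber Kill Chain phases, records a detection use case and a mitigation control for each phase, and applies environment-specific suppression rules to a constructed alert feed so that known “white noise” (an authorized vulnerability scanner, a scheduled backup transfer) is separated from the alerts that deserve analyst attention. All scenario names, IP addresses, rule names and suppression predicates are assumptions for the example.

```python
"""Added example: a small content-filtering framework.

An AttackScenario is broken into Cyber Kill Chain phases; each phase carries
the detection use case the SOC should alert on and the control that mitigates
it. Suppression predicates encode white noise specific to one environment.
Every name, address and rule below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Cyber Kill Chain phases, in order.
KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]


@dataclass
class PhaseMapping:
    phase: str
    detection_use_case: str  # what the SOC should detect in this phase
    mitigation: str          # which control blocks or mitigates it


@dataclass
class AttackScenario:
    name: str
    source: str  # threat intelligence / business requirement / monitoring
    phases: List[PhaseMapping] = field(default_factory=list)

    def add(self, phase: str, detection: str, mitigation: str) -> "AttackScenario":
        if phase not in KILL_CHAIN:
            raise ValueError(f"unknown kill chain phase: {phase}")
        self.phases.append(PhaseMapping(phase, detection, mitigation))
        return self

    def coverage(self) -> Dict[str, bool]:
        """Which phases of the chain have at least one detection use case."""
        covered = {p.phase for p in self.phases}
        return {phase: phase in covered for phase in KILL_CHAIN}


@dataclass
class Alert:
    rule: str
    src: str
    dst: str
    phase: str


# Suppression predicates: an alert matching any of them is white noise here.
# Both are constructed examples of environment-specific tuning.
def authorised_scanner_noise(a: Alert) -> bool:
    # 10.0.5.20 is assumed to be the organisation's own vulnerability scanner.
    return a.rule == "port_scan" and a.src == "10.0.5.20"


def backup_transfer_noise(a: Alert) -> bool:
    # 10.0.9.9 is assumed to be the backup target for nightly transfers.
    return a.rule == "large_outbound_transfer" and a.dst == "10.0.9.9"


SUPPRESSIONS: List[Callable[[Alert], bool]] = [
    authorised_scanner_noise, backup_transfer_noise,
]


def filter_noise(alerts: List[Alert],
                 suppressions=SUPPRESSIONS) -> Tuple[List[Alert], List[Alert]]:
    """Split alerts into (kept, dropped); dropped alerts matched a suppression."""
    kept: List[Alert] = []
    dropped: List[Alert] = []
    for a in alerts:
        (dropped if any(s(a) for s in suppressions) else kept).append(a)
    return kept, dropped


def build_phishing_scenario() -> AttackScenario:
    """A constructed credential-phishing scenario mapped onto the kill chain."""
    return (
        AttackScenario("credential phishing", source="threat intelligence")
        .add("delivery", "inbound mail from lookalike sender domain", "mail gateway")
        .add("exploitation", "user browses to newly registered domain", "web proxy")
        .add("command_and_control", "periodic beaconing to uncategorised domain",
             "egress firewall")
    )


# Constructed alert feed: two scanner alerts (one authorised, one external),
# one backup transfer and one beacon.
SAMPLE_ALERTS = [
    Alert("port_scan", "10.0.5.20", "10.0.1.15", "reconnaissance"),
    Alert("port_scan", "203.0.113.7", "10.0.1.15", "reconnaissance"),
    Alert("large_outbound_transfer", "10.0.1.30", "10.0.9.9", "actions_on_objectives"),
    Alert("beacon", "10.0.1.30", "198.51.100.4", "command_and_control"),
]

if __name__ == "__main__":
    scenario = build_phishing_scenario()
    for phase, covered in scenario.coverage().items():
        print(f"{phase:24s} {'detection mapped' if covered else 'GAP'}")
    kept, dropped = filter_noise(SAMPLE_ALERTS)
    print(f"{len(dropped)} alerts suppressed as white noise, {len(kept)} kept")
```

The coverage table is the useful output: every phase reported as a gap is a place where the scenario could progress without the SOC seeing it, which is exactly the kind of finding that should drive the next tuning cycle rather than the next product purchase.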

3. Metrics systems: How do you evaluate if your security posture is working? You can’t simply wait until you’re hacked to know that something needs changing — IT security must be more proactive than that. This is where metrics become a key part of the incident response strategy. You will need to put a great deal of thought into what metrics are needed from a management, operational and technical security standpoint to help measure what’s working and what isn’t.

These metrics need to be relevant to your organization, otherwise the team will be swamped with meaningless alerts that will actually make their job harder. Consider starting with a mission statement for your SOC, and from there identify the scope and networks that must be covered by any metrics. It may then help to break out the individual security teams and their own mission statements, to gain greater granularity.
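As an added example (not from the article or from NTT Security), the following computes one metric for each of the three levels the article names from constructed records: a management metric (mean breach exposure time in days, the BET figure discussed earlier), an operational metric (the share of triaged alerts per rule that were true positives, which exposes rules generating meaningless alerts) and a technical metric (how early in the Kill Chain incidents were actually detected). The incident dates, rule names and triage outcomes are all constructed.

```python
"""Added example: three incident-response metrics from constructed data.

- management:  mean breach exposure time (compromise -> detection) in days
- operational: true-positive rate per detection rule, to find noisy rules
- technical:   at which kill chain phase incidents were detected
All records below are constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import date
from typing import Dict, List, Tuple

KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]

# (incident id, first compromise, detection, phase in which it was detected)
INCIDENTS: List[Tuple[str, date, date, str]] = [
    ("INC-1", date(2019, 1, 10), date(2019, 3, 1), "command_and_control"),
    ("INC-2", date(2019, 2, 1), date(2019, 2, 4), "delivery"),
    ("INC-3", date(2019, 4, 1), date(2019, 4, 8), "exploitation"),
    ("INC-4", date(2018, 12, 1), date(2019, 4, 1), "actions_on_objectives"),
]

# (detection rule, analyst triage outcome)
TRIAGE: List[Tuple[str, str]] = [
    ("beacon", "true_positive"), ("beacon", "true_positive"),
    ("beacon", "true_positive"), ("beacon", "false_positive"),
    ("port_scan", "true_positive"), ("port_scan", "false_positive"),
    ("port_scan", "false_positive"), ("port_scan", "false_positive"),
    ("port_scan", "false_positive"),
    ("phishing_mail", "true_positive"), ("phishing_mail", "true_positive"),
]


def breach_exposure_days(incidents) -> List[int]:
    """Days between first compromise and detection, per incident."""
    return [(detected - compromised).days
            for _, compromised, detected, _ in incidents]


def mean_breach_exposure(incidents) -> float:
    """Management metric: average BET in days."""
    days = breach_exposure_days(incidents)
    return sum(days) / len(days)


def precision_by_rule(triage) -> Dict[str, float]:
    """Operational metric: fraction of each rule's alerts that were real."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for rule, outcome in triage:
        counts[rule][outcome] += 1
    return {rule: c["true_positive"] / sum(c.values())
            for rule, c in counts.items()}


def noisy_rules(triage, threshold: float = 0.5) -> List[str]:
    """Rules whose precision is below the threshold: candidates for tuning."""
    return sorted(r for r, p in precision_by_rule(triage).items() if p < threshold)


def detection_phase_counts(incidents) -> Counter:
    """Technical metric: how many incidents were caught at each phase."""
    return Counter(phase for _, _, _, phase in incidents)


def early_detection_rate(incidents, latest_phase: str = "exploitation") -> float:
    """Share of incidents detected at or before the given kill chain phase."""
    cutoff = KILL_CHAIN.index(latest_phase)
    early = sum(1 for _, _, _, phase in incidents
                if KILL_CHAIN.index(phase) <= cutoff)
    return early / len(incidents)


if __name__ == "__main__":
    print(f"mean breach exposure time: {mean_breach_exposure(INCIDENTS):.1f} days")
    for rule, p in sorted(precision_by_rule(TRIAGE).items()):
        print(f"{rule:14s} precision {p:.2f}")
    print("rules needing tuning:", noisy_rules(TRIAGE))
    print("detected per phase:", dict(detection_phase_counts(INCIDENTS)))
    print(f"detected by exploitation: {early_detection_rate(INCIDENTS):.0%}")
```

Each function returns its value rather than only printing it so the same code can feed a dashboard or a periodic report; the thresholds (0.5 precision, "exploitation" as the early-detection cutoff) are the kind of organization-specific choices the article says should follow from the SOC's mission statement.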

This is just a snapshot of what’s required for IT security leaders to start regaining the initiative in the battle against online threats. It will take time but, the good news is, it’s never too late to start.