Even the best cyber-defense strategy will fail if it’s not executed effectively. A security team’s “ground game” will determine how well it detects and responds to cyber-attacks, but many organizations fall short in this area. They lack the right mix of talent and capabilities, as well as a robust cybersecurity model that can drive appropriate action when threats appear.
Cyber-attacks are nothing new, but their consequences have recently become more significant. The expansion of the Internet of Things (IoT), the proliferation of connected devices and the growth of Cloud computing all mean that an organization’s “attack surfaces” are growing. For example, by linking their ATMs to their networks, banks have made them accessible to hackers; also, oil and gas companies are connecting refineries, plants and pipeline management systems across networks, sometimes using the Internet to enable vendor system management, which opens the door to cyber-attacks. This target-rich environment makes it easier for hackers to find an entry point into organizations. Meanwhile, the consequences of security breaches are increasing for CEOs and CIOs, raising the personal and professional stakes for top managers.
Achieving best-practice operational effectiveness can deliver a wide array of security-related benefits, ranging from fewer successful incursions to faster response times to quicker recoveries when attackers do hit. A strong security ground game can also reduce costs and risks for the business. However, many companies continue to struggle to attain this level of performance for a variety of reasons.
Critical technologies and skills
Experience suggests that security operations lack sufficient rigor and consistency, and that key people remain unaware of company vulnerabilities. Organizations often employ a grab bag of ad-hoc processes and capabilities that offer varying levels of effectiveness. What’s more, many still don’t practice good enterprise-wide “security hygiene” – including basics – both in the business at large and among security professionals.
In the current high-turnover environment, firms often expose themselves by having only one person responsible for a security area, such as malware reverse engineering or incident response. If that person leaves, all of the knowledge goes with him or her.
Another issue is that the cyber-defense capabilities at many organizations exhibit increasing amounts of “noise” that mask valid threats coming both from outside and within the organization. The constantly changing IT environment that characterizes most large enterprises can make it extremely difficult for the security team to keep track of and protect critical information. For example, most leaders intuitively know what the company’s digital “crown jewels” are – they may be customer data, a secret “recipe” or operational algorithms.
Ensuring that the security team knows where to find these resources, however, requires strong information asset-management approaches, which can prove challenging because of business needs that may require the IT infrastructure to flex and change to meet new demands. Keeping track of such issues requires security staff to improve their “soft skills” in order to become more effective in engaging and partnering with the business.
Likewise, security often has insufficient visibility into the organization’s “asset landscape” due to the limitations of the tools and processes it uses. For instance, a security analyst might receive an alert that a potential attack is happening on the network, but because of limited access to the necessary information and people, he or she will spend hours or days attempting to figure out the problem. Yet another hurdle is time itself: where most breaches happen within a few days, the industry takes seven to eight months on average to detect them. Closing this gap should be a mandate.
Organizations have a number of specific steps they can take to improve their security operations:
Assess security capabilities: Evaluate the security processes the company currently uses in terms of their effectiveness when responding to a threat. The arrival of major new sources of data, such as the IoT and Cloud computing, is complicating this challenge.
Invest in talent where it makes sense: Given the almost daily reports of new, high-profile cyber-attacks, demand for top security talent has skyrocketed, making it increasingly difficult to attract and retain good security talent. Organizations need to create new value propositions that go beyond compensation, such as providing access to cutting-edge tools, training, and peer and industry knowledge sharing.
Automate intelligently: Understand the time-consuming and frequent tasks within security operations that occupy staff and investigate the prospects for automating them in order to focus talent on tougher challenges. Hackers clearly hold the high ground today as attack surfaces proliferate. Consequently, good security organizations are taking steps to replace their current reliance on “eyes-on-glass” with automation that can help them to deal with basic threats like “spear phishing”, where the attacker personalizes emails sent to recipients.
Contextualize the collected threat data: Security teams often lack situational awareness when an incident occurs. They need to know what it means for the business, who the players are, what the priorities are and whether they can act based on the information at hand. Organizations must determine whether the security team understands enough about specific assets to contextualize threat data effectively.
Know what you don’t know: Identify the types of questions that security can’t answer with its current capabilities and then pinpoint the data needed to operate effective analytics and provide clarity. It’s also possible that the company isn’t asking the right questions, or doesn’t have the visibility required to see the needed data, especially given the rapidly expanding digital attack surfaces it needs to cover with the growth of the Cloud and other network elements.
Invest in a highly efficient operating model: Several models exist that align IT services with the needs of an organization’s business side, providing a touchpoint for developing effective security operating strategies. Given the near-constant rate of change that IT functions undergo as companies integrate massive new cloud and IoT assets into their networks, companies need to manage the evolving role of the security organization in terms of risk management, business liaisons, the use of “hunting teams” and staff job rotations. Furthermore, experience confirms the importance of creating a balance among the time spent running the security operations, implementing new technologies and testing the organization’s security posture.
Find a sparring partner: It can be difficult to improve the maturity of cybersecurity capabilities without the equivalent of a boxer’s sparring partner. For example, after mastering static “punching bags”, firms need a life-size opponent to drive additional improvements.
The sparring partner needs to apply all of the attacker’s creativity and intent to ensure that the company’s security innovations keep pace with the latest hacker advances, which continue to increase exponentially. That means engaging all of the business stakeholders: insurance, risk management, marketing and communications, legal staff, the fraud team and so on.
Done right, the sparring partner approach replicates real-world attacks to a far greater degree than is possible by running tabletop exercises, working through compliance checklists or conducting an annual penetration test. The approach reflects a statement by Joe Louis, past boxing champion, who declared, “Everybody has a plan, until they’ve been hit.” An organization’s cybersecurity game plan needs the right mix of talent, skill, capabilities and technology.
There are few signs that the brutal assault on the digital assets of companies and institutions worldwide will diminish anytime soon; in fact, the opposite is probably true. Given this risk-filled environment, firms need the best operational security capabilities possible if they hope to attain the cohesion and clarity required to defend the organization’s most valuable digital assets.