14 Nov CyberConnect17 Reflections – Are The (Relatively) Rich Getting Richer?
By Tom Young, Executive Vice President of Worldwide Sales
While suffering the slow Wi-Fi on an Amtrak Northeast Regional train out of New York’s Penn Station last week, I wondered if Acela riders are experiencing the same pain. That thought reminded me of a nagging conclusion that kept entering my mind the entire time I was in New York for the CyberConnect 2017 conference: In the world of cybersecurity, as with Amtrak Wi-Fi, the relatively “rich” seem to end up with the best resources, while the rest of the community struggle to make do.
Don’t get me wrong, CyberConnect17 was a well-run, informative series of sessions, hosted and delivered by thought (and action) leaders, including former NSA chief and Commander of U.S. Cyber Command General (Ret.) Keith Alexander, Jim Routh of Aetna, Jason Witty of US Bank, and others. I’d go again in a heartbeat.
Many new ideas at CyberConnect17; still, most organizations wrestle for budget just to address their expanding attack surface and increasing alerts
As I spoke with fellow attendees after each session, I kept hearing a familiar refrain: it’s hard enough to get budget to attend these types of events, let alone hire or task experts to implement what the event’s talks detailed, such as enlisting data scientists to do threat modeling of 150 different scenarios, or building a Cyber Threat Intelligence (CTI) program with 3-4 people to reverse engineer malware and assimilate reams of research and intelligence.
I was struggling to rationalize my own personal experiences with customers and prospects, versus anecdotes we hear from much larger organizations where budgets and staff are seemingly limitless, in comparison. Most organizations I’ve seen are struggling to keep pace with their firm’s:
- Expanding attack surface (e.g., cloud, mobile, and IoT)
- Increasing alert volumes (e.g., flags from end-user behavioral analytics, wire-speed anomaly detections, and cloud access security brokers), and
- A lack of budget and resources
The Amtrak Wi-Fi example solidified the notion I’ve had after trying to help organizations automate and orchestrate their security operations to reduce cycle time, and by proxy, risk, throughout the Incident Response (IR) lifecycle. Very large firms have the relative luxury of applying massive amounts of people and technology to their SOC challenges. However, the majority of firms do not have this leeway, leaving them feeling farther and farther behind in the battle against the bad guys.
Cyber-security process management, alert triage, investigation prioritization and incident response remain the more fundamental day-to-day focus for SOCs
Hiring data scientists to rationalize alert and intelligence streams, standing up a CTI program to proactively hunt and analyze malware samples, and setting up automation to update IT infrastructure with hundreds of new indicators of compromise (IOCs) daily are all exciting, thought-provoking initiatives. But they can feel like “Star Wars” (or this epic, if you prefer) for most SOCs, or “Cyber Defense Fusion Centers,” as I’ve started hearing people refer to them.
Among most SOCs in the audience, the day-to-day challenges are more fundamental:
- Defining/documenting their preferred process for alert triage and Incident Response
- Consistently executing, documenting and auditing these processes, and
- Effectively prioritizing investigations based on potential business risk
While not as sexy sounding as using “AI” and “Machine Learning” (terms so over-used and over-hyped that they’ve lost their meaning) to model, even predict, emerging threats, the act of establishing these basic, requisite IR building blocks is essential, and it doesn’t require massive budgets or staff. It does require leadership to make defining these basics a priority, and implementation of a platform within which these processes can live, be executed, measured, and improved.
Without technology to instantiate, guide, and track these processes, as well as measure their results, the firms with limited budgets will never keep pace. These platforms enable the journey through the stages of Security Operations maturity, regardless of the size and sophistication of the IT and security infrastructure, and they set the stage for automation according to the risk appetite of the organization (see Syncurity Founder & CSO JP Bourget’s Dark Reading column, “Finding Your Appetite for Security Automation (and Why That’s Important)”).
Meanwhile back on earth… a Cyber-Security Operations Platform, such as Syncurity’s IR Flow, is within reach for most SOCs looking to fortify and streamline their Security Operations
So, as I watch the spinning Safari color wheel, which seems to be invoked by even the simplest of browsing actions, I think of how most enterprises would love to have a fully automated SOC, supported by data scientists and a CTI unit. Their reality is that they would be best served by something more fundamental – a Security Operations platform to define, execute, and measure SOC processes, while capturing an audit and eDiscovery-proof System of Record, from which they can begin to automate based on their risk tolerance.
Feeling more like the firms with limited budget and resources, than the Aetnas and US Banks of the world? Let’s talk. We feel your pain and can help.
Click to call: 703-570-4220, or, complete our inquiry form and we’ll contact you during business hours.