12 Feb Solutions to Top 6 Reasons You’re Not Addressing Your Biggest IT Security Threats
By Tom Young, Executive Vice President of Worldwide Sales
Roger Grimes, a principal security architect at Microsoft, recently wrote a well-respected article for CSO Online summarizing the “Top 6 Reasons you’re failing to focus on your biggest IT security threats.”
These Top 6 reasons include:
- The sheer number of IT security threats is overwhelming
- Threat hype can distract from more serious threats
- Bad threat intelligence skews focus
- Compliance concerns don’t always align with security best practices
- Too many projects spread resources thin
- Pet projects usually aren’t the most important ones
Despite all of the people, process and technology found in an average Security Operations Center, the reason many firms are not able to easily address these “Top 6 reasons” isn’t a lack of desire.
It’s the lack of security operations data.
More specifically, it’s the lack of an enterprise-class Security Operations platform to help organizations manage, capture and report on all of the relevant security operations activity data.
This data is important because it is aggregated from all of the security and threat intel alerts that have been escalated to the Security Operations team (SIEM, MSSP, security tools, user-submitted phishing emails, etc.), together with their dispositions (e.g., false positive, combined with other alerts and escalated into an incident, the outcome of the incident, etc.) and the resulting timeline for the entire alert triage and IR process.
Without this data, most firms have no idea how much time it takes for their alert handling and incident response teams to detect and remediate security incidents, let alone where to find that data.
The 2017 SANS SOC Survey provides a simple reference of where most firms fall on the “Time-to-Detect” and “Time-to-Remediate” bell curve.
With this in mind, here’s a quick rundown of how the security operations data provided by an enterprise-class Security Operations platform could help address each of these Top 6 Challenges:
1. The sheer number of IT security threats is overwhelming
As Grimes says in the CSO Online summary, “Computer defenders could be likened to 911 call center dispatchers who are getting more emergency calls each day than any single ambulance crew can adequately respond to, and so they have to triage and prioritize.” The question is how. When using an enterprise-class SecOps platform like Syncurity IR Flow, inbound alerts are automatically evaluated against a series of business risk indicators and ranked based on potential damage. These alerts are then enriched through a series of automated steps typically done manually by SOC analysts – looking up IPs, domains, MD5 hashes, and other IoCs to determine what confidence and risk multiple threat intel sources ascribe, validating user and asset information, etc. As these values are pulled into the alert record, the risk score is dynamically re-calculated, so that the resulting decision – escalate to an incident, combine with similar alerts and escalate, or close as a false positive or because it was caught by an existing security control – can be taken quickly by the analyst. The speed with which this risk-scoring and triage is done is the key factor in reducing cyber risk for most organizations. The fact that the staff is overwhelmed, and that most lack a platform to perform objective, risk-based analysis at machine speed, is what prevents this reason from being addressed.
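The triage loop described above (rank on business risk indicators, enrich from several threat intel sources, re-score after each enrichment, then present a disposition) as an added illustration; this is constructed example code, not Syncurity IR Flow’s implementation, and the source fidelity weights, thresholds and indicator values are assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical fidelity weight per threat-intel source (constructed for this example);
# in a real platform these would be derived from disposition history.
SOURCE_WEIGHT = {"vendor_feed_a": 0.9, "open_feed_b": 0.5, "internal_blocklist": 1.0}

@dataclass
class Alert:
    alert_id: str
    asset_criticality: int            # business risk indicator, 1 (lab box) .. 5 (crown jewel)
    privileged_user: bool             # validated user information
    blocked_by_control: bool = False  # an existing control already stopped the activity
    enrichment: list = field(default_factory=list)  # (source, ioc, confidence 0..1)

def base_score(alert: Alert) -> float:
    """Initial rank from business risk indicators alone, before any enrichment."""
    score = alert.asset_criticality * 10.0
    if alert.privileged_user:
        score += 15.0
    return score

def risk_score(alert: Alert) -> float:
    """Re-computed every time an enrichment value lands on the alert record."""
    score = base_score(alert)
    for source, _ioc, confidence in alert.enrichment:
        score += 40.0 * SOURCE_WEIGHT.get(source, 0.3) * confidence
    return min(score, 100.0)

def enrich(alert: Alert, source: str, ioc: str, confidence: float) -> float:
    """Record one threat-intel lookup result and return the updated risk score."""
    alert.enrichment.append((source, ioc, confidence))
    return risk_score(alert)

def disposition(alert: Alert, escalate_at: float = 70.0, combine_at: float = 40.0) -> str:
    """Decision the analyst is presented with once enrichment is complete."""
    if alert.blocked_by_control:
        return "close: caught by existing control"
    score = risk_score(alert)
    if score >= escalate_at:
        return "escalate to incident"
    if score >= combine_at:
        return "combine with similar alerts and escalate"
    return "close: false positive"

def group_by_ioc(alerts):
    """Alerts sharing an indicator are candidates to be combined into one incident."""
    groups = {}
    for alert in alerts:
        for _source, ioc, _conf in alert.enrichment:
            groups.setdefault(ioc, []).append(alert.alert_id)
    return groups
```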
2. Threat hype can distract from more serious threats
Many people have heard of “breach fatigue” where they just can’t put the latest in the drumbeat of massive breaches in context or react meaningfully. The same applies to “threat fatigue.” And hype cuts both ways – overweighting emphasis on some threats, while underserving others. Once again, in the CSO Online article, Grimes cuts to the heart of this issue as he describes the general indifference to Meltdown and Spectre seen across his network. I’m reminded of when a doctor friend told me during the peak of the Ebola hype cycle, that more people in the US would die from the flu that year than Ebola, but nobody seemed to be putting that in perspective (ironic how the flu is now this year’s “Ebola” disease story).
What’s needed is an objective way to report on how each of the threats, and their sources, correlate to real-world risk to the organization. Imagine if, when a particular threat intelligence alert was raised, the environment was automatically searched for the presence of the damning IoCs, and the scope of the potential risk was captured, scored and ranked alongside the other thousands of risks pouring in. The risk would then either be escalated due to severity, contained and remediated, or deprecated as either being low risk or not relevant. Those alerts that are escalated are worked using the Case Management workflow capabilities of the SecOps platform, and the results of all the alerts and incidents are captured and preserved for reporting, analysis, and compliance.
This data would yield valuable insights as to the efficacy of the various sources of threat intel, as well as particular classes of indicators. Knowing this, the risk-scoring could actually be improved by ranking alerts from high-fidelity sources as higher risk, and therefore addressing them more quickly. Again, an enterprise-class SecOps platform that properly separates alerts from incidents, and supports the lifecycle of both to capture a true picture of security and threat alert efficacy would help security teams avoid “hype” distraction and could quickly and confidently dispatch the inevitable hype-driven executive inquiries that ask, “Are we at risk due to this, and if so, what’s our exposure?”
3. Bad threat intelligence skews focus
To some degree, the answer to the second “reason” applies here, too, but there’s additional insight to share. Grimes highlights the paradox, “Ask them what’s the number one way that their company is broken into, causing the most damage. Is it malware, social engineering, password attacks, misconfiguration, intentional attacks, lack of encryption, etc.? I’ve never met the Threat Intelligence (TI) team that could tell me that with a straight face, with data to back up the conclusion. How can a company most efficiently fight the right threats if they can’t even determine the biggest threats?” Dilly dilly.
The challenge is: how does a SecOps team actually generate a Pareto analysis of the actual risks they face? There’s no objective way to know which use cases represent the most risk unless each of the alerts generated by the SIEM, MSSP, native security tools, TIP, or some combination is consistently evaluated, closed or escalated, and worked to conclusion as an incident. Simply looking at the alert volume for each use case doesn’t tell you whether those risks were prevented, or whether they each represented the same level of business risk. All the alerts must be risk-scored, triaged and, when needed, escalated and worked to conclusion as incidents if an organization is going to have any chance of properly assessing, resourcing, and addressing its most prevalent risks, especially those highlighted by threat intelligence.
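Once dispositions and timelines are preserved, the analytics the post asks for in sections 2 and 3 (source efficacy, a Pareto view of use cases by realised impact rather than alert volume) and the time-to-remediate figure mentioned earlier all become simple queries over the records. Added example over constructed disposition records, not Syncurity’s own reporting; the record layout, sources and dollar figures are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed disposition records, as a SecOps platform would preserve them:
# (alert_id, source, use_case, disposition, impact_usd, detected_at, remediated_at)
RECORDS = [
    ("A-1", "vendor_feed_a", "phishing", "incident", 40000, "2018-02-01T09:00", "2018-02-01T15:00"),
    ("A-2", "open_feed_b", "malware", "false_positive", 0, "2018-02-01T09:10", None),
    ("A-3", "vendor_feed_a", "phishing", "incident", 25000, "2018-02-02T08:00", "2018-02-02T20:00"),
    ("A-4", "open_feed_b", "misconfiguration", "incident", 5000, "2018-02-03T10:00", "2018-02-04T10:00"),
    ("A-5", "open_feed_b", "malware", "false_positive", 0, "2018-02-03T11:00", None),
    ("A-6", "internal_blocklist", "password_attack", "blocked", 0, "2018-02-04T12:00", None),
]

def source_efficacy(records):
    """Share of each source's alerts that became real incidents; feeds back into fidelity weights."""
    seen, hits = defaultdict(int), defaultdict(int)
    for _id, source, _use_case, disp, *_rest in records:
        seen[source] += 1
        hits[source] += disp == "incident"
    return {source: hits[source] / seen[source] for source in seen}

def pareto_by_use_case(records):
    """Use cases ranked by realised impact, with cumulative share of the total."""
    impact = defaultdict(int)
    for _id, _source, use_case, disp, usd, *_rest in records:
        if disp == "incident":
            impact[use_case] += usd
    total = sum(impact.values()) or 1
    ranked, running = [], 0
    for use_case, usd in sorted(impact.items(), key=lambda kv: -kv[1]):
        running += usd
        ranked.append((use_case, usd, round(running / total, 3)))
    return ranked

def mean_time_to_remediate_hours(records):
    """Average detect-to-remediate time across incidents that have been closed."""
    durations = []
    for *_head, disp, _usd, detected, remediated in records:
        if disp == "incident" and remediated:
            delta = datetime.fromisoformat(remediated) - datetime.fromisoformat(detected)
            durations.append(delta.total_seconds() / 3600)
    return sum(durations) / len(durations) if durations else 0.0
```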
4. Compliance concerns don’t always align with security best practices
Roger Grimes does a great job of calling out “Checkbox” compliance, which has driven massive security spend and created tremendous human resource burn across every industry. It’s all too common that security money and resources are spent not on the projects that have the best risk reduction potential, but on those that reduce compliance risk. As a business executive, it’s easy to see how the argument that the organization can’t afford to be out of compliance wins, as this risk is easily quantified – fines, reputation damage, public reporting, etc. As a business sector, security has historically done a poor job of helping executives quantify the risk-reducing potential of various projects, because as suggested above, there’s no “System of Record” (SOR) that objectively captures and quantifies business risk due to security threats.
As idealistic as it sounds to say, “we’re not going to require outdated password rules and other compliance-driven practices,” it’s not going to happen. Regulators are the last to learn and adapt. The challenge is taking the limited funds and resources and applying best practices in the areas where the most risk exists. Once again, knowing these risks is a big challenge for most organizations, and again, it’s a problem solved by an enterprise-class SecOps automation & orchestration platform, but there’s another benefit to adopting this type of solution. What is best practice, and how do you capture it, ensure the security teams adhere to it, and demonstrate you’re following it when audited, investigated or, God forbid, sued by customers or shareholders? A SecOps platform enables best practices for alert and incident handling to be instantiated and used such that all of these challenges can be met. Without such a platform, the ad hoc, manual and scripted processes typically in place will fall short of enabling and quickly adapting security best practices.
5. Too many projects spread resources thin
This peanut-butter approach of spreading resources thinly across too many projects is a cliché, and most executives would say, “we’re not doing that. If anything, we’re being ruthless in our prioritization of projects, budget, and people.” Unfortunately, the breach results across the collective business and government landscape prove this just isn’t the case, and the shelves of projects/technologies gathering dust despite promises of AI and Machine Learning magic, prove there’s plenty of room for improvement.
Once again, the biggest missing piece of information when making budgeting decisions is that Pareto analysis of risks based on their monetary impact and probability. But there are also political and technical influences to overcome. People want to work with new and exciting technologies that have the promise of revolutionizing the cyber battle of good vs. evil. It’s just not exciting to the CISO, security team, BOD, etc. when they hear that better prioritization and expedited application of needed patches is the single best way to reduce business risk due to cyber attacks.
Regardless, the three layers of the OSI model not taught in computer science – Political, Religious (e.g., Windows vs. Linux) and Financial – are very real and can only be mitigated with objective data and analytics about the various sources of risk, their historical impact, and the efficacy of the security program to defend, detect and mitigate them. Such a System of Record (SOR) is accepted as the standard for many other enterprise processes – SAP GL for Finance, Salesforce CRM for Sales & Marketing, Workday HCM for HR, etc. Sadly, there hasn’t been an emphasis on establishing this SOR for Security. However, the market trend towards what Gartner calls SOAR – Security Orchestration, Automation & Response – and platforms such as Syncurity IR Flow will hopefully change that.
6. Pet projects usually aren’t the most important ones
Sometimes CISOs suffer from “shiny object syndrome,” even though their teams are already too busy with existing work and projects. Although pet projects will always exist, the challenge is not how to avoid them, how to let them die in obscurity or how to let them languish due to a lack of funds or resources, but to properly prioritize them against all the other options based on their risk-reducing potential ROI.
While most firms and agencies have already spent significant sums on Threat Intel and IAM, organizations are still failing to address their biggest IT security threats. SOAR solutions deliver the next best enabling security technology ROI compared with other security solutions, according to the 2017 “Cost of Cybercrime” study conducted by Accenture and the Ponemon Institute, per the chart below (Figure 1).
Figure 1. Accenture Ponemon Institute 2017 Cost of Cybercrime
Security operations platforms like Syncurity IR-Flow have delivered strong security-related project ROI for leading Fortune 500 companies, healthcare organizations, and government agencies. If you’d like to learn how security operations data can help you address the “Top 6 Reasons you’re failing to focus on your biggest IT security threats,” contact us today or schedule a demo.