3 Scariest Things About Your Security Program
31 Oct
By Tom Young, Executive Vice President of Worldwide Sales
Halloween is a uniquely American tradition of scary movies, costumes, parties and of course, the candy-crazed-trick-or-treaters. While you binge watch the new Netflix series, “The Haunting of Hill House,” and answer the doorbell to hand out handfuls of sugar-infused treats, it might be worth thinking about the really scary risks lurking in your Security Program.
1. Count Patchula
I’m almost embarrassed to include this one, as it’s so trite, over-used, and unexciting. However, the fact remains that the inability to build a scalable, repeatable process to quickly identify, escalate and apply missing security patches is the single biggest reason security programs continue to get bitten by blood-sucking bad actors. In fact, according to Verizon’s 2017 DBIR, “only 61% of organizations complete their patching process and patches not completed after 12 weeks tended to go unpatched.” So, not only are patches taking too long (12 weeks!!), many aren’t applied at all. All the Machine Learning and AI garlic in your security stack to ward off complex, malicious threats isn’t going to help if you continue to leave the coffin door wide open.
Thankfully, solutions are emerging to address the complex, cross-functional, and time-consuming process of finding and fixing needed security patches out-of-band from the decrepit 12-week cycle. Syncurity has worked with WWT to show an example of this using the IR-Flow SOAR platform across Cisco, Tenable, Tanium and VMWare technologies, as well as the inevitable human-based approvals/validations needed. Check out the demo at: https://vimeo.com/292799201/4974b7d5ee
2. The “Things” (Otherwise known as IoT)
It’s no secret that these creepy Internet of “Things” devices are invading business and consumer lives, and in turn dramatically expanding the cyberattack surface. According to Statista, these devices will number greater than 23 Billion by the end of 2018 and will almost double to over 51 billion in five years (one of the more conservative forecasts I’ve seen). Think about this. According to World-o-Meter, the earth’s population is approaching 7.7 Billion. That means there are at least 3x as many devices as there are humans, and given how poorly secured most of these devices are and how many coming online lack “designed-in security,” it’s no wonder you’re scared. A recent Gartner study revealed 20% of firms experienced an IoT attack in the last three years. But ironically, it’s not these “Things” facts that are so frightening. What’s really terrifying is how little time, resources, and budget are being dedicated to addressing these risks at most organizations.
Gartner predicts that through 2020, the biggest inhibitor to growth for IoT security will come from a lack of prioritization and implementation of security best practices and tools in IoT initiative planning. This will hamper the potential spend on IoT security by 80 percent. In other words, teams aren’t taking an enterprise-wide approach that’s integrated with the overall security operations and incident response processes to “Things” security.
Thankfully, Syncurity IR-Flow helps organizations ensure a clear process and common reporting framework for assessing, triaging, and remediating/containing IoT risks, integrated with the overall security operations process on an industry-leading SOAR platform built to address IoT risks. For example, by integrating with CyberMDX, a leader in medical device IoT identification and security, cyber events can be evaluated based on detailed knowledge of which devices, down to the make and manufacturer, are associated with the risk. And if corrective action is needed, IR-Flow can automate the appropriate complex incident response workflows because it knows which devices are in service, which ones can only be patched by the vendor, and who to contact about the devices needing containment actions, all without disrupting life-saving service. No need to be afraid of being in the Internet of “Things” dark anymore.
3. Frankenstein Triage/IR
Speaking of Incident Response, the scariest aspect of most security programs is their monstrous approach to consistent, systematic and auditable Alert Triage and Incident Response. Candidly ask most Security teams how they compare to the SANS SOC Survey metrics for average “time-to-containment” and “time-to-remediation,” and they’ll admit they don’t know. Worse, if they were to try to find out, it would mean pulling data from multiple different systems, depending on the type of event (e.g., if it’s a user-submitted Phishing email, we check here, here and here, but if it’s a SIEM alert, we’d check there, there, and there). This piece-parts approach to processing cyber risks provides no means to assess the overall risk across all event types, and no consistent, auditable method of capturing the results of the actions taken, whether system- or human-initiated. Expecting a stitched-together assembly of spreadsheets, email threads, wiki pages, etc. to miraculously “come to life” when needed to respond, and to report that response to the Board, is as foolish as reanimating flesh with lightning.
Thankfully, the Syncurity IR-Flow SOAR platform enables enterprises and MSSPs to thread all their cyber risks, regardless of source, into a normalized, risk-based Triage process that is executed consistently regardless of the assigned analyst, and that records every action, both machine- and human-initiated, used to determine the disposition and, if needed, the subsequent containment and remediation steps. By providing full-lifecycle Case Management with evidence capture and reporting, the IR-Flow SOAR platform takes the fright out of using a ticketing system as a case management tool, which is fraught with unruly permissions and access to data that could be inappropriate at best, or in violation of privacy laws at worst.
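A minimal sketch of the normalized, auditable triage record the section argues for: a phishing report and a SIEM alert mapped onto one case schema, every action (human or integration) appended to an audit trail, and time-to-containment/time-to-remediation computed the same way for both. This is an added illustration, not IR-Flow’s own code; the event formats, action names, actors and timestamps are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime
from itertools import count

# Constructed sample events from two sources (not real data); field names are assumptions.
PHISHING_REPORT = {"source": "user_phish_report", "reported": "2018-10-31T09:00:00",
                   "subject": "Invoice overdue", "reporter": "alice@example.com"}
SIEM_ALERT = {"source": "siem", "timestamp": "2018-10-31T10:15:00",
              "rule": "Suspicious outbound beacon", "host": "ws-042"}
_ids = count(1)

@dataclass
class Case:
    case_id: str
    source: str
    summary: str
    opened: datetime
    actions: list = field(default_factory=list)  # audit trail of (when, actor, action)

    def record(self, when, actor, action):
        """Append one step, whether taken by an analyst or by an integration."""
        self.actions.append((datetime.fromisoformat(when), actor, action))

    def minutes_to(self, action):
        """Minutes from case open to the first given action; None if it has not happened."""
        when = next((w for w, _, a in self.actions if a == action), None)
        return None if when is None else (when - self.opened).total_seconds() / 60

def normalize(event):
    """Map source-specific fields onto the one case schema every event is triaged in."""
    case_id = f"C-{next(_ids)}"
    if event["source"] == "user_phish_report":
        return Case(case_id, event["source"], f"Phish: {event['subject']}",
                    datetime.fromisoformat(event["reported"]))
    if event["source"] == "siem":
        return Case(case_id, event["source"], f"SIEM: {event['rule']} on {event['host']}",
                    datetime.fromisoformat(event["timestamp"]))
    raise ValueError(f"unknown source {event['source']!r}")

def metrics(cases):
    """Time-to-containment and time-to-remediation per case, in minutes, comparable across sources."""
    return {c.case_id: (c.minutes_to("contain"), c.minutes_to("remediate")) for c in cases}

def build_sample_cases():
    """Normalize both constructed events and replay a plausible action trail for each."""
    phish, beacon = normalize(PHISHING_REPORT), normalize(SIEM_ALERT)
    phish.record("2018-10-31T09:40:00", "analyst", "contain")          # mailbox purge approved
    phish.record("2018-10-31T10:30:00", "mail-gateway", "remediate")   # sender blocked
    beacon.record("2018-10-31T10:20:00", "edr-integration", "contain")  # host isolated
    return [phish, beacon]                                              # beacon still open
```

Because both cases share one schema and one audit trail format, the same `metrics` call answers the “how do we compare to the SANS numbers” question for every event type, and a `None` remediation time is visible as an open case rather than lost in a spreadsheet.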
There’s no shortage of scary stuff on the light and dark web of business and consumer life. For organizations trying to move their security up the maturity curve, establishing security operations processes and automation/orchestration around the key frights of out-of-band patching, IoT, and inconsistent Triage/IR case management will limit the horrors of a breach, and the associated time required to re-trace who did what, when, how, and why. What do you think? Let us know at syncurity.net