Recent publicly disclosed cybersecurity attacks have not been simple events. They capitalize on the disjoint nature of cybersecurity policies, protections, and technologies. An error by a trusting user is compounded by an overly permissive network, that access is used to find and exploit a vulnerable service running nearby, and results or control are passed smoothly to an external address. The result? Hundreds of machines or the personal details of thousands of individuals are compromised. It’s true that 100% effectiveness of cybersecurity awareness training, network configuration, patch management, or firewalling would have halted the attack, but 100% effectiveness can never be reached when both attackers and enabling technology are constantly evolving. The only practical strategy is one of balanced, integrated controls and reporting. This approach provides the information necessary to invest appropriately, prioritize with data, and block, detect, or disrupt, a major event in progress.
Understanding your current cybersecurity solution landscape
A report from Ponemon reveals that, on average an organization is utilizing 47 different security vendors, with this complexity driven by a combination of diverse threats and narrowly focused vendors. The situation is exacerbated by the fact that over half of these organizations confess to not being well-versed in the effectiveness of the tools they have in place. Even with a high number of tools, companies lack confidence in their investments to minimize the risk of breaches. Prior to any optimization efforts, it is essential to assess the current tooling setup.
Start by cataloguing your investments into three phases of protection: prevention, monitoring, and response to events. The key here is balance. Every organization will have their own hot buttons and emphasis, but there needs to be balance across all three. Overinvestment in prevention may lead to inadequate monitoring or response planning. Over-emphasis on response may lead to insufficient attention to blocking attacks in the first place. A balanced view leads to resilient protection and likely to a reduction in the number of solutions supported.
Deriving maximum value
If you were you to stop here, having examined, rationalized, and balanced your cybersecurity investment, you’d already be well ahead of the norm. But you’re not done, as there is even more value in the results of sharing information across these solutions than they provide individually. A security operation that intelligently shares information between domains improves situational awareness, response time, and reduces the likelihood of a widespread security event.
To make this happen, ensure that the outputs of each solution are used to improve or trigger the execution of the others. This could mean using endpoint attack data to drive targeted configurations and reviews on network devices and firewalls, or using the parameters found during penetration testing to create new detection rules in a WAF or IDS. You should also consider establishing automated processes to review user identity integrity when suspicious credential use is detected. Correlating data from multiple sources will give you the most meaningful security intelligence that can easily be acted upon by internal or external teams.
Creating stakeholder supporters
The progress of your new cybersecurity operation is an opportunity to communicate on positive aspects of cybersecurity: protection and progress. This new cadence of messaging elevates security to a first-order business function and eliminates the expectation that security teams only report when something bad is happening or new funding is needed.
- Visibility: The accurate and evolving asset inventory, with each resource delivering appropriate event data, is the foundation of effective security. Reliable visibility is at the core of identifying and driving awareness of vulnerabilities, potentially malicious activity, and anomalous connections or data transfers. Reporting regularly on visibility identifies new systems, as well as organizational gaps in areas of data gathering or software enablement.
- Posture: While existence of a vulnerable condition can be measured independent of a specific implementation, organizational impact is highly contextual. Your operation can use insights derived from integrated sources to perform risk analysis for your business goals. The resulting measure of security posture can be tracked and trended, and it’s useful for communicating security progress to non-technical audiences on a regular basis.
- Activity: The threat landscape changes, as does your own attack surface. Reporting on security developments discovered through threat intelligence or internal alerts provides a topical and relatable subject to share. New applications, expansions, or infrastructure are also noteworthy when discussing changing organizational security status.
Advocating for integrated cybersecurity
With the increasing prevalence and sophistication of attacks, a siloed approach to cybersecurity is no longer sufficient. Organizations need to understand the advantages of integrating security event data and solutions to better protect themselves against well-planned, multi-phase attack campaigns. Securing stakeholder support for an integrated cybersecurity operation is essential. By providing clear examples of the scale and complexity of attacks, such as ransomware, information theft and doxing, it will be easier to demonstrate the value of integrating analytics and data across multiple departments. By emphasizing the importance of staying ahead of ever-evolving threats, integrated cybersecurity solutions will demonstrate more value, driving more acceptance from stakeholders.
In closing
The cost of attacks, compounded by the cost of underutilized security solutions, demands a change in the approaches we take to defense. As many attacks promulgate and thrive in the gaps between disparate security solutions, integrating information and layers of protection is the most cost-efficient and logical step to addressing them. Much like other technologies have been improved through integration with related solutions, the security community is realizing that the path to stronger security is paved with better integration, communication, and support.
By Jack Danahy, Vice President of Strategy and Innovation at NuHarbor Security