The central nervous system of any cyber programme
Organisations’ ability to detect and respond is behind the curve. We must be ready to evolve, understand the critical needs of the business and transform Security Operations into a proactive, intelligence led model.
Falling victim to a cyber-attack is a by-product of the fourth industrial revolution and is now a matter of when, not if it happens to your organisation. All of the preventative measures in the world will not stop a determined adversary from gaining access to an environment and what happens next could mean the difference between a swift and successful recovery or a prolonged period of business disruption, amongst other potential impacts.
As a consequence, your Security Operations team is now the crucial element in detecting a cyber-attack as early as possible and launching a proportionate response to it. Security Operations staff must be well organised, well equipped, and well trained to rapidly and effectively identify cyber security incidents and appropriately intervene in order to minimise the damage attackers might cause.
Without detection, there can be no response
In too many cases organisations’ ability to detect and respond is behind the curve, with defenders often taking months to detect incidents. According to IBM, the mean time to identify a data breach in 2019 was 206 days [1]. This is more than enough time for an attacker to perform further internal reconnaissance, move laterally across the network, identify and extract the victim organisation’s critical data, and position themselves to do worse, before the intrusion is even detected.
Why is detection still so slow on average? Many organisations are still dependent on traditional security information and event management (SIEM) tools, which can reliably detect commodity attacks when configured correctly. However, they will miss the more sophisticated campaigns by advanced attackers that are intentionally covert, utilising carefully crafted techniques to fly under the radar.
Speed is always a priority, but awareness is imperative. After an attack has occurred and been detected, fully understanding what is happening, and why, is critical to inform how an organisation responds. Inefficient processes, low capacity, insufficient training, and a failure to embrace automation all have the potential to compound the ultimate cost of a breach downstream, giving adversaries the unnecessary advantage of more time to compromise further systems and achieve their objectives, whether these are the ultimate theft of sensitive data, other forms of espionage, fraud, temporary disruption or more permanent forms of sabotage.
An outdated managed security services (MSS) model can actually hinder incident response efforts. If a provider simply passes incidents ‘over the fence’ without additional support through the rest of the incident response process, the client organisation’s Security Operations team can be left with a mountain to climb in order to understand the attack and how to respond most appropriately, thereby delaying containment and recovery.
When responders face this type of uphill battle to remediate even the most routine of cyber incidents, the result is less time to dedicate to proactively hunting and responding to the more sophisticated attacks, allowing those attacks to persist undetected and their ultimate impact to aggregate over time.
The evolution of detection and response
The situation described above is all too common and has been picked up by industry, even up to supervisory bodies. This has led to a significant shift in the approach to addressing these challenges, moving beyond a reliance on the traditional SIEM-centric approach to embrace proactive functions like threat hunting and advanced analytics. This helps put Security Operations teams on the front foot, not only enabling quicker detection of more sophisticated adversaries, including nation state actors, but also demonstrating that the organisation is taking a predictive and intelligence-based stance.
Security orchestration, automation, and response (SOAR) tools are another new technology that can aid in this transition. Automating repeatable steps in response to common incidents increases efficiencies and frees up skilled analysts and incident responders to develop and run the proactive functions described above, activities that derive more job satisfaction and therefore aid retention of scarce talent.
However, this emerging approach to Security Operations is itself not without pitfalls. Crucially, any organisation seeking to become more predictive, agile and adaptive through implementing this strategy must fully understand the prerequisites and carefully select a partner ecosystem that matches their philosophy.
The key is to choose to partner with a managed security services supplier with the transparency and flexibility to support this journey. Threat monitoring no longer stops at detection, and businesses should seek a provider that truly integrates itself throughout the end-to-end processes of continuous threat, vulnerability and attack lifecycle management, providing tailored support and specialist expertise throughout. Every incident is an opportunity to learn, every attack is an opportunity to demonstrate success.
Ready to evolve?
Here are some key things to look out for when transforming to a proactive Security Operations model:
- Tune into the needs of the business. Security Operations does not exist in isolation, it is there to safeguard an organisation and to protect its critical assets. Procurement cannot be based on whatever the buzzword of the day is. Security investment decisions must be made and prioritised by the business’s requirements and centred around enabling effective detection and response to mitigate key threats and to minimise the potential impacts on the organisation’s most critical functions.
- Set up for success with clearly defined requirements. Before jumping into the world of detection and response vendors and solutions, be clear on what your organisation wishes to achieve. How do the capabilities you are procuring realise benefit and help to mitigate risk? Taking the time to define your Security Operations model in advance will help you to make the right decisions.
- Establish meaning and purpose. Security Operations plays an essential part as the nerve centre within an organisation’s cyber programme and therefore it should be embedded culturally and reinforced operationally. It should become second nature for the team to consider and support the business objectives in all that they do. It’s equally important to raise awareness and demonstrate, to the business, the important work that Security Operations does to safeguard against cyber-attacks. Celebrating your cyber heroes and giving deserved recognition will help to retain and develop top talent.
- Harness intelligence to achieve proportionality. It’s become a long-term goal in IT to avoid ‘exit purgamentum’, the principle that highlights that the quality of your inputs is directly related to the quality of your outputs. This is never more relevant than with threat intelligence. As the threat landscape is constantly shifting and evolving with the acceleration of complex digital transformations, so too are attackers’ tactics, techniques and procedures. As such, the risks associated with new lines of business, an expanding attack surface, complex supply chain ecosystems and the effects of global pandemics will all require equal attention and importance, and will influence the need for a predictive, agile and adaptive cyber defence strategy.
It’s survival of the fittest, but falling isn’t important, it’s the getting back up that is!
For every battle your Security Operations team loses, and it inevitably will, it will have won many more, so learning from these losses is an important factor in the continuous evolution and optimisation of your cyber defensive capabilities. It’s only by taking this evolutionary approach to Security Operations that organisations can place themselves into a defensible position and demonstrate they have successfully minimised impact potential and driven down cyber risk.