As we look back on a succession of headlines about data breaches and security lapses at some of the world’s largest companies, we find a consistent theme. Attackers have continued to improve their techniques requiring companies to compensate and raise the bar on cybersecurity. However, there are still several gaps that CSOs should address to avoid the headlines in the future.
1. Information overload
The average company is adept at storing information but much less proficient in using it. There is so much data out there that many find it difficult to separate the signal from the noise. This is only magnified by the scale and reach of today’s companies.
Some SecOps teams suffer from false positive fatigue. It is a common ailment resulting from repeated instances where security alerts turn out to be a false alarm. False positive fatigue dulls the senses and makes teams less likely to respond with vigilance when receiving real alerts.
Companies in this condition have seen success by triaging security information. Modern security software can do a lot to reduce the false positives with baselines, thresholds, and heuristics. Such systems are only as good as the data they are based on, but today’s systems can make use of significant historical and current operational data to make better decisions. This reduces the false positives and usually results in fewer false negatives as well. Such software ultimately minimizes the strain on SecOps teams, allowing them to perform at their best.
2. Insufficient integration
Another problem is the insufficient integration between security systems and systems management tools. Companies still struggle to transform independent silos of security information into a cohesive matrix of integrated systems containing security insights and metrics. It is not enough to deploy security systems if they do not work together. Companies must also combat their technology sprawl, consisting of various on-premise and cloud systems. In such a complex environment, it is easy for valuable information to fall through the cracks. This is one factor leading to attacker persistence on networks. Currently, attackers remain on a network for an average of 146 days before they are identified.
SecOps teams need a single dashboard that provides visibility into each of the systems. Also, the information from systems such as SIEM, IAM, DLP, and IPS must be integrated, so data is normalized, consolidated, and analyzed comprehensively. Additionally, standard processes can be executed across the board to ensure that no system lost in the mix.
3. Human bottlenecks
We, humans, are often a bottleneck in the incident response process. Each minute following an incident potentially increases the damage to the company and its customers. By the time a team is assembled, and the incident response manual is consulted, the impact may have increased severalfold. There is a time for us to step out of the way to let computers do their job.
We have spent decades developing intricate response plans. Now is the time to turn those plans into workflows. The robust processes and procedures for handling incidents can be used to script appropriate workflows to detected and validated events. Response workflows can be executed quickly following identification to reduce damages. Incident response workflows also ensure consistency in the response. A response team can practice over and over, yet still make a mistake when the pressure is on, whereas computers will perform reliably over and over.
Machine learning is also improving where systems can more reliably validate incident indicators and select the appropriate response. Each new incident trains the system so that it is better able to respond to the next attack.
4. Credential trust
A recent statistic from Microsoft asserts that 63 percent of all network intrusions are due to compromised credentials. Successful phishing tactics, poor password management, or lax account management security have made it much more difficult to trust credentials alone.
The actions users perform must be evaluated for anomalies so that abnormal behavior prompts a response. There are tools available that can provide insight and action to prevent successful infiltration of systems and exfiltration of data. Credentials may need to be verified again as conditions change such as moving to a different location, performing a different set of tasks, or logging in at a different time. Two, three, or more forms of authentication can be used depending on the riskiness of the behavior.
5. Soft targets
It takes continual effort to stay on top of patches, best practices, and the latest hardening techniques, but these steps are vital in protecting systems from vulnerabilities and other weaknesses. Even one soft target can open a company up to attack.
Companies should have systems in place to audit and verify that systems are hardened and up to date. Vulnerability scanning, penetration testing, and patch management validation tools can be used to test systems and ensure that they are properly configured.
Seizing the opportunities
It is clear that something needs to be done now to address these five security challenges. Consider how your cybersecurity strategy will close these gaps. Identify an ideal mix of technologies and how those will be integrated to provide the most value, ease of management, and protection. Seek out automation whenever possible and build in more credential verification and behavioral analytics.