Organisations’ ability to detect and respond is behind the curve. We must be ready to evolve, understand the critical needs of the business and transform Security Operations into a proactive, intelligence led model.
Falling victim to a cyber-attack is a by-product of the fourth industrial revolution and is now a matter of when, not if it happens to your organisation. All of the preventative measures in the world will not stop a determined adversary from gaining access to an environment and what happens next could mean the difference between a swift and successful recovery or a prolonged period of business disruption, amongst other potential impacts.
As a consequence, your Security Operations team is now the crucial element in the earliest possible detection of, and the launch of a proportionate response to, a cyber-attack. Security Operations staff must be well organised, well equipped, and well trained to rapidly and effectively identify cyber security incidents and appropriately intervene in order to minimise the damage attackers might cause.
In too many cases organisations’ ability to detect and respond is behind the curve, with defenders often taking months to detect incidents. According to IBM, the mean time to identify a data breach in 2019 was 206 days [1]. This is more than enough time for an attacker to perform further internal reconnaissance, move laterally across the network, identify and extract the victim organisation’s critical data, and position themselves to do worse, before the intrusion is even detected.
Why is detection still so slow on average? Many organisations are still dependent on traditional security information and event management (SIEM) tools, which can reliably detect commodity attacks when configured correctly. However, they will miss the more sophisticated campaigns by advanced attackers that are intentionally covert, utilising carefully crafted techniques to fly under the radar.
Speed is always a priority, but awareness is imperative. After an attack has occurred and been detected, fully understanding what is happening and why is critical to inform how an organisation responds. Inefficient processes, low capacity, insufficient training and a failure to embrace automation all have the potential to compound the ultimate cost of a breach downstream, giving adversaries the unnecessary advantage of more time to compromise further systems and achieve their objectives, whether these are the ultimate theft of sensitive data, other forms of espionage, fraud, temporary disruption or more permanent forms of sabotage.
An outdated managed security services (MSS) model can actually hinder incident response efforts. If a provider simply passes incidents ‘over the fence’ without additional support through the rest of the incident response process, the client organisation’s Security Operations team can be left with a mountain to climb in order to understand the attack and how to respond most appropriately, therein delaying containment and recovery.
When responders face this type of uphill battle to remediate even the most routine of cyber incidents, the result is less time to dedicate to proactively hunting and responding to the more sophisticated attacks, allowing those attacks to persist undetected and their ultimate impact to aggregate over time.
The situation described above is all too common and has been picked up by industry, even up to supervisory bodies. This has led to a significant shift in the approach to addressing these challenges, moving beyond a reliance on the traditional SIEM-centric approach to embrace proactive functions like threat hunting and advanced analytics. This helps put Security Operations teams on the front foot, not only enabling quicker detection of more sophisticated adversaries, including nation state actors, but also demonstrating that the organisation is taking a predictive and intelligence-based stance.
Security orchestration, automation and response (SOAR) tools are another new technology that can aid in this transition. Automating repeatable steps in response to common incidents increases efficiencies and frees up skilled analysts and incident responders to develop and run the proactive functions described above, activities that derive more job satisfaction and therefore aid retention of scarce talent.
However, this emerging approach to Security Operations is itself not without pitfalls. Crucially, any organisation seeking to become more predictive, agile and adaptive through implementing this strategy must fully understand the prerequisites and carefully select a partner ecosystem that matches its philosophy.
The key is to choose to partner with a managed security services supplier with the transparency and flexibility to support this journey. Threat monitoring no longer stops at detection and businesses should seek a provider that truly integrates itself throughout the end-to-end processes of continuous threat, vulnerability and attack lifecycle management, providing tailored support and specialist expertise throughout. Every incident is an opportunity to learn, every attack is an opportunity to demonstrate success.
Here are some key things to look out for when transforming to a proactive Security Operations model:
It’s survival of the fittest, but falling isn’t important, it’s the getting back up that is!
For every battle your Security Operations team loses, and it inevitably will lose some, it will have won many more, so learning from those losses is an important factor in the continuous evolution and optimisation of your cyber defensive capabilities. It’s only by taking this evolutionary approach to Security Operations that organisations can place themselves in a defensible position and demonstrate they have successfully minimised impact potential and driven down cyber risk.