Cybersecurity Science Project or Immediate Value: Which Do You Prefer?
A C-suite IT executive recently told us about a nightmare cybersecurity implementation: after extensive network surgery and a seven-figure investment, the platform still wasn’t stood up three years later. This type of story is all too common, and among the many consequences, organizations can find themselves unprotected from common attacks (particularly credential compromise and stealthy admins) despite spending millions on point solutions. In a competitive Infosecurity market, vendors are promising the world, yet project implementations can be plagued by delays and uncertainty, and sunk costs can mean security and IT teams’ hands are tied.
Let’s take a look at what security professionals can do in a confusing cybersecurity landscape to achieve optimal results, from vendor selection to implementation.
Addressing the Most Pressing Challenges First
Despite extensive cybersecurity investment and widespread public awareness, enterprises continue to be plagued by elementary issues like exposed passwords and stealth admins: Preempt research finds nearly 1 in 3 networks have exposed passwords, while 72 percent have poor control over privileged accounts, in turn leading to stealthy admins. We know credentials are the number one target for attackers, comprising approximately 81 percent of hacking-related breaches. Enterprises need to secure user identity in order to achieve good security posture and this should be their immediate priority.
Before beginning implementation, or even selecting a vendor, organizations need to focus on getting value by solving specific use cases. For instance, do you know who your privileged users are? Are your organization’s passwords exposed to malicious actors? Do you know where NTLM is present in your network, and where it constitutes a soft target? Your solution should ideally identify these types of risk factors right away.
Organizations should invest in platforms that expand and leverage existing solutions, rather than selecting just point solutions that create security silos and visibility gaps. A focus on identity, visibility, and control, as well as platforms that bridge the gaps between siloed security solutions, is critical to achieving an effective security posture.
The Reality of Overwhelmed Security Teams
Today’s security teams are overwhelmed, and given the talent shortage and the quickly changing threat landscape, the problem is only worsening. A 2017 survey found that 66 percent of information security professionals say they don’t have the staff necessary to address threats. The unfortunate reality for many Security Operations Centers (SOCs) has become hours of time wasted daily on false positives. With a typical analyst estimated to handle 20-25 alerts daily, research finds nearly 70 percent of those alerts are false positives.
Setting clear goals and expectations is paramount, and you should aim to reduce the clutter of false positives. Unfortunately, many security solutions touting analytic capabilities are instead contributing more distracting noise for SOC teams. Today’s security companies are on a bragging spree about how many data points they analyze, yet these data points are not helpful if they simply add to false alerts – especially without context, accuracy, and actionable outcomes.
Organizations should approach the problem differently. Security executives should strive to achieve immediate business value for every implementation. For instance, can the product quickly deliver insights and visibility across the entire network? Can these insights – and automated response and control capabilities – ultimately reduce the workload of SOC teams dealing with false positives?
SOC teams are already overwhelmed and don’t need more distractions from false alerts and unnecessary investigations. When looking ahead to the end result of the implementation, the goal should be to automate your process (and make that automation scalable as your network changes) and trust the technology to get the job done. Furthermore, whether or not you can obtain immediately actionable insights can be an indicator of how your implementation will go. Otherwise, you may end up with something that’s more like a science project, which may require you to over-tune the policies so much that the solution ends up as unwieldy shelfware.
The Role of Industry-Backed Frameworks in Successful Cybersecurity Implementations
Cybersecurity is complex and rapidly evolving. Organizations should look to industry-recognized frameworks to provide short-term and long-term value. While one size doesn’t fit all, established frameworks can provide a guide to your long-term desired outcome, such as achieving Zero Trust or CARTA, as well as help you benchmark your security posture against your peers. (Read more on Zero Trust here.)
Given that we know credential compromise is the top target for attackers, the Identity and Access Threat Prevention category provides a framework that acknowledges and addresses the most pressing cybersecurity challenges that enterprises face. As users, devices, and apps have moved well beyond traditional network perimeters, and as hackers increasingly compromise those identities and devices, understanding the risk associated with different user identities is key to consistently enforcing policies. Security teams must know the full context of what an identity or entity does; its behavior, patterns, and risks; and how all of those factors evolve over time. Effective security posture means being able to detect and distinguish truly malicious behavior from atypical but benign behavior – particularly in the interest of keeping the business running smoothly. Enterprises must be able to act on this context and take real-time action before critical resources are breached.
To learn more about Identity and Access Threat Prevention – and how to fill the gaps between your existing security solutions – contact us at firstname.lastname@example.org.
Posted by Jeff Baker on February 14, 2019 2:40 AM