Every organization will, one way or another, land on the radar of cybercriminals or hackers who have an incentive to compromise their systems. Threat intelligence has therefore become a top priority for many organizations around the world.
Some of the top security challenges organizations have faced over the last few years include:
◉ Identifying the right frameworks to implement
◉ Choosing from varying vendor solutions to fill gaps in technology
◉ Mitigating supply chain risks
◉ Managing vulnerabilities and patches
◉ Addressing insufficient skill sets within cybersecurity teams
◉ Handling inadequate threat intelligence and visibility
◉ Securing third-party engagement and integration
◉ Promoting general awareness of cyber resilience among staff
Cybersecurity: A Growing Concern in Digital Transformations
The COVID-19 pandemic prompted a number of mindset shifts. Many organizations started moving to the cloud, and others started to activate digital transformation playbooks that had been shelved for many years.
Organizations that did not think the time would ever come for remote work had to activate many work-from-home programs. Affected businesses ranged from small and medium-sized enterprises to large corporations that had to rework their entire security fabrics to stay resilient as attacks rose.
The Limitations of Existing Cybersecurity Solutions
Top-tier companies continuously buy new solutions in the hope of solving security issues as they arise. These include antimalware and data loss prevention software; upgrades to firewalls, routers, and switches; network access control solutions; data and network monitoring software; and many more.
However, these solutions often do not communicate with each other once deployed. Each produces its findings in isolation, so decisions about an incident have to be stitched together by hand, and the organization's overall risk goes up rather than down.
An antimalware solution, for instance, might detect malware, but it may not work with the organization's network access control solution to isolate the infected machine, or with the firewall to block the threat actor's IP address. Organizations must instead rely on manual intervention, so putting mitigation controls into effect can take a great deal of time.
Take, for example, a financial institution. The sensitive data it handles might include:
◉ Client lists
◉ Customer credit card information
◉ The company’s banking details
◉ Pricing structures for various services
◉ Future product designs
◉ The organization’s expansion plans
The impacts of a security incident on that financial organization can include:
◉ Financial losses resulting from theft of banking information
◉ Financial losses resulting from business disruption
◉ High costs associated with ridding the network of threats
◉ Damage to reputation after telling customers their information was compromised
“You can get cybersecurity right 99% of the time, but adversaries only need to exploit the 1% to cause tremendous damage.”
The Evolution of Cybersecurity Models
The focus of cybersecurity in protecting business operations has shifted from the traditional risk management approach, which relies on perimeter defenses and static assessment (ranking known weaknesses by their Common Vulnerabilities and Exposures (CVE) entries and CVSS severity scores), to a framework of predictive threat intelligence, agile posture, and dynamic controls.
The deciding factor in whether an organization gets back up and running after a security incident is how readily it can recover, which depends directly on its operational readiness and on how quickly it responds.
Historically, security has been defined around three functions: protection, detection, and response. Resilience adds two more, identification and recovery; these five (Identify, Protect, Detect, Respond, Recover) are the core functions of the NIST Cybersecurity Framework. Being able to identify potential risks in advance and plan a recovery path is key to staying operational as a business.
Comparing Security Software Solutions
Security Information and Event Management (SIEM)
Every modern-day organization should have a security information and event management (SIEM) tool. SIEM software can be either proprietary or open source, depending on the company’s budget and needs.
SIEM tools have several core functions, among many other capabilities:
◉ Correlating logs
◉ Analyzing user behavior
◉ Performing forensics
◉ Monitoring file integrity
◉ Providing a dashboard for analyzing incidents
Incident responders may receive thousands of alerts each day from all devices connected to their organization’s SIEM solution. As a result, they often spend a large portion of their time engaged in detection, triage, and investigation.
A typical example is a malicious IP address scanning the target network. The analyst has to filter out false positives (an authorized internal vulnerability scanner looks much the same in the logs), check the details of the IP address (such as origin and reputation), and send the details to the firewall to block the IP based on that analysis.
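As an added example that is not part of the original article, the following Python sketch shows the analyst's workflow in the scanning case written as a SIEM correlation rule plus the triage step. The log format, the allowlisted scanner address, the reputation feed, and the firewall rule syntax are all constructed for the example rather than taken from any real product.

```python
"""Added example, not code from the original article: a minimal SIEM-style
correlation rule for the "malicious IP scanning the network" case. It parses
constructed firewall log lines, flags any source that reaches many distinct
destination ports inside a short window, suppresses a known false positive
(an authorized internal scanner), enriches the rest from a hypothetical
reputation feed, and emits the firewall block decision the analyst would
otherwise reach by hand."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like; not from any real device).
# 198.51.100.23 sweeps ten ports in five seconds, 10.0.0.50 is an authorized
# internal scanner doing the same, 203.0.113.8 makes one normal request, and
# the last line is a malformed record the parser must tolerate.
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z fw01 DENY src=198.51.100.23 dst=10.0.0.5 dport=22 proto=tcp
2024-03-01T10:00:01Z fw01 DENY src=198.51.100.23 dst=10.0.0.5 dport=23 proto=tcp
2024-03-01T10:00:02Z fw01 DENY src=198.51.100.23 dst=10.0.0.5 dport=80 proto=tcp
2024-03-01T10:00:02Z fw01 DENY src=198.51.100.23 dst=10.0.0.6 dport=443 proto=tcp
2024-03-01T10:00:03Z fw01 DENY src=198.51.100.23 dst=10.0.0.6 dport=445 proto=tcp
2024-03-01T10:00:03Z fw01 DENY src=198.51.100.23 dst=10.0.0.7 dport=3389 proto=tcp
2024-03-01T10:00:04Z fw01 DENY src=198.51.100.23 dst=10.0.0.7 dport=8080 proto=tcp
2024-03-01T10:00:04Z fw01 DENY src=198.51.100.23 dst=10.0.0.8 dport=5900 proto=tcp
2024-03-01T10:00:05Z fw01 DENY src=198.51.100.23 dst=10.0.0.8 dport=1433 proto=tcp
2024-03-01T10:00:05Z fw01 DENY src=198.51.100.23 dst=10.0.0.9 dport=3306 proto=tcp
2024-03-01T10:01:00Z fw01 ALLOW src=10.0.0.50 dst=10.0.0.5 dport=21 proto=tcp
2024-03-01T10:01:00Z fw01 ALLOW src=10.0.0.50 dst=10.0.0.5 dport=22 proto=tcp
2024-03-01T10:01:01Z fw01 ALLOW src=10.0.0.50 dst=10.0.0.5 dport=25 proto=tcp
2024-03-01T10:01:01Z fw01 ALLOW src=10.0.0.50 dst=10.0.0.5 dport=80 proto=tcp
2024-03-01T10:01:02Z fw01 ALLOW src=10.0.0.50 dst=10.0.0.5 dport=110 proto=tcp
2024-03-01T10:01:02Z fw01 ALLOW src=10.0.0.50 dst=10.0.0.5 dport=139 proto=tcp
2024-03-01T10:01:03Z fw01 ALLOW src=10.0.0.50 dst=10.0.0.5 dport=443 proto=tcp
2024-03-01T10:01:03Z fw01 ALLOW src=10.0.0.50 dst=10.0.0.5 dport=445 proto=tcp
2024-03-01T10:01:04Z fw01 ALLOW src=10.0.0.50 dst=10.0.0.5 dport=3389 proto=tcp
2024-03-01T10:01:04Z fw01 ALLOW src=10.0.0.50 dst=10.0.0.5 dport=8443 proto=tcp
2024-03-01T10:05:00Z fw01 ALLOW src=203.0.113.8 dst=10.0.0.5 dport=443 proto=tcp
2024-03-01T10:05:01Z fw01 heartbeat
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=\w+$"
)

def parse_logs(text):
    """Parse lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["dport"] = int(e["dport"])
        events.append(e)
    return events

def detect_port_scans(events, window=timedelta(seconds=60), min_ports=10):
    """Sliding window per source: fire when >= min_ports distinct dports are
    seen within `window`. Returns {src: distinct_port_count_at_first_hit}."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        ports, start = defaultdict(int), 0
        for e in evs:
            ports[e["dport"]] += 1
            while e["ts"] - evs[start]["ts"] > window:  # expire events outside the window
                old = evs[start]["dport"]
                ports[old] -= 1
                if ports[old] == 0:
                    del ports[old]
                start += 1
            if len(ports) >= min_ports:
                hits[src] = len(ports)
                break
    return hits

# Authorized scanners (constructed) and a stand-in for a threat-intel reputation feed.
SCANNER_ALLOWLIST = {"10.0.0.50"}
REPUTATION = {"198.51.100.23": {"country": "XX", "score": 92, "tags": ["scanner"]}}

def triage(hits, block_threshold=70):
    """The analyst's manual steps: drop known false positives, enrich, decide."""
    decisions = {}
    for src, n in hits.items():
        if src in SCANNER_ALLOWLIST:
            decisions[src] = {"verdict": "false_positive", "ports": n}
            continue
        rep = REPUTATION.get(src, {"country": "unknown", "score": 0, "tags": []})
        d = {"verdict": "investigate", "ports": n, "reputation": rep}
        if rep["score"] >= block_threshold:
            d["verdict"] = "block"
            d["firewall_rule"] = f"deny ip from {src} to any"  # hypothetical rule syntax
        decisions[src] = d
    return decisions

def run(text=SAMPLE_LOGS):
    return triage(detect_port_scans(parse_logs(text)))
```

`run()` returns a block verdict with a ready-made firewall rule for 198.51.100.23 and a false-positive verdict for the internal scanner; the allowlist, the window, and the port threshold are exactly the knobs a real SIEM rule exposes. A slow scan spread over hours will not trip the rule as written; widening `window` catches it at the cost of more false positives, which is the tuning trade-off every such rule carries.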
The time spent investigating alerts and filtering out false positives cuts into analysts' productivity and leaves attackers room to succeed. Post-incident analysis of past breaches often finds that the gap between the SIEM's first detection and the analysts' response determined how far the attacker was able to get.
Security Orchestration Automation and Response (SOAR)
Security orchestration automation and response (SOAR) solutions came into play to solve this challenge. A SOAR system detects, triages, prioritizes, and responds across the full threat-intelligence lifecycle.
Consider, for instance, a malware indicator of compromise in a network of about 200 endpoints. While a SIEM will be able to pick it up, investigating how many other machines are similarly affected and making decisions about whether to isolate them from the network usually has to be done manually.
Likewise, sending the malicious IP address that is acting as the malware’s command-and-control server to be blocked by the firewall is a further step. A SOAR solution automates all these processes by investigating and taking necessary action before sending an alert to the analyst, prompting them to examine the situation further.
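As an added example that is not part of the original article, the following Python playbook automates the steps just described for the malware indicator-of-compromise scenario: scope the outbreak across the fleet, isolate the affected hosts, block the command-and-control address, and only then hand the analyst a single enriched alert. The EDR and firewall connector classes are hypothetical stand-ins for vendor APIs, and the hash, C2 address, and telemetry are constructed.

```python
"""Added example, not code from the original article: a minimal SOAR-style
playbook for the malware indicator-of-compromise scenario. From one endpoint
alert (file hash plus the C2 address it beaconed to) it sweeps the fleet's
telemetry for every other host showing the same hash or C2 contact, isolates
them, blocks the C2 address at the firewall, and only then raises a single
enriched alert for the analyst. The connector classes are hypothetical
stand-ins for an EDR and a firewall API; all telemetry is constructed."""
import ipaddress
from dataclasses import dataclass, field

# Constructed indicators and fleet telemetry (host -> hashes seen, outbound peers).
MALWARE_SHA256 = "3f9a" * 16          # placeholder 64-hex digest, not a real sample
C2_IP = "198.51.100.77"               # documentation-range address standing in for a C2
TELEMETRY = {
    "ws-001": {"hashes": {MALWARE_SHA256}, "peers": {C2_IP}},        # the alerting host
    "ws-002": {"hashes": {MALWARE_SHA256}, "peers": set()},          # dropped, not yet beaconing
    "ws-003": {"hashes": set(), "peers": {C2_IP}},                   # beaconing with a variant
    "ws-004": {"hashes": set(), "peers": {"203.0.113.10"}},          # clean
    "dc-01":  {"hashes": {MALWARE_SHA256}, "peers": set()},          # infected domain controller
}
# Hosts the playbook must never isolate on its own; a human approves instead.
CRITICAL_HOSTS = {"dc-01"}
# Internal ranges the playbook must never push to the firewall blocklist.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Alert:
    host: str
    sha256: str
    c2_ip: str

@dataclass
class PlaybookResult:
    """Audit record of what the playbook did, handed to the analyst with the alert."""
    affected_hosts: list = field(default_factory=list)
    isolated: list = field(default_factory=list)
    pending_approval: list = field(default_factory=list)
    blocked_ips: list = field(default_factory=list)
    analyst_alert: dict = field(default_factory=dict)

class EdrConnector:
    """Hypothetical EDR API: query telemetry and isolate hosts."""
    def __init__(self, telemetry):
        self.telemetry = telemetry
        self.isolated = set()
    def hosts_with_hash(self, sha256):
        return {h for h, t in self.telemetry.items() if sha256 in t["hashes"]}
    def hosts_contacting(self, ip):
        return {h for h, t in self.telemetry.items() if ip in t["peers"]}
    def isolate(self, host):
        self.isolated.add(host)

class FirewallConnector:
    """Hypothetical firewall API: maintain an outbound blocklist."""
    def __init__(self):
        self.blocklist = set()
    def block(self, ip):
        self.blocklist.add(ip)

def run_playbook(alert, edr, fw):
    r = PlaybookResult()
    # 1. Scope: every host with the same hash or the same C2 contact, plus the alerting host.
    affected = edr.hosts_with_hash(alert.sha256) | edr.hosts_contacting(alert.c2_ip) | {alert.host}
    r.affected_hosts = sorted(affected)
    # 2. Contain: isolate automatically, except critical hosts, which wait for approval.
    for host in r.affected_hosts:
        if host in CRITICAL_HOSTS:
            r.pending_approval.append(host)
        else:
            edr.isolate(host)
            r.isolated.append(host)
    # 3. Block the C2, but refuse to block internal addresses: a playbook that blocks
    #    10.0.0.1 because the malware resolved a name there takes the network down.
    addr = ipaddress.ip_address(alert.c2_ip)
    if not any(addr in net for net in INTERNAL_NETS):
        fw.block(alert.c2_ip)
        r.blocked_ips.append(alert.c2_ip)
    # 4. Only now alert the analyst, with the investigation already done.
    r.analyst_alert = {
        "title": f"Malware {alert.sha256[:12]} on {len(affected)} host(s)",
        "severity": "critical" if r.pending_approval else "high",
        "isolated": r.isolated,
        "needs_approval": r.pending_approval,
        "blocked": r.blocked_ips,
    }
    return r
```

The two guard rails are the part worth copying: automated containment is only safe when the playbook knows which hosts it must not touch on its own and which addresses it must not block, otherwise the automation becomes a denial-of-service tool the attacker merely has to trigger.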
How to Measure the Success of a Threat Intelligence Program
Key Performance Indicator | Metric | Possible Measurements
Workload | |
Detection success | |
Analyst skill | |
Key risks | |