Thwarting cyber threats just takes a little security operations strategy
Advice for staying ahead of cyber threats abounds, yet most organizations still struggle to keep pace with a constantly evolving threat landscape.
Recently, the Forbes Technology Council asked a panel of 13 IT experts for their strategies and approaches to more effectively do battle in what often feels like an all-out cyberwar. Let's take a look at a few of the suggestions that security operations teams should be considering.
Security Operations Strategy 1: Adopt a Zero Trust Model
Where the old saying goes "trust but verify," Zero Trust says never trust and always verify. The Zero Trust model, coined by John Kindervag, holds that organizations should never automatically trust any user or device, inside or outside the perimeter, without verifying it before granting access.
Implementing a Zero Trust approach requires a fundamental shift in an organization's security operations processes and mindset. It also requires a firm inventory of the environment's users, machines, applications and the like, because you cannot verify access to something you have not catalogued. This is why a variety of technologies are employed in support of a Zero Trust model - from multi-factor authentication (MFA) and identity and access management (IAM) to encryption, analytics and security orchestration.
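To make the "never trust, always verify" point concrete, here is an added example (not code from the original post or from any vendor) that puts a legacy perimeter decision next to a Zero Trust decision over the same request. The user, device and network inventories, the resource names and the reason strings are all constructed for the illustration:

```python
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress

# Constructed inventories: the "firm inventory" of users, machines and
# applications the article says Zero Trust depends on.
CORP_NET = ipaddress.ip_network("10.0.0.0/8")                          # legacy "inside" range
KNOWN_USERS = {"alice": {"finance-ledger", "wiki"}, "bob": {"wiki"}}   # identity -> apps it may reach
MANAGED_DEVICES = {"lt-0042", "lt-0107"}                               # enrolled, compliant endpoints


@dataclass
class Request:
    user: str
    src_ip: str
    resource: str
    mfa_passed: bool = False
    device_id: Optional[str] = None


def perimeter_decision(req: Request) -> bool:
    """'Trust but verify' as it is usually deployed: being on the corporate
    network is the verification, so an attacker who gets inside is trusted."""
    return ipaddress.ip_address(req.src_ip) in CORP_NET


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Never trust, always verify: the same checks run for every request and
    the source address never appears in them. Returns (allowed, reason)."""
    if req.user not in KNOWN_USERS:
        return False, "unknown identity"
    if not req.mfa_passed:
        return False, "MFA required"
    if req.device_id not in MANAGED_DEVICES:
        return False, "unmanaged device"
    if req.resource not in KNOWN_USERS[req.user]:
        return False, f"{req.user} not authorized for {req.resource}"
    return True, "verified"


def decide(req: Request, audit_log: list) -> bool:
    """Enforce the Zero Trust decision and record it; the log is what the
    analytics and orchestration layers consume."""
    allowed, reason = zero_trust_decision(req)
    audit_log.append({"user": req.user, "src": req.src_ip, "resource": req.resource,
                      "allowed": allowed, "reason": reason})
    return allowed


if __name__ == "__main__":
    log = []
    # Constructed cases: an unverified request from the LAN and a fully
    # verified request from a coffee shop.
    inside_no_mfa = Request("alice", "10.1.2.3", "finance-ledger")
    remote_verified = Request("alice", "203.0.113.7", "finance-ledger",
                              mfa_passed=True, device_id="lt-0042")
    for req in (inside_no_mfa, remote_verified):
        print(f"{req.src_ip:14s} perimeter={perimeter_decision(req)!s:5s} "
              f"zero_trust={decide(req, log)!s:5s} ({log[-1]['reason']})")
```

The perimeter model allows the unverified LAN request and blocks the verified remote one; the Zero Trust model does the opposite, because location was never an input to the decision.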
Security Operations Strategy 2: Get Clear Visibility into Your IT Infrastructure
Drawing up an effective defense plan is impossible if you don't know what you're supposed to be defending. No amount of technology or process can make up for a lack of visibility into your environment. Organizations must get a better view and inventory of the assets and users for which they're responsible, and then apply technologies and processes accordingly.
One approach that is still in its relative infancy is NOC/SOC integration. SANS found that only 12% of organizations have fully integrated these two functions at both the process and technical levels. The advantages of bringing these groups into alignment are numerous, however, ranging from a deeper understanding of risks and threats to improved visibility, reduced duplication of effort, opportunities for cross-training and faster incident response.
For a practical example, see how Horace Mann Educators Corporation used security orchestration to create an integrated operations center (IOC).
Security Operations Strategy 3: Understand Your Top Threats
Knowing is half the battle. While the threats any given organization sees can seem random, that usually isn't the case. Closer inspection often reveals patterns related to attack vectors, compliance gaps and vulnerabilities.
Work with your internal stakeholders to home in on the issues that arise most frequently. Look at case histories. Can your team identify common incidents? Understanding the threats that are most prevalent in your environment lets your team do two things.
First, your team can better prioritize which processes to put in place first. Do your users receive an overabundance of phishing attempts? Move solidifying your phishing-response workflows to the top of the to-do list. Second, understanding your most common threats helps you allocate resources more effectively. Does a particular type of vulnerability come up over and over again? Allocate resources to addressing it quickly and look for ways to automate the management of those vulnerabilities going forward.
Security Operations Strategy 4: Automate and Orchestrate Your Workflow
We talk about it all the time - technology is in oversupply and talent is scarce, which means security teams can't keep up with growing alert volumes. Most SOCs face an overabundance of repetitive tasks, chiefly weeding out false positives, which can be handled easily through security automation.
However, before you can take full advantage of orchestration and automation, you need defined workflows to...you know...orchestrate and automate. Security operations teams too often rely on tribal knowledge and undocumented, manual processes, which lengthens incident response and drives up mean time to detect (MTTD) and mean time to respond (MTTR). As a first step, SOC managers should work with their teams to define and document processes, codifying them into playbooks. From there, security orchestration and automation can be applied to unify and automate your technologies and processes.
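The following Python script is an added example (not code from the original post, and not any particular orchestration product's playbook format) that ties Strategy 3 and Strategy 4 together: it ranks incident categories from a case history, then runs a written-down triage playbook for the top category so that the repetitive false positives are closed without an analyst touching them. The incident records, mail alerts, domain names and allowlist are all constructed for the illustration:

```python
from collections import Counter
from urllib.parse import urlparse
import re

INTERNAL_DOMAIN = "corp.example"  # constructed: the organization's own mail domain

# Constructed case history as (category, summary); a real team would pull this
# from its ticketing system.
INCIDENT_HISTORY = [
    ("phishing", "user reported suspicious invoice email"),
    ("phishing", "credential-harvesting link sent to 3 recipients"),
    ("malware", "commodity trojan blocked by endpoint agent"),
    ("phishing", "spoofed executive gift-card request"),
    ("vulnerability", "unpatched web server found in scan"),
    ("phishing", "fake MFA prompt page"),
    ("malware", "macro document quarantined"),
]


def rank_threats(history):
    """Strategy 3: rank incident categories by frequency, most common first."""
    return Counter(category for category, _ in history).most_common()


# Constructed mail-gateway alerts for the top category.
PHISHING_ALERTS = [
    {"id": "A-1", "sender": "newsletter@trusted-vendor.example",
     "urls": ["https://trusted-vendor.example/news"]},
    {"id": "A-2", "sender": "ceo@c0rp.example", "urls": []},
    {"id": "A-3", "sender": "it-support@mail.example",
     "urls": ["https://mail.example/account/verify"]},
    {"id": "A-4", "sender": "partner@partner.example",
     "urls": ["https://partner.example/q3-report.pdf"]},
    {"id": "A-5", "sender": "hr@corp.example",
     "urls": ["https://hr.corp.example/login"]},
]

# Tribal knowledge written down as data so the playbook can act on it.
ALLOWLISTED_SENDERS = {"newsletter@trusted-vendor.example"}
CREDENTIAL_WORDS = re.compile(r"login|verify|password|mfa|signin", re.I)


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True for typo-squats of our own domain such as c0rp.example."""
    return domain != INTERNAL_DOMAIN and edit_distance(domain, INTERNAL_DOMAIN) <= 1


def is_internal_host(host):
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)


def phishing_playbook(alert):
    """Strategy 4: the documented triage steps, in the order analysts run them.
    Returns (disposition, action)."""
    sender = alert["sender"].lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    # Step 1: known-benign bulk senders are most of the noise; close them.
    if sender in ALLOWLISTED_SENDERS:
        return "false_positive", "auto-close"
    # Step 2: a sender domain impersonating ours is confirmed; contain at once.
    if is_lookalike(sender_domain):
        return "confirmed_phish", "block sender, purge from mailboxes, notify recipients"
    # Step 3: credential-harvest style path on a host we do not own; a login
    # link on our own domain (A-5) is deliberately not flagged here.
    for url in alert["urls"]:
        parsed = urlparse(url)
        if CREDENTIAL_WORDS.search(parsed.path) and not is_internal_host((parsed.hostname or "").lower()):
            return "suspected_phish", "detonate URL in sandbox, open analyst ticket"
    # Step 4: nothing matched a codified rule, so a human looks at it.
    return "needs_review", "assign to analyst queue"


def run_playbook(alerts):
    """Apply the playbook to every alert; returns {alert id: (disposition, action)}."""
    return {a["id"]: phishing_playbook(a) for a in alerts}


def summarize(results):
    """Count dispositions to show how much left the analyst queue automatically."""
    return Counter(disposition for disposition, _ in results.values())


if __name__ == "__main__":
    for category, count in rank_threats(INCIDENT_HISTORY):
        print(f"{category:14s} {count}")
    results = run_playbook(PHISHING_ALERTS)
    for alert_id, (disposition, action) in results.items():
        print(alert_id, disposition, "->", action)
    print(summarize(results))
```

Each playbook step is a rule the team agreed on and wrote down; the allowlist and the lookalike check are the parts that would otherwise live only in a senior analyst's head. Once the steps exist as data and code, an orchestration layer can run them on every alert and hand analysts only the `needs_review` and `suspected_phish` cases.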
For more on how your security operations team can get started using security automation, check out our webinar on security automation quick wins.