Why Singaporean Businesses should Incorporate AI / Machine Learning into their Cybersecurity Operations

Did you know that 96 percent of Singaporean businesses have reportedly suffered a data breach? And cybercrime is not slowing down. With the financial risk from cyberattacks estimated at US$5.2 trillion between 2019 and 2023, it creates an ongoing challenge for investors, corporations, and consumers around the world. In Singapore, experts detected approximately 4.66 million web threats in 2019. This shocking statistic reinforces the need for innovative ways of enhancing cybersecurity within our region.

Earlier this year, Finance Minister Heng Swee Keat revealed that the Singapore government will be investing S$1 billion to strengthen its cyber and data security systems to safeguard its critical information infrastructures, as well as its citizens’ data. Moving forward as a digital economy and smart nation, and with increasingly adopted technologies like artificial intelligence (AI), Machine Learning (ML), and Internet of Things (IoT), the Singapore government will also provide more funding to local deep-tech startups and small and midsized businesses (SMBs).

While the term AI was first coined in 1956, today it is a field of computer science focused on how machines can imitate human intelligence. Successful applications of AI include beating humans at Go, diagnosing cancer, and operating autonomous vehicles. Over the last 10 years, the potential of AI to help with cybersecurity problems has evolved from being overhyped into a critical ingredient of enterprise security programs. In its Top Security and Risk Trends for 2020, Gartner projects that “AI, and especially machine learning (ML), will continue to automate and augment human decision making across a broad set of use cases in security and digital business.”

Finding a Needle in a Haystack

While it is common knowledge to security professionals, others may be surprised by the daily volume of security logs generated by enterprises. The logs generated by firewalls, authentication servers, endpoints, and a variety of other devices and security tools total many millions every day. Security information and event management (SIEM) tools can use rules to filter and prioritize these logs into alerts, but it is the job of security analysts to investigate the most critical alerts. For example, out of 10 million daily logs, hundreds may require expert human investigation.

Security analyst investigations include examining detailed log data, reviewing correlated events and threat intelligence, and looking for suspicious behavior. Analysts must quickly determine if the event has actually compromised the organization’s security, is a potential threat, or is a false positive. This difficult and time-consuming work is made even more challenging by the high percentage of alerts that are false positives. This is why it is not uncommon for security analysts to get “alert fatigue” – losing motivation to thoroughly investigate alerts.

Reactive investigations are necessary but insufficient for a robust security defense. Security teams should also proactively hunt for threats that do not trigger system alerts. Targeted attacks often aim at stealing critical data and use techniques like obtaining user credentials, escalating access to a privileged user, and moving laterally across the network. These attacks, also known as advanced persistent threats (APTs), can result in an attacker gaining unauthorized access to a system or network and remaining there for an extended period without being detected. The time a hacker goes undetected on your network, or “dwell time”, is commonly measured in months. APTs that use multi-stage attacks spread over long periods, commonly referred to as low-and-slow attacks, are hard to detect with rule-based analytics alone. The practice of hackers changing or morphing their attack techniques further adds to the challenge of threat hunting.
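To make the difference between alert-driven detection and threat hunting concrete, here is an added example that is not part of the original article. It runs a conventional sliding-window correlation rule (five failed logons from one source inside ten minutes) and a long-horizon hunting query over a constructed authentication log; the log format, the addresses (documentation ranges) and the thresholds are assumptions chosen for the illustration. The noisy burst trips the rule, while the low-and-slow trickle of one failure every eight hours only surfaces when the hunt aggregates over weeks.

```python
"""Why a fixed-window correlation rule misses 'low and slow' activity.

Added example (not from the article). The log lines are constructed and use a
made-up syslog-like format: "<ISO timestamp> <FAIL|OK> user=<name> src=<ip>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a six-failure burst inside ten minutes from 203.0.113.9,
# a trickle of one failure every eight hours for a week from 198.51.100.7,
# and some ordinary successful logons as background noise.
BURST = [f"2020-06-01T09:{m:02d}:00 FAIL user=jsmith src=203.0.113.9" for m in range(0, 12, 2)]
TRICKLE = [
    (datetime(2020, 6, 1, 1, 0) + timedelta(hours=8 * i)).strftime("%Y-%m-%dT%H:%M:%S")
    + " FAIL user=admin src=198.51.100.7"
    for i in range(21)  # 21 failures spread over 7 days
]
NOISE = [f"2020-06-0{d}T12:00:00 OK user=alice src=192.0.2.10" for d in range(1, 8)]
SAMPLE_LOG = sorted(BURST + TRICKLE + NOISE)  # ISO timestamps sort chronologically as text


def parse(line):
    """Turn one constructed log line into a dict with a datetime."""
    ts, result, user, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "result": result,
            "user": user.split("=", 1)[1], "src": src.split("=", 1)[1]}


def sliding_window_rule(lines, threshold=5, window=timedelta(minutes=10)):
    """Classic SIEM correlation rule: alert when one source produces >= threshold
    failures inside a sliding time window. Returns the alerting source addresses."""
    recent = defaultdict(deque)
    alerts = set()
    for ev in map(parse, lines):
        if ev["result"] != "FAIL":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.add(ev["src"])
    return alerts


def long_horizon_hunt(lines, horizon=timedelta(days=30), threshold=15):
    """Hunting query: total failures per source over a long horizon, regardless of
    pacing. This is what catches activity deliberately kept below rule thresholds."""
    events = [parse(l) for l in lines]
    end = max(ev["ts"] for ev in events)
    totals = defaultdict(int)
    for ev in events:
        if ev["result"] == "FAIL" and end - ev["ts"] <= horizon:
            totals[ev["src"]] += 1
    return {src for src, n in totals.items() if n >= threshold}


if __name__ == "__main__":
    print("rule alerts:", sliding_window_rule(SAMPLE_LOG))   # only the burst
    print("hunt results:", long_horizon_hunt(SAMPLE_LOG))    # only the trickle
```

The two functions are complementary rather than competing: the rule fires within minutes on the burst, and the hunt, run daily or weekly over a long baseline, surfaces the source that never exceeded five failures in any ten-minute window.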

AI to the Rescue

Initial approaches to detecting threats used a subset of AI called unsupervised machine learning to detect anomalies. Unfortunately, while AI has been proven to predict significant future events, the range of behaviors of users, applications, and external data is so complex that it is very hard to identify malicious outliers. The result was many AI-powered products that generated too many false positives to be practical.

While unsupervised learning attempts to find patterns among data points without knowing the meaning of the data, supervised learning infers a relationship based on existing data labels. For example, an AI model can learn to recognize pictures of a table after being trained on a large number of images that are identified as tables. However, in the field of cybersecurity, it is very hard to obtain labelled data to train detection models. Additionally, hackers can change or adapt their attack techniques faster than a supervised learning model can be trained.

The solution to these limitations is active supervised learning, which engages human experts to help create and train threat hunting models. Organizations that use both AI and humans are 20 times stronger against cyberattacks than those relying on traditional methods. The resulting AI models, combined with expert feedback, can quickly learn to distinguish between malicious and normal behavior. AI-powered threat hunting enables security analysts to significantly increase productivity and to detect and respond to more real threats that would otherwise have resulted in a damaging breach.
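As an added illustration (not from the article), the following Python sketches the three stages the preceding paragraphs describe, over a constructed set of outbound sessions. A robust outlier score flags unusually large transfers, which catches nightly backups as well as the malicious transfers and so produces false positives. The active-learning loop then asks a simulated analyst only about the alerts least like anything already labelled, and labels the remaining alerts by their nearest labelled neighbour. The session values, the ANALYST oracle and the feature scaling are all assumptions made for the example.

```python
"""Unsupervised anomaly alerts versus analyst-in-the-loop (active) learning.

Added example, not from the article. Sessions and analyst verdicts are constructed.
"""
import math
from statistics import median

# Constructed outbound-session records: (session_id, bytes_out_mb, hour_of_day, to_new_destination)
SESSIONS = [
    ("b1", 5, 9, 0), ("b2", 8, 10, 0), ("b3", 10, 11, 0), ("b4", 12, 13, 0),
    ("b5", 14, 14, 0), ("b6", 16, 15, 0), ("b7", 18, 16, 0), ("b8", 20, 17, 0),
    ("k1", 500, 2, 0), ("k2", 520, 2, 0), ("k3", 490, 3, 0),   # nightly backups: benign but large
    ("x1", 480, 3, 1), ("x2", 450, 5, 1),                       # large transfers to a new destination
]
# Constructed analyst verdicts; the loop consults this "oracle" only when it asks a question.
ANALYST = {"k1": "benign", "k2": "benign", "k3": "benign", "x1": "malicious", "x2": "malicious"}


def robust_z(values):
    """Median/MAD outlier score: unlike a mean/stdev z-score it is not dragged by the outliers."""
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0
    return [abs(v - med) / mad for v in values]


def unsupervised_alerts(sessions, threshold=3.0):
    """Stage 1 (unsupervised): flag every session whose outbound volume is an outlier."""
    scores = robust_z([s[1] for s in sessions])
    return {s[0]: z for s, z in zip(sessions, scores) if z >= threshold}


def features(session):
    """Feature vector for the supervised stage. The scaling is an assumption chosen so the
    'new destination' flag weighs about as much as volume and time of day."""
    _, mb, hour, new_dest = session
    return (mb / 100.0, float(hour), 3.0 * new_dest)


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def active_triage(sessions, alerts, budget=3):
    """Stage 2 (active supervised): farthest-first querying of the analyst.

    Each round asks about the alert least similar to anything already labelled, so
    a few answers cover the distinct kinds of alert. Everything not asked about is
    then labelled by its nearest labelled neighbour. Returns (queried_ids, verdicts)."""
    by_id = {s[0]: s for s in sessions}
    labelled = {}
    unlabelled = set(alerts)
    queried = []
    for _ in range(min(budget, len(unlabelled))):
        if not labelled:
            pick = max(unlabelled, key=lambda i: alerts[i])   # first question: most anomalous alert
        else:
            pick = max(unlabelled, key=lambda i: min(
                dist(features(by_id[i]), features(by_id[j])) for j in labelled))
        labelled[pick] = ANALYST[pick]
        unlabelled.remove(pick)
        queried.append(pick)
    verdicts = dict(labelled)
    for i in unlabelled:
        nearest = min(labelled, key=lambda j: dist(features(by_id[i]), features(by_id[j])))
        verdicts[i] = labelled[nearest]
    return queried, verdicts


if __name__ == "__main__":
    alerts = unsupervised_alerts(SESSIONS)
    print("unsupervised alerts:", sorted(alerts))         # five alerts, three of them backups
    print("analyst asked about:", active_triage(SESSIONS, alerts)[0])
    print("verdicts:", active_triage(SESSIONS, alerts)[1])
```

With three analyst answers the loop separates the backups from the transfers to a new destination, and the two backup alerts the analyst never saw are closed as benign by similarity. On real data the feature set and scaling have to be learned or tuned rather than hand-picked, but the shape of the loop (anomaly candidates, targeted expert questions, model update) is the one the text describes.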

Can AI Defend Against AI?

Just as security teams and technology vendors are adopting AI to detect and contain threats, hackers can also use AI to power their attacks. Hackers are expected to use AI techniques to target organizations, develop new exploits, and detect vulnerabilities. AI is expected to increase the speed of attacks while reducing cost. For example, writing an effective phishing email takes time and creativity; AI can help automate this process.

The good news is that developers of security tools are also rapidly adopting AI as part of product development and enhancement. However, there is still a lot of marketing hype around AI, so we advise you to dig into the details to assess whether your vendors are fully leveraging AI/ML technologies before you make the leap.

Conclusions

Organizations can use machine learning to detect suspicious and unusual patterns that are nearly impossible for the human eye to discover. Detection algorithms can continuously compare network data packets to discover anomalous traffic, then apply strategies such as statistical monitoring and anomaly detection to identify malware variants communicating over a network. Cybersecurity is traditionally a very time-consuming task, but with effective use of AI you can begin to make your cybersecurity teams more efficient.

Europe’s 2020 Cybersecurity Evolution: Securing Teleworkers

How cybersecurity of organisations in Europe will change and adapt with teleworking and the migration to the cloud

When 2020 arrived, no one could have predicted or expected the drastic changes we are seeing in light of the COVID-19 pandemic. Not only has the pandemic changed cybersecurity, it has also created a huge paradigm shift in the way that organisations work.

The pandemic caused a rush across Europe to get employees out of the office and working from home, creating a requirement to better secure the teleworkers. Prior to the pandemic, only 5.2% of people regularly worked from home across the EU. A Europe-wide push for people to self-isolate proved challenging for the majority of the continent’s population who typically hadn’t been working from home; however, now that this paradigm has shifted, organisations across Europe are turning their attention to how they will work in the future.


Creating the New Normal in the Cloud

There has been much talk in the media about the “new normal” and what that will look like when it comes to cybersecurity. With lockdown restrictions easing, the return to the office is firmly on the board’s agenda. Most European organisations are considering two options – allow their employees to work from home full-time or adopt a “hybrid” workplace approach, where employees will split their time between working in the office and at home.

The pandemic has helped many employees realize how much they enjoy the work/life balance and appreciate not having to commute to an office five days a week. They have also proven that they can work just as effectively from home as in the office. Research predicts that the number of UK employees working from home on a regular basis will double, increasing to 37%, compared to 18% before the pandemic hit.

In line with this change, many European organisations have reduced their real estate and have less need for on-premises solutions. This is creating a shift to cloud-based solutions that will provide stronger protection for teleworkers. The growth in cloud computing has been massive and transformational – and quickly sped up with the pandemic.

Cybersecurity for Teleworking

If employees are going to work from home on a regular basis, their cybersecurity hygiene should be considered by the organisations they work for. There are myriad challenges in securing teleworkers; for instance, employees might be more likely to fall victim to a phishing email or to cut corners when it comes to backing up important company data.

Phishing attacks have grown by over 60% in the UK since the COVID-19 pandemic began and are widely recognised as the top cause of data breaches. Hackers are getting much more sophisticated in their phishing attempts, and once an employee clicks on a malicious link, the attacker may be able to gain access to the employer’s device or sensitive data.

Cybersecurity for home workers is very different from cybersecurity in the office. Employees’ home networks will often use weaker security protocols (WEP instead of WPA2, for example), which can allow hackers to access network traffic much more easily. To help with this change, many organizations are looking for upgraded security tools and services that can be entirely cloud based. It’s a good time to review remote access solutions and policies, to ensure your team is working securely while remote.

Securing the Cloud

With the transition of more employees to working from home, it is not surprising that cloud technologies have been adopted at an incredible rate in recent months. Of the 250 IT leaders surveyed, 82% said they have increased their use of the cloud in direct response to the COVID-19 pandemic, with 60% saying their use of off-prem technologies has continued to grow post-pandemic. The same study also found that respondents believe that by 2025 only 22% of workloads will reside on-prem, compared to 35% of workloads that resided on-prem prior to the COVID-19 outbreak.


From a business continuity perspective, there has never been a better time to make the move to the cloud. The ability to allow employees to work from anywhere via a virtual desktop or remote infrastructure has been instrumental to keeping employees working, and business moving, during the COVID-19 pandemic.

However, data sovereignty issues now become more of a focus and risk, especially for Chief Regulatory Officers and General Counsels. This country-specific requirement states that digital data must remain within that country’s borders and is subject to the laws of the country in which it is collected and processed. Many countries have had data protection laws for decades, and with the stricter rules put in place by the EU’s General Data Protection Regulation (GDPR), the concerns have become much more prominent.

So while the migration to cloud-based technologies may be straightforward, securing it may not be. Some teams are well equipped to deal with the transition, but many find themselves struggling to secure their teleworkers. The cybersecurity skills shortage in Europe is expected to be nearly 350,000 by 2022, which means many teams will have to look for alternative ways to secure their cloud technology.

For many in Europe, the idea of a SOC-as-a-Service, or outsourced managed services, wasn’t a consideration prior to the pandemic. But given the swift changes organizations had to make, they have realized that partners can help to fill a gap with their IT security. Cloud-based SOC-as-a-Service providers offer a lot of flexibility for organizations and 24/7 protection that many organizations can’t fulfill in-house.

If you find yourself trying to build out a secure, cloud-based security program, here are a few principles that you should follow when transitioning data to the cloud:

  • Monitor and secure your Office 365 implementation. Office 365 continues to be adopted at an exponential rate, especially since the global coronavirus pandemic hit earlier this year. While it allows businesses to be more efficient and productive when it comes to remote working, it is also a high-value target for cybercriminals. Properly monitoring your Office 365 environments for your remote workers can help to detect account compromises, identify phishing attempts or suspicious email patterns, and detect password attacks, suspicious file sharing, permission changes or downloads. Having use cases to monitor your remote workers’ Office 365 environment is crucial whether you run a hybrid-cloud or multi-cloud model, and even more so when you have employees working from home.
  • Make sure your data is secure. Data in transit should be encrypted end to end. In addition, all interactions with servers should happen over TLS (TLS 1.2). This will ensure the highest level of security. The TLS connection should only terminate within the cloud service provider’s network.
  • Get a virtual private network (VPN) and virtual private cloud (VPC). Having a dedicated cloud environment gives you total control of your data. The VPC can be connected securely to your corporate data centre, and all traffic to and from instances in the VPC can be routed to that data centre over an industry-standard encrypted Internet Protocol Security (IPsec) hardware VPN connection. This connection should also be monitored 24/7 for suspicious activity.
  • Look for partners who can help. If you’re struggling to secure your cloud environments, consider finding a partner to assist. Utilising SOC-as-a-Service or other managed security services allows you to not only fill a gap within IT security, but also offers significant cost savings through tailored service offerings. Their continuous detection, protection and response is a great option for organisations that do not have resources for a 24/7 in-house team.
  • Ensure partners follow rigorous compliance standards. If you find yourself looking for partners, make sure their compliance standards are robust. Two of the most important are SOC 2 Type 2 and GDPR. SOC 2 Type 2 is good for internal risk management processes, regulatory compliance oversight and vendor management programs. It confirms that a cloud service maintains the highest possible level of data security. GDPR is the European standard when it comes to data compliance. You should ensure your partners are adhering to best practices that will achieve GDPR compliance.
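The Office 365 monitoring use cases in the first point above, as an added example that is not code from the article, from Proficio or from Microsoft. It runs four detections (a failed-logon burst followed by a success from the same address, a mass download, an anonymous sharing link, and a mailbox rule change) over constructed records shaped like Unified Audit Log entries. The field names and operation names follow that schema as recalled here and should be checked against the current documentation; the thresholds are illustrative assumptions, not tuned baselines.

```python
"""Detection use cases over Office 365 Unified Audit Log style records.

Added example, not from the article. Records are constructed; field names
(CreationTime, Operation, UserId, ClientIP, ObjectId) follow the Unified Audit Log
schema as the example author recalls it. Thresholds are illustrative assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def ev(t, op, user, ip, obj=""):
    """Build one constructed audit record."""
    return {"CreationTime": t, "Operation": op, "UserId": user, "ClientIP": ip, "ObjectId": obj}


AUDIT_LOG = [
    # eight failed logons in eight minutes, then a success from the same address (constructed)
    *[ev(f"2020-06-03T02:{m:02d}:10", "UserLoginFailed", "dana@example.com", "203.0.113.50") for m in range(8)],
    ev("2020-06-03T02:09:00", "UserLoggedIn", "dana@example.com", "203.0.113.50"),
    # thirty document downloads in thirty minutes (constructed)
    *[ev(f"2020-06-03T02:{m:02d}:00", "FileDownloaded", "dana@example.com", "203.0.113.50",
         f"Finance/Q2-{m}.xlsx") for m in range(10, 40)],
    # anonymous sharing link and a mailbox rule change (constructed)
    ev("2020-06-03T02:41:00", "AnonymousLinkCreated", "dana@example.com", "203.0.113.50", "Finance/Board-pack.pdf"),
    ev("2020-06-03T02:42:00", "New-InboxRule", "dana@example.com", "203.0.113.50", "Rule: forward to external"),
    # ordinary daytime activity that must not alert (constructed)
    ev("2020-06-03T09:15:00", "UserLoggedIn", "lee@example.com", "198.51.100.20"),
    ev("2020-06-03T09:20:00", "FileDownloaded", "lee@example.com", "198.51.100.20", "HR/Handbook.pdf"),
]


def _ts(rec):
    return datetime.fromisoformat(rec["CreationTime"])


def burst_by_user(records, op, window, threshold):
    """Users with >= threshold events of one Operation inside a sliding window.
    Returns {UserId: largest count seen in any window}."""
    per_user = defaultdict(deque)
    flagged = {}
    for r in sorted(records, key=_ts):
        if r["Operation"] != op:
            continue
        q = per_user[r["UserId"]]
        q.append(_ts(r))
        while q[-1] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[r["UserId"]] = max(flagged.get(r["UserId"], 0), len(q))
    return flagged


def run_use_cases(records):
    """Evaluate the four use cases and return (use_case, user, detail) findings."""
    findings = []
    # Password attack that succeeded: failure burst, then a success from the same ClientIP
    # within 30 minutes of one of the failures.
    for user in burst_by_user(records, "UserLoginFailed", timedelta(minutes=15), 5):
        for r in records:
            if r["Operation"] == "UserLoggedIn" and r["UserId"] == user and any(
                    f["UserId"] == user and f["Operation"] == "UserLoginFailed"
                    and f["ClientIP"] == r["ClientIP"]
                    and timedelta(0) <= _ts(r) - _ts(f) <= timedelta(minutes=30)
                    for f in records):
                findings.append(("account_compromise", user, r["ClientIP"]))
                break
    # Mass download: 20 or more files by one user inside 30 minutes.
    for user, n in burst_by_user(records, "FileDownloaded", timedelta(minutes=30), 20).items():
        findings.append(("mass_download", user, n))
    # Single-event use cases: anonymous sharing links and mailbox permission/rule changes.
    for r in records:
        if r["Operation"] == "AnonymousLinkCreated":
            findings.append(("anonymous_share", r["UserId"], r["ObjectId"]))
        if r["Operation"] in ("New-InboxRule", "Set-InboxRule", "Add-MailboxPermission"):
            findings.append(("mailbox_change", r["UserId"], r["Operation"]))
    return findings


if __name__ == "__main__":
    for finding in run_use_cases(AUDIT_LOG):
        print(*finding)
```

Each use case is written as a small, independently testable function over the same record shape, which is how these rules are normally maintained in a SIEM or SOAR content library; on a live tenant the records would come from the audit log export or API rather than from the constructed list.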

There is a lot to consider during this time of uncertainty, but once the dust settles, migrating to the cloud properly will provide benefits to your employees and customers alike. If you’re looking for a partner who can help you with this transition, or if we can be of help in any way, please feel free to contact us.

5 Reasons the MITRE Framework is Being Adopted by the Industry

Since the MITRE ATT&CK framework was released in 2013, it has become widely used by cybersecurity teams. Built to be complementary to other frameworks, like the Lockheed Martin Cyber Kill Chain, the ATT&CK method (Adversarial Tactics, Techniques & Common Knowledge) was created to be a “foundation for the development of specific threat models and methodologies”.

The MITRE ATT&CK framework breaks down known tactics and techniques into 11 main categories. This free resource provides cybersecurity teams with a systematic approach to classifying attacks and assessing risk based on how an attacker might act. As the cybersecurity landscape continues to evolve, we expect frameworks like MITRE to play an important role and be a key component in the SOC of the future.

Here are five reasons the MITRE framework is being adopted in the industry and why you should consider using it for your organization.

Structure Your Defenses

Using the MITRE framework automatically creates an organized approach to building your cybersecurity defenses. The standardization they provide in their matrix is logically built out to help organizations form a baseline cyber strategy. Organizations both young and old can utilize this framework to achieve comprehensive detection of known threats. Using tools such as DetectionLab will allow you to create a mock environment to see how specific tactics behave so you can create correlation rules that will trigger an alert for suspicious activity.

Be Stronger Together

The MITRE framework is constantly being worked on and developed by the excellent team at the MITRE Corporation. Additionally, they accept and encourage public submissions, recognizing that we are stronger when we work together. While they only publish updates twice a year, they do a great job keeping abreast of the latest threats from across the globe. And if you’re using the Sigma format when writing use cases (which we highly recommend), you can also take advantage of the rules already created by the community.

Be the Best, With the Best

Although there are many security frameworks available, many in the industry believe that MITRE is the best framework to use. The framework is newer and, in many cases, considered more relevant to today’s cyberthreats. It also provides much more granularity into known tactics and techniques, which makes it a valuable tool for anyone new (or not!) to cybersecurity. The level of description provided for each technique (or sub-technique) helps to answer the critical question, “how can I detect this?” The MITRE framework provides a high level of detail that includes a definition of the tactic, procedure examples, mitigations, detection details, platforms the activity is performed on, and data sources whose logs will show the activity. It gives you much of what you need to understand each type of activity and start looking for it in a network or system.

Build Trackable Metrics

Using the MITRE framework gives you a baseline for mapping trends. Not only will this help you track where your attacks are coming from, and how you can better defend your organization, but it may also help you to discover defensive strengths and weaknesses – and then provide direction on how to close any gaps in your security posture. As an added bonus, you can use the ATT&CK Navigator, which is a tool that allows you to customize your matrix. This tool acts as a whiteboard for MITRE, allowing you to color code, annotate, and even export to Excel. It is a good way to visualize your coverage; at a quick glance, you can see what areas you have got covered – and where you have gaps – helping you ensure you have well-rounded coverage.
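Added example, not part of the original post and not MITRE’s or Proficio’s tooling: a small Python script that reads the ATT&CK tags from Sigma-style rule metadata, reports which techniques and tactics the use cases cover, lists tactics with no rule at all, and writes a layer file that can be loaded into the ATT&CK Navigator to colour the matrix by coverage. The rules are constructed stand-ins carrying only the metadata that matters here (title, status, tags); the tactic list and the layer version strings are the example’s own assumptions to be checked against the current matrix and Navigator release; the technique IDs are real ATT&CK Enterprise IDs.

```python
"""Map Sigma-style use cases to ATT&CK and export an ATT&CK Navigator layer.

Added example, not from the article. RULES are constructed; the Sigma tag convention
('attack.tNNNN[.NNN]' for techniques, 'attack.<tactic_with_underscores>' for tactics)
is the community one. ENTERPRISE_TACTICS and the layer version strings are assumptions.
"""
import json
import re
from collections import defaultdict

TECH_RE = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$")
TACTIC_RE = re.compile(r"^attack\.([a-z_]+)$")

# Navigator tactic names as assumed by this example; verify against the live matrix.
ENTERPRISE_TACTICS = [
    "initial-access", "execution", "persistence", "privilege-escalation", "defense-evasion",
    "credential-access", "discovery", "lateral-movement", "collection",
    "command-and-control", "exfiltration", "impact",
]

# Constructed rules (Sigma metadata only). Technique IDs are real ATT&CK Enterprise IDs.
RULES = [
    {"title": "Brute-force logon attempts", "status": "stable",
     "tags": ["attack.credential_access", "attack.t1110"]},
    {"title": "Valid account used from new country", "status": "experimental",
     "tags": ["attack.initial_access", "attack.defense_evasion", "attack.t1078"]},
    {"title": "RDP lateral movement", "status": "stable",
     "tags": ["attack.lateral_movement", "attack.t1021"]},
    {"title": "Spearphishing attachment opened", "status": "stable",
     "tags": ["attack.initial_access", "attack.t1566"]},
    {"title": "Shell spawned by Office application", "status": "test",
     "tags": ["attack.execution", "attack.t1059"]},
]


def parse_tags(tags):
    """Split Sigma tags into (technique IDs, Navigator-style tactic names)."""
    techniques, tactics = [], []
    for tag in tags:
        m = TECH_RE.match(tag)
        if m:
            techniques.append(m.group(1).upper())     # t1059.001 -> T1059.001
            continue
        m = TACTIC_RE.match(tag)
        if m:
            tactics.append(m.group(1).replace("_", "-"))
    return techniques, tactics


def coverage(rules):
    """technique -> {'rules': [titles], 'tactics': {names}} for every mapped technique."""
    cov = defaultdict(lambda: {"rules": [], "tactics": set()})
    for rule in rules:
        techniques, tactics = parse_tags(rule["tags"])
        for tid in techniques:
            cov[tid]["rules"].append(rule["title"])
            cov[tid]["tactics"].update(tactics)
    return dict(cov)


def uncovered_tactics(rules, all_tactics=ENTERPRISE_TACTICS):
    """Tactics in the matrix that no rule maps to: the gaps to plan use cases for."""
    covered = {t for r in rules for t in parse_tags(r["tags"])[1]}
    return [t for t in all_tactics if t not in covered]


def navigator_layer(rules, name="Use-case coverage"):
    """Build a Navigator layer; score = number of rules covering the technique,
    comment = the rule titles, so the matrix can be coloured and annotated."""
    entries = []
    for tid, info in sorted(coverage(rules).items()):
        for tactic in sorted(info["tactics"]) or [None]:
            entry = {"techniqueID": tid, "score": len(info["rules"]),
                     "comment": "; ".join(info["rules"]), "enabled": True}
            if tactic:
                entry["tactic"] = tactic
            entries.append(entry)
    return {
        "name": name,
        "versions": {"attack": "8", "navigator": "4.0", "layer": "4.0"},  # assumed; match your Navigator
        "domain": "enterprise-attack",
        "description": "Generated from Sigma rule tags",
        "techniques": entries,
        "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 2},
    }


if __name__ == "__main__":
    print("uncovered tactics:", uncovered_tactics(RULES))
    print(json.dumps(navigator_layer(RULES), indent=2))
```

Saving the printed JSON and opening it in the Navigator gives the at-a-glance coverage view described above; running the script in CI against the real rule repository keeps the layer current as use cases are added.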


Speak A Common Language

The broad adoption of MITRE makes it an easy way to communicate details to others in a more digestible fashion – not only within your organization, but also to clients, partners, and others in the industry. This is why so many Managed Security Services Providers (MSSPs) have adopted this framework within their organization. It has also become the common language in the cybersecurity community, allowing us to work together to fight against cybercriminals.

Wherever you are in your cybersecurity journey, it is never too late to redefine your processes to better align with your long-term strategy. Proficio finds the MITRE framework a great way to provide our clients with comprehensive cybersecurity coverage, writing our use cases in Sigma and mapping them to MITRE ATT&CK. If you are interested in seeing how the MITRE framework, and Proficio, can help keep your organization better protected, please contact us to learn more.

5 Strategies to Stretch Your Cybersecurity Budget

More than ever before, organizations are asking their cybersecurity teams to find savings, delay expenditures and get more value from their budgets.

While pushing vendors for price concessions, decreasing pay, or even laying off employees are options, IT leaders should use the pandemic as an opportunity to rethink their overall approach and find sustainable strategies to maximize the ROI from their IT security investments.

1. Be Business Driven

In order to do this, you must first have the relevant business data to make decisions.

Prioritize key outcomes from your cybersecurity program such as reducing risk, preventing data theft, and meeting compliance mandates. Frameworks such as NIST CSF, ISO 27001, CIS 20, COBIT, and HITRUST are useful tools, but aligning with something like the Sherwood Applied Business Security Architecture (SABSA) methodology allows for the prioritization of projects based on the business context and value. It is important to stay strategic and align cybersecurity outcomes with key business objectives.

Analyze your existing and planned spending in support of prioritized outcomes. Things to consider include the cost of employees, contractors, services, technology, support contracts, and infrastructure. Understand the variability of costs over the short and long term. Some costs may be locked in over the term of a contract while others may be more easily reduced or eliminated. Many vendors and MSPs offer utility-based pricing, which not only allows you to shift to an OpEx model but also provides the flexibility to pay for actual usage rather than for maximum capacity in advance.

2. Maximize the Value of Existing Tools

Many organizations do not take full advantage of the products they have. This may be due to a skills gap, incomplete implementation by the vendor, or simply because the original champion for the product has left the company. Whatever the reason, getting more out of your current tools improves cybersecurity outcomes and can delay spending on potentially unnecessary technology refreshes. Ask your vendors for free or low-cost training options and request a product roadmap briefing. You may find the functionality you think is missing is available for free in the next update.

In some cases, you may also find that spending money on external resources will help you better leverage a product’s capabilities. For example, in our experience many organizations only effectively use 50% of the functionality of next-generation firewalls (NGFWs). This is often due to incorrect or incomplete configurations and poorly defined standards. Partnering with a Managed Security Service Provider (MSSP) with mature operational processes and the necessary skills can help you maximize your investment in existing technologies, such as NGFWs or next-generation endpoint software.

3. Get Creative with Staffing

Employee costs make up a significant percentage of a typical organization’s budget – which means it’s also an area where there can be cost savings. It is important to maximize productivity by a combination of accomplishing more from existing staff and keeping salaries of new hires at reasonable levels.

Even before COVID reset the norms around working from home, the role of security in digital transformation was a hot topic. The pandemic has accelerated aspects of that transformation, forcing a rethink of the traditional workspace and adding a layer of workforce monitoring at a scale most organizations were not ready for, but it has also opened many employers and employees up to the idea of remote working or telecommuting. By considering a remote workforce from an expanded geographical base, you can reduce the cost of labor and access a larger pool of skilled professionals. In addition, you should consider hiring interns. While many organizations see their intern program as a way to recruit and train future full-time employees, interns often provide immediate value by off-loading entry-level but time-consuming tasks from other team members.

Look at how you can maximize the productivity of your current team by analyzing what work can be automated or even eliminated. Removing mundane tasks from the to-do list of skilled resources gives team members more time for professional growth, which is more cost-effective than hiring new resources to cover skills gaps. Implementing productivity improvement initiatives, such as streamlining workflows or implementing SOAR automation, frees staff to focus on other priorities or even engage in further training.

4. Outsource Security Operations

A Security Operations Center (SOC) plays a critical role in protecting organizations from damaging cyberattacks and in meeting compliance mandates. The primary function of a SOC is threat identification, analysis and response.

Standing up an in-house SOC is complex, time-consuming, and expensive. Studies have shown that the cost of building an in-house SOC can be five times more expensive than outsourcing. Based on our industry analysis, the breakeven point where an in-house SOC makes economic sense starts at organizations with over 500 security appliances and more than 10,000 employees. This assumes a 75% utilization of all resources and no advanced capabilities like Red Teams or threat intelligence research. It is often more effective for smaller organizations to focus resources on strategic planning and architectural work and to outsource the more operational functions to a service provider.

Most organizations cannot justify a big enough team to support the range of functions needed for around-the-clock security operations. A 24/7 SOC operation with a three-tier analyst team would require 8 level 1, 5 level 2, and 3 level 3 analysts; this is only productive at scale, and for a small organization these resources will be significantly underutilized. Additional team members with specialized skills such as SIEM administration, use case development, threat hunting, and incident response are needed to mount an effective cyber defense. For all but the largest organizations, partnering with MSSPs provides significant cost savings and is far more effective.

Acquiring, integrating, and tuning software is another challenge for organizations considering building an in-house SOC. In our experience, many businesses find that the software subscription for an enterprise SIEM is comparable to an MSSP’s fees for a complete service. In an outsourced model, an organization only pays for the actual utilization of the resources when a shared resourcing model is leveraged. And consuming infrastructure on a utility basis allows for more flexibility to ramp up and down without the burden of fixed costs.

While switching to an MSSP is economically beneficial, the real motivation should be the efficacy of the service and improved cybersecurity outcomes. Next-generation MSSPs and MDR service providers bring their clients superior threat visibility and best-in-class threat response and containment. Operational maturity is immediately improved when an MSSP is leveraged.

5. Consolidate and Rationalize

Studies have shown that consolidation of vendors and technologies significantly increases the effectiveness of solutions and significantly reduces operational costs. There are more than 1,600 security vendors in the US market alone, which has created a culture of purchasing best-of-breed technologies to fill perceived gaps in the architecture. Adding devices and technologies amplifies the skills gap and more often than not reduces the effectiveness of the security controls. On average, proactive operation of a device, irrespective of its function, requires about 6.4 hours of effort per month.

By identifying overlapping capabilities across technologies and eliminating redundant point solutions, an organization can often cover gaps in headcount through the savings on technologies that no longer need to be renewed and maintained, as well as through a reduced skills requirement.

Selecting a security platform that meets the control and monitoring requirements and can integrate with the rest of the corporate network and data center infrastructure has been shown to be significantly more efficient and cost-effective. The benefit of integration offsets the functional advantages of point products.

Managed detection is achieved through effective configuration of technologies that allows tighter controls and clear visibility into network and endpoint activity. Reducing the number of devices and technologies sending log data, by removing ineffective technologies and enriching the remaining data with business context, provides more accurate threat detection and fewer false positives, allowing analysts to investigate and hunt threats more effectively.

IT leaders also need to carefully balance the impact of incremental expenditures on risk reduction. For example, the volume of log data ingested by a SIEM (measured in terms of GB/Day or Events Per Second) drives software subscription fees and storage costs. By carefully selecting the type and quantity of log data and combining use case analytics, correlation rules, and threat intelligence, you can keep costs minimized while still ingesting data critical for threat detection.

Conclusions

Businesses have always struggled to determine the right budget for cybersecurity, and this is not likely to change. The COVID environment only increases and complicates this challenge.

Gartner’s revised forecast for growth in information security spending in 2020 went down from 8.7% to 2.4%. They stated, “The coronavirus pandemic is driving short-term demand in areas such as cloud adoption, remote worker technologies and cost saving measures.”

Boards and executive management are looking for CISOs to educate them on how to fund this critical function and for well-thought-out ideas to keep their organizations protected while maintaining a tight budget.

10 Ways to Address the Cyber Skills Gap

With all the layoffs and furloughs due to COVID-19, you may be wondering if the shortage of cyber professionals is still a problem. According to Gartner, the answer is yes. Citing the rise in COVID-19 themed cyberattacks, Gartner saw the demand for information security roles surge in February 2020.

Industry experts now count the global shortage of cybersecurity professionals in the millions. To hiring managers, this simply means good people are very hard to find and even harder to retain within their budget.


The labor shortage is complicated by the proliferation of roles that are needed to support a strong cybersecurity defense. For example, staffing a Security Operations Center (SOC) requires a team of security analysts, threat responders, security engineers, and SIEM content developers. Many organizations are not big enough to support full-time employees with such a narrow cybersecurity specialization. And when you add in the requirement to staff a 24/7 operation, the cost and time to build a team can become insurmountable.

Here are three areas where you can combat the staffing shortages in our industry.

Talent Sourcing

  1. Partner with Educational Institutes

Universities and technical colleges offer a range of cybersecurity courses and degree programs that may one day help shrink the skills gap. In the meantime, employers should identify local educational institutes and recruit students into intern and entry-level positions. Consider offering to be a guest presenter, hosting a tour of your company, or contacting the college’s student placement team to ask about hiring events.

  2. Hire More Women

Women only make up a quarter of the cyber workforce, but bring many desirable skills and unique perspectives to cybersecurity roles. Get involved in networking groups for women interested in cybersecurity and demonstrate to female candidates that your organization is an environment where they are valued and can achieve their career goals.

  3. Recruit Veterans

Veterans are accustomed to working in demanding environments, using advanced technology, and being trusted with confidential information. There are multiple opportunities for employers to support veterans’ groups that focus on cybersecurity training and to gain more visibility as a potential employer.

  4. Look for Adjacent Skills

Hiring managers like to find people who have experience in a role similar to the vacancy they are trying to fill. In a tight labor market, you can expand your candidate pool by recruiting based on skills rather than roles. For example, search for candidates with computer networking or ITSM skills who can be trained on the missing skillset.

Reduce the Need

  5. Automate

IT teams should look for opportunities to automate workflow and remediation tasks to create faster processes and reduce the workload. Security Orchestration, Automation and Response (SOAR) tools can increase productivity and reduce the need for incremental hiring.

  6. Train

Like automation strategies, effective training increases the productivity of your IT security team. Cybersecurity professionals are often focused on achieving certifications that increase their marketability but do not necessarily increase their productivity. Map your team’s skills gaps to key objectives and explore training courses that allow your team to optimize the tools you already have in place.

  7. Retain

Employee turnover has a negative impact on productivity and quality and is a significant time drain for hiring managers. Effective retention strategies include offering a career path, paying competitively, providing training, and offering the ability to work remotely.

Change the Dynamic

  8. Co-Managed/Outsourced Model

Many organizations do not have the scale or budget to hire a team of cyber professionals. Outsourcing this function to a managed security service provider (MSSP) taps into a pool of trained experts, allowing the client to leverage the MSSP’s investments in tools and benefit from their mature processes.

  9. Hire Remote Employees

COVID-19 has altered the expectations of working from home. Traditionally, companies required security staff to work in a secure physical location or Security Operations Center (SOC). While there are still advantages from team members collaborating from the same location, IT security managers are becoming more accepting of virtual collaboration. This shift provides more flexibility for those in the industry and will be a differentiator in combatting the cyber skills gap.

  10. Move SOC Location

The challenge of staffing and managing a 24/7 operation is non-trivial. Studies of human behavior show that productivity and effectiveness degrade during second and third shifts. Adopting a follow-the-sun model allows employees to work during local business hours, attracting higher quality and more experienced professionals who otherwise would not sacrifice their quality of life by working graveyard shifts. Moving a SOC can also take advantage of the availability of skilled labor in locations near universities or other big employers.

Reopening Safely – Cybersecurity Recommendations for Organizations Returning to the Office

According to the consulting firm McKinsey, organizations will need to navigate through the stages of Resolve, Resilience, Return, Reimagination, and Reform during the COVID-19 pandemic. Many organizations are now in the Return stage as they ask their employees to come back to their business locations.

The challenge for IT organizations is how to manage the transition through these stages as securely and effectively as possible. It is not as simple as flipping a switch, with business operations returning to the way they were before COVID. Successfully reopening will require advance planning, locking down networks, and avoiding the human errors often caused by a rushed implementation.

Industry experts expect COVID to accelerate digital transformation. From the supply chain, through manufacturing and on to customer engagement, businesses need solutions that are more adaptable, agile, and digitally enabled. For example, the digital transformation of the supply chain includes digitally connecting buyers with a network of partners, uploading design data, getting instant pricing, and performing design for manufacturing on the fly.

Digital transformation will require businesses to rearchitect their networks and applications, creating new cybersecurity challenges.

Protect Your Networks

Sales of notebooks rose dramatically in March and April of 2020 as office workers transitioned to teleworking. Whether permanently or following a staggered work schedule, many of these workers will be trading in these notebooks for their old desktop computers as they return to their traditional place of work. IT teams should proactively secure desktop PCs by applying security patches, updating endpoint security, and adjusting thresholds for desktop logs.

Unpatched vulnerabilities are a significant cause of avoidable data breaches. Patch management for Microsoft products alone is a major undertaking. On the second Tuesday of each month, known as Patch Tuesday, Microsoft releases security-related updates for Windows, Office, and related products; Microsoft issued 339 security patches in March, April, and May of 2020. When reviewing vulnerabilities, teams responsible for patching should assess not only the criticality of a vulnerability but also its exploitability. For example, Microsoft classifies CVE-2020-1054 as “Important” with a rating of “Exploitation More Likely”. According to Microsoft, an attacker who exploited this Win32k Elevation of Privilege Vulnerability could run arbitrary code in kernel mode and then install programs; view, change, or delete data; or create new accounts with full user rights.

Risk-Based Vulnerability Management (RBVM) tools help address the trade-off between criticality and exploitability. Asset discovery, continuous vulnerability scanning, risk indexing, and patch management are components of RBVM solutions. RBVM Managed Services take this a step further by offering experts that provide lifecycle vulnerability management services and make patching recommendations that factor in compensating controls, deployment challenges, and business continuity.

Review Remote Access Solutions and Policies

Chances are that your IT team has already had a trial-by-fire experience setting up remote access for a large number of employees as their organizations adopted a work-from-home policy. Now is a good time to re-evaluate your VPN capacity as the pendulum swings the other way.

Your approach to working from home will significantly affect your required VPN capacity. Some organizations are embracing teleworking on a long-term basis, while others see this as a temporary solution until there is a COVID-19 vaccine. Use a network performance monitoring tool to analyze usage of your VPN. If you do not have one, many good tools are available on a free trial basis. For example, products like PRTG can be used to monitor multiple VPN parameters including traffic, users, and applications.

PRTG VPN Monitoring

Through the process of rebaselining your capacity needs, you will determine if your existing VPN hardware and licensing are sufficient for your expected requirements. This is also a good time to consider rearchitecting your approach to remote access. Strategies include moving data and applications to the cloud and using products like Citrix Access Control. Moving away from traditional VPNs will likely add flexibility and scalability to your users and mission-critical applications. However, these benefits come at a price and often have longer implementation timelines than expected.

In addition to reviewing operational aspects of your VPN infrastructure, a reopening plan should revisit the policies that secure VPNs, including password policies, 2FA, and software updates. SOC teams or managed service providers should constantly monitor VPN activity for anomalous behavior. Easy-to-use dashboards should provide visibility into VPN user activity, geographic locations, and variations from expected thresholds. A better understanding of your VPN traffic and trends will improve your security posture by reducing the effort required to properly analyze alerts. Event notifications will drive security analyst investigations and remediation steps.

Questions to consider:

  • How many employees are just doing what works and bypassing security controls to get things done?
  • Is it normal for your organization to have successful remote VPN logins from resources outside the country?
  • Did your organization need to “relax” any security or compliance policies to enable employees to use RTP (Real-time Transport Protocol), used in live video streaming services like Zoom, WebEx or others?
  • How many different RTP applications are running on these hosts and are they configured to meet your organization’s security and compliance strategy?

Network Access Control (NAC) solutions add to your remote access security program by controlling user and device access to the corporate infrastructure. The case for NAC deployment is stronger in an environment where employees are switching between office and home locations and BYOD and IoT devices are being connected to the network. Examples of NAC vendors are Forescout, HPE-Aruba, and Portnox.

To further leverage your NAC investments, ask your SOC or MDR Service provider to build correlation rules with endpoint security software, and then automate the containment of infected devices on your network.

Assess COVID’s Impact on Scoping New and Upcoming Projects

Many information security teams planned to build out new capabilities or implement new security controls this year. Underlying these plans were assumptions on the cost and resources required for these projects.

The COVID pandemic should cause planners to look carefully at their assumptions. For example, projects to deploy new SIEM (Security Information and Event Management) software or to centralize log management need to be scoped with more than a snapshot of current traffic. With people out of the office and certain on-premise systems and controls operating at low usage, the amount of storage required (usually measured in gigabytes per day or events per second) might be artificially low compared to when the office reopens.

Estimating staffing levels for security operations during COVID has similar challenges. For many organizations, the number of security alerts processed by a security operations team is directly correlated with user activity. Users click on suspicious links, access suspicious websites, attempt to install suspicious software, and perform other activities that result in work for security analysts to investigate. As a result of COVID, many organizations were forced to furlough workers. Additionally, remote users may not be going through certain on-premise controls such as web filters and firewalls. As a result, the alerts the security operations team is processing might be artificially low compared to activity levels when offices reopen.

To combat the risk of under-scoping resources for these projects, assess activity levels for pre-COVID periods, such as January and February of 2020. Businesses are being affected by COVID in different ways, and management teams are rethinking their go-forward operational models. We suggest getting a range of inputs to properly scope the requirements for new security products and services.

Accelerate Transition to the Cloud

Workloads were increasingly being migrated to the cloud before COVID. Post-COVID, the adoption of cloud computing will likely speed up as companies deal with uncertainty and value the ability to flexibly scale up and down capacity. Businesses are also reviewing their reliance on physical data centers because of safety concerns related to site visits during the COVID pandemic.

When formulating a cloud security strategy, IT leadership will need to weigh the risks against the benefit of increased agility. According to Gartner’s predictions around the cloud, through 2025, 90% of the organizations that fail to control public cloud use will inappropriately share sensitive data, and 99% of cloud security failures will be the customer’s fault.

In the “2019 Data Breach Investigations Report” (DBIR), errors were found to be one of the top causes of data breaches. Errors that have resulted in misconfigurations of cloud infrastructures are increasingly cited as the cause of the loss of sensitive data. Examples of such misconfigurations include:

  • Data encryption not turned on
  • Access to resources not provisioned using IAM roles
  • VPC Flow logs being disabled
  • Publicly exposed cloud resources

In the case of Capital One, 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, 80,000 bank account numbers, and an undisclosed amount of other customer personal information were disclosed due to a misconfigured web application firewall.

The first steps to minimizing misconfigurations in the cloud are training your security teams to understand cloud infrastructure and documenting and auditing processes. Next, use cloud-native security tools that allow you to monitor your networks for suspicious activity such as a malicious actor abusing a set of compromised credentials, moving laterally across the cloud environment, or attempting to exfiltrate information. For many organizations, it is more practical to outsource the responsibility of configuring and monitoring cloud infrastructures to outside experts or a Managed Security Service Provider (MSSP).

Conventional wisdom has been that users of cloud computing must realize their responsibility for security and not overly rely upon providers who are primarily concerned with securing their platform vs everything their customers build and store within it. While cloud providers have considerably improved their security, data and applications hosted in a cloud infrastructure require the same security programs used for on-premise networks. In this shared responsibility model, event logs must be collected, analyzed and monitored; traffic in and out of virtual networks must be inspected and protected by virtual NGFWs and WAFs; and hosts must be scanned for vulnerabilities.

Today, the three cloud providers that dominate the market are AWS, Azure, and Google. As an enterprise grows its cloud infrastructure, it is likely to consider a multicloud approach. The idea is that using more than one vendor reduces dependency and gives the customer more leverage. Organizations selecting an MSSP to monitor their cloud infrastructure should check whether the prospective provider can support all three of these players in case the organization decides to follow a multicloud strategy.

Post-COVID Threat Landscape

Cybersecurity teams should always be anticipating new threats and new threat actors and be prepared to detect and respond to damaging attacks.

We recommend reminding your employees that phishing campaigns continue to be a successful tool for attackers, who attempt to entice email recipients to click on embedded links that download malicious programs or open nefarious websites. These phishing emails will prey on anxieties regarding the spread and impact of the COVID-19 pandemic. Attackers are fully aware of the social status of this worldwide pandemic and will craft emails with the intent of eliciting an emotional response.

Attackers are seeking to harvest verified credentials. If an employee does click on a malicious link but closes the web browser before any download can begin, the attacker still has confirmation that the email account is legitimate, which will result in more targeted phishing emails. Credential gathering and phishing emails are ongoing security challenges for organizations trying to maintain their security posture. To get ahead of this threat, organizations might consider an organization-wide password reset as well as multi-factor authentication.

While the themes used in cyberattacks are changing, it does not appear that the actors behind these attacks or the attack vectors have changed. Enterprises must maintain heightened vigilance for malware, ransomware, and phishing attacks, but that is not new. Endpoint security tools must be fit for purpose and kept updated. Implementing security tools is only half the battle; they need to be correctly configured and monitored, and their alerts investigated. Where internal teams lack the expertise or time for these functions, a managed endpoint detection and response service provider can fill the gap. Finally, the need for employee security awareness and training can never be overstated.

Increased Risk of Insider Threats

Unfortunately, many organizations are being forced to furlough or lay off employees as a result of the impact of COVID on their business. Disgruntled employees are more likely to steal data or credentials to retaliate against perceived grievances. According to research from Gartner, “seeking harm and revenge on employers is a bigger incentive for insider threats than is stealing money.”

Passwords are the first line of defense against insider threats. Organizations must immediately change passwords, close accounts, and remove access to shared resources when an employee leaves. Your company will be liable for the confidentiality of your partners’ information, so it is equally important to inform third parties and vendors that may have provided the employee with access. This risk is enhanced where your company has signed a covered entity or business associate agreement.

Ensure departing employees have up to date paperwork protecting confidentiality and inventions, return corporate devices, and do not have company data on personal devices.

Depending on your organization’s security controls and collection of event logs, user activity can be an indicator of insider behavior. Examples of detections that can be built from these logs, either as correlation rules or as investigations of anomalous behavior, include:

  • Detect the first time a USB drive is plugged in
  • Detect data exfiltration by monitoring DNS activity for total bytes transferred
  • Detect unauthorized access attempts to sensitive systems
  • Detect activity from expired user accounts
  • Detect credential sharing for your privileged accounts by correlating account logins from disparate locations
  • Detect download events from SaaS applications like Salesforce.com for indicators of data exfiltration

Be Prepared for the Short Term and Long Term

No one knows with certainty what the new normal for business will be. Questions such as when workers will return to their physical offices, what percentage of the workforce will return to physical offices, and whether businesses will move certain functions to permanent remote roles are all hard to predict.

In the short term, we can expect issues with technology and existing information security procedures. For example, furloughed employees may not have their access properly shut off, their phones may still be configured to check email, their accounts might still be enabled for certain systems, or they may still have access to certain physical assets. As a result, Windows accounts will expire without password updates, causing spikes in failed authentications on an organization’s domain.

Over the long term, information security programs should be evaluated based on their ability to provide visibility to threats and their efficiency in meeting operational requirements.

Expect gaps in visibility for organizations switching to a work-from-home model without an architecture set up to route internet traffic from work machines through a web filter product. Employees can access phishing sites or competitor websites, or use their machines for non-work-related activity, because the organization has no visibility into this layer of network traffic and no ability to log network and endpoint telemetry to a central location.

Businesses that are not experienced with remote workers will need to create new processes to ensure their employees can work efficiently. For example, if a machine is suspected to be compromised, how will the organization perform remote forensics if they do not have a detailed cloud-based EDR product logging significant endpoint telemetry? Additionally, if the employee’s machine is compromised, do you stop that employee from working and ship a replacement laptop to the employee? As a result, the employee can do nothing while the new machine is being delivered. For some businesses, this is nothing new, but for others these changes will require some level of effort to smooth over.

Get Ahead of Upcoming Audit Inquiries

Part of reopening is preparing to meet compliance standards and undergo security audits.

Security audits have become a common feature of almost every industry. Preparation and planning reduce the disruption of an audit and increase the likelihood of a successful result. Companies that take a checkbox approach to meeting compliance standards can fail to adequately assess the cybersecurity risks to their organization.

Preparing for an audit should start with a review of the latest changes to compliance standards. Risk and security teams should compile and update key documents that describe the organization’s security policies. These should include a list of technical controls and safeguards, password and user account policies, configuration management, patching, incident response plan, and backup and disaster recovery.

Conclusion

The COVID pandemic is placing enormous stress on individuals and organizations. Those responsible for enterprise security operations and risk management are being challenged to respond to more change and uncertainty than ever before.

In this environment, it is key that IT leadership aligns its operational objectives with the organization’s strategic goals. IT teams must be agile and deliver value while ensuring the integrity of day-to-day operations. At Proficio, we address these same challenges by partnering with our clients, empowering our team of security experts, and creating innovative solutions to real-world problems.

By:
Bryan Borra, Director of Security Engineering, Proficio
Paul Fletcher, Security Advisor, Proficio 

Not All Partnerships are Equal

As Henry Ford once said, “Coming together is the beginning. Keeping together is progress. Working together is success.” While many people have an understanding of how partnerships work in their day-to-day lives, defining a true partnership in a business relationship can be more challenging. In the field of cybersecurity, finding a “true partner” means you share the risk and both strive to improve your security posture.

A True Partner

A true partnership works best when both groups share the risk, agree on the end goals, have open lines of communication and build their relationship on mutual trust and respect. Companies that embrace such partnering behaviors believe in creating mutually beneficial relationships that bring value to both parties.

Partnerships come in many shapes and sizes. There can be partnerships between vendors, where they provide complementary products or services that are further enhanced by working together. There can also be strategic relationships developed between provider and client, where they view the relationship as more than just a business transaction.

Your partners should also be building strong relationships within the technology sector. Knowing that they not only use best-in-class technologies but that they have good working relationships with those vendors means that you can maximize your technology investments. A good partner should not only be able to help you to optimize the technologies you already have in place, but also make recommendations for policy and infrastructure to ensure you reduce your risk and meet any compliance requirements.

Finding Your Partner

When you are on a team, you have certain expectations of your teammates and hope you can rely on them in critical situations. However, a lot of organizations do not have the in-house resources to staff an effective cybersecurity operation. Understanding the economics and potential cost savings of using a managed service provider is an important part of any decision to outsource security operations.

In cybersecurity, you should look for partners who act as an extension of your team. They do not just care about selling you their latest tool or services – they sincerely care about the security and safety of your company. They should have a programmatic view on cybersecurity and take your concerns seriously. Equally important is the culture of the organization with whom you choose to partner. Do they share similar values, and can you trust that they will view your security as important as you do?

Throughout the relationship, a partner should have the skills and resources to respond to security incidents and help guide your overall cybersecurity journey. And while relationships in cybersecurity may not last forever, the need for true cybersecurity partners will never change. The current environment of COVID-19 only reminds us how businesses can be disrupted when they least expect it. And with the shortage of skilled cybersecurity professionals, choosing your partners has never been more critical.

Narrowing The Search

Once you decide what you’re looking for, how do you find someone who checks all the boxes? Many may sell you on ideals but it’s crucial they also follow through with what they sell. When looking for the right partner for your cybersecurity needs, you should ask critical questions to make sure you’re making an educated choice.

Things to look for include:

  • How do their SLAs compare to other vendors?
  • Do they provide transparency and trackable metrics?
  • Do you receive insight into your cyber risk and recommendations for improvement?
  • Will they create custom content?
  • What is their long-term focus?
  • Are they industry recognized?
  • How available is their team?
  • Do you have similar preferred methods of communication?
  • Can you visualize the value they would bring to your team?

Selecting a partner who shares the risk will give you confidence that you are building a more secure organization. As your partner helps you mature your cybersecurity program, you should see a measurable change throughout the partnership and be able to track metrics over time.

Once you’ve found the right partner, you will be enabled for success not only tomorrow but for the long-term future.

So – what do your current partnerships look like?

Preparing for Tomorrow: Cybersecurity in a Remote World

This article originally appeared in InfoSecurity Magazine

The world is adjusting to a new reality. While working from home may be the norm for many tech companies, organizations of all shapes and sizes are now faced with the unique challenges that come from remote employees, trying to navigate how to secure their networks in an uncertain world.

Today, they are concerned with keeping the employees – and company – safe and connected, but as the days become weeks, and weeks are certain to become months, they also have to start considering their future plans.

A lot of people are wondering what their jobs will look like after the dust of COVID-19 settles, and it’s a good question. A friend recently mentioned…

Cybersecurity in the World of COVID-19

People around the world are grappling with the new reality of COVID-19 which is drastically changing the way organizations do business. From protecting employee and customer health to maintaining operational and economic resilience, we are challenged with finding ways to keep business running smoothly – and safely – in this new normal.

For IT leaders looking for ways to reduce their cybersecurity risk, we recommend focusing on three key areas: working from home, opportunistic attacks, and operational disruptions. Here are some recommendations on how to get through this difficult period:

Working from Home

To encourage social distancing and help employees struggling with recent school closures, many organizations have their employees working from home. While this may be a temporary measure, industry analysts have suggested that COVID-19 may be the inflection point in a greater acceptance of remote working.

Proficio recommends the following cybersecurity best practices for teleworkers:

  1. VPN Connectivity: Strengthen VPN security by reviewing password controls, adopting two-factor authentication and strong encryption, and monitoring VPN access by user and geolocation, with attention to deviations from each user’s baseline home VPN location.
  2. Monitor Activity: Increase active monitoring of VPN and Office 365 activity logs in your Security Operations Center, enable new VPN user reporting (if you do not have active reports or dashboards) and at minimum, review them daily.
  3. Secure Endpoints: Apply and update effective endpoint security software and use endpoint detection and response techniques to protect remote users from account compromises and device infection. If you lack in-house resources for managed response to endpoint compromises, we recommend contracting with an MDR service provider.
  4. Educate: Remind your users of best practices for working from home, including backing up data, using secure WiFi and home routers, and monitoring the use of Remote Desktop Protocol (RDP). It is also key to remind them of the increased volume and sophistication of phishing attacks, so they stay alert and on the lookout for COVID-19 scams.
  5. Cloud Safety: The use of cloud-based infrastructure and applications is growing rapidly, and with the increase in teleworking, the use of the cloud will further accelerate. Organizations should implement use cases to help monitor cloud-based applications for anomalous user behavior and review their procedures for configuring and securing virtual servers.

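The VPN monitoring recommendations above and the insider-threat detections listed earlier (credential sharing across disparate locations, activity from disabled accounts) can be expressed as correlation logic over VPN authentication events. The following Python script is an added example, not Proficio's code or the output of any product named on the page: it builds a per-user baseline of login countries, then flags new VPN users, logins outside a user's baseline, a privileged account used from two countries within an hour, and any activity from furloughed accounts. The log format, account names, and the privileged/disabled account lists are assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication events (not real data):
# "<ISO-8601 UTC timestamp> <user> <source country> <result>"
SAMPLE_LOG = """\
2020-06-01T08:02:11Z alice SG success
2020-06-01T08:05:42Z bob SG success
2020-06-01T09:15:00Z carol US success
2020-06-02T08:01:55Z alice SG success
2020-06-02T08:04:10Z bob SG success
2020-06-02T09:20:31Z carol US success
2020-06-03T08:00:30Z alice SG success
2020-06-03T08:06:20Z bob SG success
2020-06-03T08:30:00Z bob RU success
2020-06-03T09:00:00Z erin DE success
2020-06-03T09:10:00Z carol US success
2020-06-03T10:00:00Z frank SG failure
2020-06-03T10:01:00Z frank SG failure
"""

# Hypothetical context a SOC keeps alongside the SIEM (assumed for the example):
PRIVILEGED = {"bob"}                  # accounts with administrative rights
DISABLED = {"frank"}                  # furloughed or departed employees
BASELINE_END = datetime(2020, 6, 3)   # events before this date form the baseline
SHARING_WINDOW = timedelta(hours=1)   # two countries within this window -> shared credential


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "country": country,
            "result": result,
        })
    return events


def build_baseline(events, end):
    """Map each user to the set of countries they successfully logged in from before `end`."""
    baseline = defaultdict(set)
    for e in events:
        if e["ts"] < end and e["result"] == "success":
            baseline[e["user"]].add(e["country"])
    return dict(baseline)


def detect(events, baseline, privileged, disabled, start, window):
    """Run the four detections over events at or after `start`; return findings in time order."""
    findings = []
    disabled_hits = defaultdict(int)
    logins = defaultdict(list)   # user -> events already seen in the detection period

    for e in sorted((ev for ev in events if ev["ts"] >= start), key=lambda ev: ev["ts"]):
        user = e["user"]
        # Any event from an offboarded account is worth an investigation, success or failure.
        if user in disabled:
            disabled_hits[user] += 1
            continue
        # A user with no baseline is a new VPN user; report once, then skip location rules.
        if user not in baseline:
            if user not in logins:
                findings.append({"rule": "new_vpn_user", "user": user, "detail": e["country"]})
            logins[user].append(e)
            continue
        if e["result"] != "success":
            continue
        # Successful login from a country this user has never used before.
        if e["country"] not in baseline[user]:
            findings.append({"rule": "location_anomaly", "user": user, "detail": e["country"]})
        # Privileged account active from two different countries inside the window.
        if user in privileged:
            for prior in logins[user]:
                if prior["country"] != e["country"] and e["ts"] - prior["ts"] <= window:
                    findings.append({"rule": "credential_sharing", "user": user,
                                     "detail": f"{prior['country']}->{e['country']}"})
                    break
        logins[user].append(e)

    for user, n in disabled_hits.items():
        findings.append({"rule": "disabled_account_activity", "user": user, "detail": f"{n} events"})
    return findings


def run_sample():
    """Apply the detections to the constructed log and return the findings."""
    events = parse_log(SAMPLE_LOG)
    baseline = build_baseline(events, BASELINE_END)
    return detect(events, baseline, PRIVILEGED, DISABLED, BASELINE_END, SHARING_WINDOW)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['rule']:26} {f['user']:8} {f['detail']}")
```

In a SIEM the same logic maps to a baseline lookup table plus three correlation rules and one watchlist, and the review cadence the post recommends (at minimum daily) sets how often the baseline is rebuilt.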
Opportunistic Attacks and Active Defense Mitigation

Cybercriminals are already exploiting people’s anxiety around COVID-19. For example, phishing emails purporting to be sent by the World Health Organization and the CDC contain new “information” about the virus, or claim to be from charitable organizations raising money for victims.

According to researchers at Proofpoint, phishing attacks involving emails that contain Microsoft Office document attachments are being used to lure victims and exploit a Microsoft Office vulnerability. In parallel with this type of activity, there has been a surge in the number of registered COVID-19-related domains and malicious applications, promising to track the virus.

In this environment, Proficio recommends the following:

  1. Caution users to be ultra-vigilant and on the lookout for scams, phishing attacks, and social engineering tactics that take advantage of the current situation. Use trusted sites, such as CISA, for guidance and information.
  2. Tailor multi-layer protections on email, infrastructure, systems and applications to detect malware, spam, and domains that pertain to “corona”, “virus”, “COVID”, “infection”, and related terms.
  3. Enrich and correlate log data with new sources of threat intelligence from government agencies, broadcast and social media, and local websites.
  4. Monitor security events on a 24/7 basis and use a framework like MITRE ATT&CK to more comprehensively understand and respond to threats.
  5. For quicker action, automate containment actions to respond to attacks at the perimeter, endpoint, and cloud. Ask your service provider for SOAR-as-a-Service.
  6. Regularly scan for vulnerabilities and adopt a risk-based vulnerability management approach to more effectively patch assets with real and exploitable vulnerabilities.
  7. Continuously monitor your organization’s security posture. Build real-time dashboards that show trends in attack volumes and methods to pinpoint gaps in security.
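
As an added example of items 2 and 3 (detecting pandemic-themed domains and enriching log data with threat intelligence), the Python below is not code from the original post or from Proficio. It scans constructed DNS resolver log lines, matches the recommended keywords against domain labels after undoing common digit-for-letter substitutions, and enriches each hit with constructed registration dates and a constructed intel feed; the log format, the domains, the substitution table, the allowlist and the 30-day "newly registered" threshold are all assumptions.

```python
"""Added example (not Proficio's code): flag pandemic-themed and lookalike domains
in constructed DNS query logs and enrich hits with constructed WHOIS/intel data."""
import re
from datetime import date

# Keywords from the post's recommendation, plus a few closely related terms.
THEME_KEYWORDS = ("corona", "covid", "virus", "infection", "pandemic", "vaccine")

# Digit/symbol substitutions that defeat naive keyword filters (assumed, not exhaustive).
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a"})

# Domains that legitimately match the keywords; maintained by the SOC (assumed).
ALLOWLIST = {"who.int", "cdc.gov"}

# Constructed DNS resolver log lines: "<date> <client-ip> query <qname>"
SAMPLE_DNS = """\
2020-03-18 10.0.0.12 query www.who.int
2020-03-18 10.0.0.12 query covid19-tracker-map.example
2020-03-18 10.0.0.31 query c0r0navirus-update.example
2020-03-18 10.0.0.44 query intranet.corp.example
2020-03-18 10.0.0.51 query secure-relief-fund.example
"""

# Constructed enrichment data standing in for a WHOIS lookup and a threat-intel feed.
REGISTRATION_DATES = {
    "covid19-tracker-map.example": "2020-03-14",
    "c0r0navirus-update.example": "2020-03-17",
    "corp.example": "2005-06-01",
}
INTEL_FEED = {"secure-relief-fund.example": "charity-scam (constructed feed entry)"}
NEW_DOMAIN_DAYS = 30

LINE_RE = re.compile(r"^(?P<day>\S+) (?P<client>\S+) query (?P<qname>\S+)$")


def registrable_domain(qname):
    """Crude registrable-domain cut: last two labels. A real deployment would use
    the Public Suffix List so that e.g. 'example.co.uk' is handled correctly."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(qname):
    """Lowercase, undo common digit-for-letter substitutions, drop separators, and
    ignore the TLD so keyword matching sees one contiguous string of labels."""
    labels = qname.lower().rstrip(".").split(".")[:-1]
    return "".join(labels).translate(SUBSTITUTIONS).replace("-", "").replace("_", "")


def themed_keywords(qname):
    text = normalize(qname)
    return [kw for kw in THEME_KEYWORDS if kw in text]


def domain_age_days(domain, today):
    registered = REGISTRATION_DATES.get(domain)
    if registered is None:
        return None  # unknown age: treat as no evidence either way
    return (date.fromisoformat(today) - date.fromisoformat(registered)).days


def assess(qname, today):
    """Return a finding dict for qname, or None if nothing is suspicious."""
    domain = registrable_domain(qname)
    if domain in ALLOWLIST:
        return None
    age = domain_age_days(domain, today)
    finding = {
        "domain": domain,
        "keywords": themed_keywords(qname),
        "newly_registered": age is not None and age <= NEW_DOMAIN_DAYS,
        "intel": INTEL_FEED.get(domain),
    }
    if finding["keywords"] or finding["newly_registered"] or finding["intel"]:
        return finding
    return None


def scan(log_text, today):
    """Run assess() over every well-formed log line; one finding per hit, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        finding = assess(m.group("qname"), today)
        if finding:
            finding["client"] = m.group("client")
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_DNS, "2020-03-18"):
        print(f)
```

The point of combining the three signals is that a keyword alone produces noise (every legitimate health site matches), while a keyword on a domain registered days ago, or a domain already in a feed, is worth an analyst's time. The substitution table is what catches "c0r0navirus", which a plain substring filter would miss.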

Risk of Operational Disruptions

The impact of employee sick leave or quarantining could undermine an organization’s operational readiness and reduce the capability of IT teams to respond to attacks. Even if your team is not seriously affected, there is a risk that they will be distracted with unplanned tasks such as supporting remote workers or adjusting to new family schedules. Similarly, in the world of COVID-19, it is also likely that your vendors may be disrupted or less responsive.

To minimize this impact, Proficio recommends:

  1. Review your business continuity plan and be prepared to implement it.
  2. Understand your vendors’ preparedness and plans. If you rely on outsourced 24/7 monitoring or support, find out whether your service provider operates from a single SOC location, as this adds risk in the event of a localized virus hot spot.
  3. Implement cross-training, if this is not already in place.
  4. Check that your list of vendor contacts and their back-ups are available, especially in the case you have limited named support contacts.
  5. Adopt best practices to reduce the risk of contagion, including social distancing, working from home and reduced travel.

We hope you all find yourselves safe in this time of uncertainty, but please feel free to reach out to us if you need help in any way.

Focus on the Big Rocks

I travel 200,000 miles a year, talking to CIOs and CISOs all over the world. While I encounter a wide range of issues relating to the security posture and maturity of these organizations, the one theme that resonates with them all is a conversation around focusing on the “big rocks”.

Too often, the people responsible for cybersecurity get mired in a discussion about all the ways an attacker can potentially get data from your company. We can get trapped in a daily tactical battle to scour through false alarms or resolve the compromises of a user device or their credentials. The problem is that we are not able to see the whole forest through all the trees.

Senior managers are often recognized for their ability to see the big picture and focus on the big rocks.

So, what are these big rocks?

  1. The Map: It may seem straight-forward, but many companies that have extensive applications, data, and devices do not have a map of their business-critical assets, zones, or users. Being able to locate, categorize, and prioritize your assets is a first step to defining risk, and implementing defense in depth, threat monitoring, and threat response.

    [Figure: NIST Framework]

    The NIST Framework prescribes a set of activities that help companies to achieve cybersecurity outcomes.

  2. The Holes: If you have a leaky boat, the priority is patching the holes that are letting in the most water. The same goes for cybersecurity. Although this seems simple, most companies are not applying a risk-based approach to vulnerability management and patching the systems that are most critical, exposed, and exploitable. You should also perform a gap analysis of your security controls aligned to your map of assets and compared with security best practices defined in any number of frameworks or regulations – then fill the big gaps first.
  3. Top-Level View: It is amazing how clear your security posture can be if you have the right level of visibility. If you are in the trees, focusing on the small rocks, it is hard to see the best path forward, and planting more trees before you have a good view will only compound the problem. For cybersecurity effectiveness, organizations should first acquire good threat visibility by collecting enriched log and threat data, and then apply active monitoring and actionable alerting combined with orchestrated and automated threat response. This approach is called Managed Detection and Response. Understanding your high-level security posture and relative risk also requires continuous business intelligence for IT security. Ask your team or managed security services partner for a comprehensive dashboard providing this visibility.
  4. The Plan: Have a plan for success and work through your plan. Too often, we think that if we ignore the noise it will go away, or we are caught in the trap of playing whack-a-mole for every compromise without figuring out how to keep the mole out of your yard. Success arrives when you tune your visibility to actionable threats, use your map, patch the right holes, and look at the forest from a high-level view. Only when the noise is reduced and vision focused are you equipped to implement a comprehensive response plan. Such a plan will include detection of the threat, acknowledgment and triage of next steps, and containment and resolution of the immediate threat to your business. You must fully remediate the cause of the threat, so it does not reoccur. Lastly, your plan should include measuring your security posture and response lifecycle, and always be making improvements.
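
As an added example covering item 2 above ("The Holes") together with the earlier recommendation to adopt a risk-based vulnerability management approach, and building on the asset map from item 1, the Python below is not Proficio's code. It ranks scanner findings by business risk rather than by CVSS alone, using the asset's criticality and exposure and whether a public exploit exists, and it reports assets the scanner found that the map does not know about. The asset names, zones, vulnerability identifiers (placeholders, not real CVE numbers), CVSS values and weighting factors are constructed for illustration.

```python
"""Added example (not Proficio's code): rank vulnerability findings by business risk
using an asset map (criticality, zone, exposure) plus exploitability, so patching
effort goes to the most critical, exposed and exploitable systems first."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str              # e.g. "dmz", "internal", "cloud"
    criticality: int       # 1 (low) .. 5 (business-critical), set by the asset owner
    internet_exposed: bool


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str           # placeholder identifiers, not real CVE numbers
    cvss: float            # base score 0.0 .. 10.0
    exploit_public: bool   # a working exploit is publicly known
    patch_available: bool


# Constructed asset map ("The Map").
ASSETS = {a.name: a for a in [
    Asset("web-portal", "dmz", 5, True),
    Asset("vpn-gw", "dmz", 4, True),
    Asset("hr-db", "internal", 5, False),
    Asset("dev-wiki", "internal", 2, False),
]}

# Constructed scanner output ("The Holes"); printer-7 is deliberately not in the map.
FINDINGS = [
    Finding("web-portal", "VULN-0001", 7.5, True, True),
    Finding("hr-db", "VULN-0002", 9.8, False, True),
    Finding("dev-wiki", "VULN-0003", 9.8, True, True),
    Finding("vpn-gw", "VULN-0004", 6.5, True, True),
    Finding("printer-7", "VULN-0005", 5.0, False, False),
]

# Weights are assumptions for illustration; a real program would tune them and
# usually add threat-intel signals such as active exploitation in the wild.
EXPOSED_MULTIPLIER = 1.5
EXPLOIT_MULTIPLIER = 2.0


def risk_score(finding, asset):
    """Severity scaled by how much the business depends on the asset, then by
    whether an attacker can reach it and whether they have a ready exploit."""
    score = finding.cvss * asset.criticality
    if asset.internet_exposed:
        score *= EXPOSED_MULTIPLIER
    if finding.exploit_public:
        score *= EXPLOIT_MULTIPLIER
    return round(score, 1)


def prioritize(findings, assets):
    """Return (ranked, unmapped): ranked is a list of (score, finding, asset) sorted
    by descending risk; unmapped lists assets the scanner saw but the map lacks,
    which is itself a gap to close before the risk ranking can be trusted."""
    ranked, unmapped = [], set()
    for f in findings:
        asset = assets.get(f.asset)
        if asset is None:
            unmapped.add(f.asset)
            continue
        ranked.append((risk_score(f, asset), f, asset))
    ranked.sort(key=lambda t: (-t[0], t[1].vuln_id))
    return ranked, sorted(unmapped)


def patch_queue(findings, assets):
    """Vulnerability ids in the order to patch, skipping findings with no patch
    (those need a compensating control instead)."""
    ranked, _ = prioritize(findings, assets)
    return [f.vuln_id for _, f, _ in ranked if f.patch_available]


if __name__ == "__main__":
    ranked, unmapped = prioritize(FINDINGS, ASSETS)
    for score, f, a in ranked:
        print(f"{score:6.1f}  {f.vuln_id}  {a.name:<11} zone={a.zone:<8} "
              f"cvss={f.cvss} exploit={f.exploit_public}")
    print("unmapped assets:", unmapped)
```

With these inputs the 6.5 on the internet-facing VPN gateway with a public exploit outranks the 9.8 on the internal HR database, and the 9.8 on the low-criticality dev wiki comes last; that reordering is the whole point of patching "the holes that are letting in the most water" rather than working down a CVSS list. The unmapped printer is reported separately because no risk score can be computed for an asset nobody has categorized.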

My recommendation to cybersecurity leaders is to write down your “big rock” objectives and list the key outcomes needed to accomplish them. Your teams will appreciate the clarity of vision and join in your mission to reach these goals on your combined journey.

For more detail on how we help executives achieve their cybersecurity objectives, please feel free to contact us at info@proficio.com.

 

By Brad Taylor | CEO | Proficio