It may surprise you to learn that individuals under the age of 30, often referred to as “digital natives”, are less likely to adopt cybersecurity best practice than those over the age of 30 with “acquired digital DNA”. That’s according to a recent report commissioned by NTT that involved 2,256 organizations in 17 sectors across 20 countries. For security professionals, the good news is that all that work raising awareness for cybersecurity and educating employees has paid off. The bad news is our challenges are mounting. Researchers found that younger people entering the workforce expect to use more of their own applications and devices while believing the responsibility for security rests solely with their employer.
This digital native disconnect from cybersecurity best practice suggests the weakest link in security will continue to be the human element. All threat actors need is one vulnerable device or application and a careless individual, to wreak havoc. When every user has multiple devices, many of which are outside of the purview of corporate IT, the problem grows exponentially. Which is why detection and response will continue to rule the day for security operations.
Now, more than ever, it isn’t a matter of if, but when and how we’ll be attacked. Security teams need the ability to understand threats, hunt for threats and use automation effectively (and responsibly).
Understanding threats requires a platform that aggregates and normalizes data from disparate sources – the multiple internal systems (for example from your security information and event management (SIEM) system, log management repository, case management systems and security infrastructure) and their events and associated indicators, along with the many external threat feeds you subscribe to. Combining your internal and external data provides the context to understand the who, what, where, when, why and how of an attack. Then you can prioritize data based on relevance to your environment and understand what to work on first and the right actions to take.
Being proactive through threat hunting is important too. When a threat actor targets an employee and their device of choice to infiltrate your organization, you’ll start to observe suspicious behavior in your environment. Analysts need to be able to pivot to the adversary and external sources to learn more about associated indicators, and then hunt for and find additional indicators in your environment. They must be able to conduct investigations collaboratively to search for and compare indicators across your infrastructure and find matches between high-risk indicators and internal log data that suggest possible connections. Teams must work together to explore every corner of the organization to pinpoint adversary tactics, techniques and procedures (TTPs) and find the malicious activity for total remediation.
Automation is essential to keep up with an attack vector that is growing exponentially. But you need the right balance with human intelligence. Since you’ve laid the proper groundwork – understanding the threat and working collaboratively to find malicious activity – you can apply automation at the end of the security lifecycle with greater confidence and reliability. Automatically updating your sensor grid with the latest intelligence strengthens defenses by orders of magnitude and frees up the team to move on to the next high-priority activity.
All this said, I don’t mean to imply that we should forgo education. To the contrary. We need to redouble our efforts. After all, acquired knowledge is why people over 30 are more likely to adopt cybersecurity best practice. Education works and will help under 30s understand why the IT and security departments can’t go it alone. According to SANS, focus training to address the top three human risks: phishing/social engineering attacks, passwords and accidents due to lack of awareness and technology complexity. To truly change behavior, SANS advises going beyond annual computer-based training and continuously train and reinforce key concepts year-round through additional methods, including guest speakers, ambassador programs, games, infographics and newsletters.
This is the time of year for prediction articles, which I don’t necessarily believe are useful. But there are two things I feel certain about as we look to the future: 1) the weakest link is here to stay and 2) we have many, proven tools and approaches to help us compensate.
