Despite increased investments in preventive security measures, many organizations are losing the war against cyber criminals.
The data breaches at Target, Home Depot, Staples, Michaels, Kmart, eBay, Anthem, and Sony Pictures Entertainment, were just the tip of the iceberg.
New methodologies developed by the National Institute of Standards and Technology (NIST) and other industry standards bodies (e.g., the Payment Card Industry) are being implemented by many organizations, but best practices for addressing cyber security threats remain vague. At the same time, board members are demanding quantitative risk data that spans all business operations, while business units need to neutralize the impact of cyber-attacks. So what can be done to minimize cyber security threats?
As news of more data breaches and third-party originated cyber-attacks make the news, businesses and regulators alike are sharpening their focus on how to report on and mitigate these risks. According to Gartner, worldwide spending on information security will reach $76.9 billion in 2015, an increase of 8.2 percent over 2014, it appears. However, at the same time we’re seeing an increase in security incidents, which are raising doubts about the effectiveness of these investments. A PwC survey (Managing Cyber Risk in an Interconnected World, PwC, 2015) of 9,700 companies found that they had detected nearly 43 million security incidents in 2014, a compound annual growth rate of 66 percent since 2009.
It’s clear that the dynamics of the threat landscape have changed, and that organizations need to respond accordingly. An effective starting point is to focus on the four essential building blocks of any cyber threat defense strategy, namely:
1. Continuous Monitoring
Most organizations rely on best-of-bread, silo-based tools (e.g., fraud and data loss prevention, vulnerability management, or SIEM) to gather security data. This creates an endless high volume, high velocity, and complex stream of data feeds that must be analyzed, normalized, and prioritized. Unfortunately, relying on manual processes to comb through mountains of logs is one of the main reasons that critical issues are not being addressed in a timely fashion.
Implementing continuous monitoring as propagated by NIST only adds to the big security data conundrum, as an increase in frequency of scans and reporting exponentially increases the data volume. Big data sets can definitely assist in putting specific behavior into context, but there are some real technological challenges to overcome. Big data risk management software can assist organizations in aggregating the different data sources, leading to reduced costs by unifying solutions, streamlining processes, creating situational awareness to expose exploits and threats in a timely manner, and gathering historic trend data, which can assist in predictive security.
2. Cyber Risk Visualization
One of the most efficient ways to identify imminent threats to an organization is to create a visual representation of its IT architecture and associated risks. This approach provides security operations teams with interactive views of the relationships between systems and their components, systems and other systems, and components and other components. Ultimately, it enables security practitioners to rapidly distinguish the criticality of risks vis-à-vis the affected systems and components. This allows organizations to focus mitigation actions on the most sensitive / at risk business components and increase board / auditor transparency.
3. Risk-Based Prioritization
Effective prioritization of vulnerabilities and incidents is essential to staying ahead of attackers. While security monitoring generates big data, in its raw form it remains only a means to an end. Ultimately, information security decision making should be based on prioritized, actionable insight derived from the data. To achieve this, big security data needs to be correlated with its business criticality or risk to the organization. Without a risk-based approach to security, organizations can waste valuable IT resources mitigating vulnerabilities that in reality pose little or no threat to the business.
Furthermore, big security data needs to be filtered to just the information that is relevant to specific stakeholders’ roles and responsibilities. Not everyone has the same needs and objectives when it comes to leveraging big data.
4. Closed-Loop Remediation
Lastly, closed-loop, risk-based remediation leverages subject matter experts within business units to define a risk catalog and risk tolerance. This process entails asset classification to define business criticality, continuous scoring to enable risk-based prioritization, and closed-loop tracking and measurement.
By establishing a continuous review loop of existing assets, people, processes, potential risks, and possible threats, organizations can dramatically increase operational efficiency, while improving collaboration among business, security, and IT operations. This enables security efforts to be measured and made tangible (e.g., time to resolution, investment into security operations personnel, purchases of additional security tools).
By focusing on these four cyber security building blocks, organizations can not only fulfill their board requirements for quantitative risk reporting that spans all business operations, but also serve their business units’ need to neutralize the impact of cyber-attacks. These methodologies can also help break down security silos, improve time-to-remediation, and increase visibility into enterprise risks.