Targeted and highly sophisticated cyber-attacks are compelling security practitioners to change the way they deal with evolving threats. The damages associated with breaches are motivating companies to transition from a check-box mentality to a pro-active, risk-based approach to security. This means that security risk management needs to advance beyond traditional yearly assessments.
For decades, security risk management was driven by point-in-time compliance certification that was intended to strengthen an organization’s security posture. Escalating data breaches have proven what practitioners have known for years — being in compliance does not equal being secure. In response to the uptick in cyber-attacks, legislators and industry governing bodies alike have started to revise their guidelines to emphasize the implementation of a pro-active, risk-based approach to security over the traditional check-box mentality.
This approach requires that organizations take real-time information into account when running continuous monitoring and mitigation programs. Technology plays a central role in gathering all the necessary pieces that make up the security risk management puzzle. Many organizations have invested heavily in deploying a technology portfolio that can detect cyber-attacks before they can wreak havoc. This trend has been confirmed by Gartner (“Gartner Says Worldwide Information Security Spending Will Grow Almost…”, Gartner, August 2014), which predicts that worldwide spending on information security will reach $76.9 billion in 2015, an increase of 8.2 percent over 2014.
However, accelerating security incidents are raising doubts about the effectiveness of these investments. A PwC survey (“Managing Cyber Risk in an Interconnected World”, PwC, 2015) of 9,700 companies found that they had detected nearly 43 million security incidents in 2014, a compound annual growth rate of 66 percent since 2009.
So what are companies doing wrong when it comes to their security risk management investments?
First, increasing the frequency of scans and reporting is a step in the right direction. To create situational awareness and expose exploits and threats in a timely manner, organizations need to gather historic trend data and go beyond continuous monitoring. They need to operationalize security risk management by automating data aggregation and normalization from a variety of sources such as security information and event management (SIEM), asset management, threat feeds, and vulnerability scanners.
Unfortunately, relying on manual processes to comb through mountains of logs is one of the main reasons that critical issues are not being addressed in a timely fashion. The Target breach is a good example. The right tools were in place and reported the intrusion, but due to the volume of data that the outsourced security operations team needed to assess on an ongoing basis, the breach was never detected. In fact, Target was alerted to the breach by a third party, which according to the Verizon Data Breach Investigations Report is not uncommon.
Instead, organizations need to create an orchestration layer that allows them to contextualize security risk management information in an automated fashion. This model allows security experts to focus solely on those issues that pose a risk to the business rather than being distracted by all the noise generated by mountains of security data.
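As an added illustration of the orchestration layer described above (example code written for this page, not from the article or any vendor product), the toy below normalizes records from a vulnerability scanner and a SIEM into one schema, joins them against asset-management criticality and a threat feed, and surfaces only the findings whose business-risk score clears a threshold. All hostnames, CVE identifiers, scores and the threshold are constructed placeholders.

```python
"""Toy orchestration layer: aggregate, normalize, contextualize, then filter noise."""
from dataclasses import dataclass

# Constructed sample inputs (placeholders, not real assets or CVEs).
ASSETS = {"pos-gw-01": 5, "hr-web-02": 3, "dev-lab-07": 1}   # asset mgmt: business criticality 1..5
THREAT_FEED = {"CVE-0000-0001"}                               # threat feed: CVEs reported as exploited
SCANNER = [                                                  # vulnerability scanner export
    {"host": "pos-gw-01", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"host": "dev-lab-07", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"host": "hr-web-02", "cve": "CVE-0000-0002", "cvss": 5.3},
]
SIEM = [                                                     # SIEM alerts
    {"src_host": "pos-gw-01", "rule": "malware-beacon", "count": 40},
    {"src_host": "dev-lab-07", "rule": "port-scan", "count": 2},
]


@dataclass
class Finding:
    host: str
    source: str      # which tool produced it
    detail: str      # CVE id or SIEM rule name
    severity: float  # normalized to a 0..10 scale


def normalize(scanner, siem):
    """Map heterogeneous tool records into one schema with a common severity scale."""
    out = [Finding(r["host"], "scanner", r["cve"], float(r["cvss"])) for r in scanner]
    # SIEM alerts carry no CVSS; derive severity from alert volume, capped at 10.
    out += [Finding(a["src_host"], "siem", a["rule"], min(10.0, 5 + a["count"] / 10))
            for a in siem]
    return out


def contextualize(findings, assets, feed):
    """Score each finding: severity x asset criticality, doubled when threat intel says exploited."""
    scored = []
    for f in findings:
        crit = assets.get(f.host, 1)          # unknown asset: assume lowest criticality
        boost = 2.0 if f.detail in feed else 1.0
        scored.append((round(f.severity * crit * boost, 1), f))
    return sorted(scored, key=lambda s: -s[0])


def triage(findings, assets, feed, threshold=20.0):
    """Return only the (score, finding) pairs an analyst should actually look at."""
    return [(s, f) for s, f in contextualize(findings, assets, feed) if s >= threshold]


if __name__ == "__main__":
    for score, f in triage(normalize(SCANNER, SIEM), ASSETS, THREAT_FEED):
        print(f"{score:6.1f}  {f.host:<10} {f.source:<8} {f.detail}")
```

Note that the same critical CVE lands in the analyst queue for the payment gateway but is filtered out for the lab box, which is the point of contextualizing rather than alerting on raw severity.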