Connect with us

Hi, what are you looking for?


Incident Response

Steps to Improving Security Efficacy

Security executives are charged with improving security monitoring, analytics, operations, and business enablement across the enterprise. One of the biggest challenges they face is achieving more efficacy, especially in light of the recent uptick in data breaches and their ability to circumvent existing security controls. So, what can be done?

Security executives are charged with improving security monitoring, analytics, operations, and business enablement across the enterprise. One of the biggest challenges they face is achieving more efficacy, especially in light of the recent uptick in data breaches and their ability to circumvent existing security controls. So, what can be done?

Typically, security effectiveness is measured by an organization’s ability to prevent known and unknown threats. To prevent a threat from exploiting a vulnerability that would generate a security incident, organizations most commonly rely on the implementation of security controls in combination with security tools. However, as the recent Target data breach illustrated, this is no longer an effective or scalable approach. According to media reports, Target not only had common security controls in place, but also sophisticated security tools that detected the initial data breach in near real time. The problem was that the data from their best of breed tools was not processed and correlated in time to prevent one of the largest third-party originated data breaches in cyber history.

Unfortunately, the Target scenario is not uncommon. Many organizations possess best of breed tools, but continue to rely on manual processes to comb through mountains of logs. It is no wonder that critical issues are not addressed in a timely fashion. According to the Verizon 2013 Data Breach Investigations Report, 69% of breaches were discovered by a third-party and not through internal resources. The scale of security data that needs analysis has simply become too big and too complex to manage. It takes months, and even years, to piece together an actionable picture.

Cyber Security Needle in Haystack

In order to find the needle in the haystack, it is imperative to have all necessary data available to diagnose the patterns that point to an advanced persistent threat or sophisticated cyber-attack. Big data sets can assist in putting specific behavior into context, but there are some real technological challenges to overcome.

According to Gartner (see Information Security Is Becoming a Big Data Analytics Problem, written by Neil MacDonald) “the amount of data required for information security to effectively detect advanced attacks and, at the same time, support new business initiatives will grow rapidly over the next five years.” Gartner adds, “the amount of data analyzed by enterprise information security organizations will double every year through 2016. By 2016, 40% of enterprises will actively analyze at least 10 terabytes of data for information security intelligence, up from less than 3% in 2011.”

Thus, despite the challenges related to big data in security, a first step in improving security efficacy is coverage. In the past, many organizations relied on sampling and point-in-time assessments to validate the existence and effectiveness of controls. Given the velocity and complexity of security threats in today’s environment, this style of control assurance is outdated. In order to improve security processes, continuous collection and diagnostics of relevant data to test the efficacy of controls is necessary. This is why we are seeing the introduction of enhanced regulations (e.g., PCI DSS 3.0, NIST SP 800-137) that prescribe continuous diagnostics of security controls.

In addition to the frequency of control assessments, organizations need to extend their coverage beyond stopping threats from getting in to include prevention of data going out. At the end of the day, the real harm of a cyber-attack lies in the data extrusion or leakage and not in the exploitation of a vulnerability.

Advertisement. Scroll to continue reading.

Last, but not least, coverage needs to be extended beyond the internal network and endpoints to include dispersed web properties, social media channels, mobile platforms, and third-party infrastructures. While this increases big data challenges in security, cybercrime is not single-dimensional and requires an integrated cyber security architecture that covers networks, endpoints, and security analytics on an enterprise scale.

This preventive, pro-active model is based on interconnecting otherwise silo-based security and IT tools and continuously monitoring and assessing the data they generate. The objective is to achieve a closed-loop, automated remediation process that is based on risk.

Continuous security monitoring includes the reconciliation of assets and automation of data classification, alignment of technical controls, automation of compliance testing, deployment of assessment surveys, and automation of data consolidation. By leveraging a common control framework an enterprise can reduce overlap, increase accuracy in data collection and data analysis, and reduce redundant, labor-intensive efforts by up to 75%.

This approach allows for an increased frequency of data assessments (e.g., on a weekly basis) and requires security data automation by aggregating and normalizing data from a variety of sources such as security information and event management (SIEM), asset management, threat feeds, and vulnerability scanners. The benefits are situational awareness which can expose exploits and threats in a timely manner (preventing a Target scenario), and historic trend data to assist in predictive security. Ultimately, this model can significantly improve an organization’s security efficacy.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.