Faced with a growing threat landscape, a shortage of skilled cyber security professionals, and non-technical employees who lack awareness of cyber security best practices, to name a few, CISOs are continuously confronted with a number of existing and new challenges. To mitigate some of these challenges by eliminating security threats and minimizing security gaps, they must make some critical strategic decisions within their organizations.
Even though we are only at the beginning of April, 2018 is already proving to be a year of increasing cyber incidents, with security threats spanning across a range of industry sectors, impacting both the private and public sectors alike. We have seen many data breaches including Uber, Facebook and Experian that have made it clear that no organization, not even the corporate giants, are safe from these cyber threats and attacks. We are now also seeing newly evolving threats affecting the popular and latest smart devices including products such as Alexa and Goоgle Home. New technology not fully tested, or security vulnerabilities from IoT devices being brought into the workplace, now bring additional concerns for CISOs and their security teams, as they try to proactively defend and protect their corporate networks.
This problem seems quite simple to identify in that corporate policies are not being updated fast enough to keep up with dynamic changes and advancements in technology, as well as to cope with the increasing sophistication of advancing threats, but managing this problem is seemingly more difficult. This generates an additional set of challenges for CISOs to enforce policies that still need to be written, while conquering internal corporate bureaucracy to get them created, modified or updated. This is just one challenge. Let’s now discuss a few more and some suggested actions to manage them.
How CISOs Can Overcome Their Challenges
CISOs in international corporations need to focus on global compliance and regulations to abide with a range of privacy laws, including the upcoming European Union’s General Data Protection Regulation (GDPR). This new regulation due to come into force on May 25th, 2018 has set the stage for protection of consumer data privacy and in time we expect to see other regulations closely follow suite. International companies that hold EU personal identifiable information inside or outside of the EU will need to abide by the regulation and establish a formalized incident response procedure, implement an internal breach notification process, communicate the personal data breach to the data subject without delay, as well as notify the Supervisory Authority within 72 hours, regardless of where the breach occurred. Organizations need to report all breaches and inform their affected customers, or face fines of up to 20 million Euros or four percent of annual turnover (whichever is higher). A new law called the Data Security and Breach Notification Act is also being worked on presently by the U.S. Senate to promote this protection for customers affected. This new legislation will impose up to a five year prison sentence on any individual that conceals a new data breach, without notifying the customers that had been impacted.
So how can CISOs proactively stay ahead of the growing number of cyber security threats, notify affected customers as soon as possible and respond within 72 hrs of a breach? The key is to carry out security risk assessments, implement the necessary procedures, as well as utilize tools that can help facilitate Security Orchestration, Automation and Response (SOAR), such as the IncMan SOAR platform from DLFabs. IncMan has capabilities to automate and prioritize incident response and related enrichment and containment tasks, distribute appropriate notifications and implement an incident response plan in case of a potential data breach. IncMan handles different stages of the incident response and breach notification process including providing advanced reporting capabilities with appropriate metrics and the ability to gather or share intelligence with 3rd parties. This timely collection of enriched threat intelligence helps expedite the incident response time and contribute to better management of the corporate landscape.
The Need to Harden New Technology Policies
Endpoint protection has also become a heightened concern for security departments in recent months, with an increasing number of organizations facing multiple ransomware and zero days attacks. New technologies used by employees within the organization, not covered by corporate policies, such as Bring Your Own Device (BYOD) and the Internet of things (IoT) have brought new challenges to the CISOs threat landscape. One example as we mentioned earlier are gadgets such as Alexa or Google Home, where users bring them into the office and connect them to the corporate WIFI or network without prior approval. When connected to the network, they can immediately introduce vulnerabilities and access gaps in the security network that can be easily exploited by hackers.
Devices that are not managed under corporate policies need to be restricted to a guest network that cannot exploit vulnerabilities and should not be allowed to use Wi-Fi Protected Access (WPA). CISOs need to ensure that stricter corporate policies are implemented to restrict and manage new technologies, as well as utilizing tools such as an Endpoint Protection Product (EPP) or Next-Generation Anti Virus (NGAV) solution to help prevent malware from executing when found on a user machine. NAGV tools can learn the behaviors of the endpoint devices and query a signature database of vaccines for exploits and other malware on real time to help expedite containment and remediation to minimize threats.
Maximizing Resources With Technology as a Solution
With the significant increase in the number of and advancing sophistication of potential cyber security threats and security alerts, combined with a shortage of cyber security staff with the required skill set and knowledge, CISOs are under even more pressure to protect their organizations and ask themselves questions such as: How do I effectively investigate incidents coming in from so many data points? How can I quickly prioritize incidents that present the greatest threat to my organization? How can I reduce the amount of time necessary to resolve an incident and give staff more time hunting emerging threats?
They will need to assess their current organization security landscape and available resources, while assessing their skill level and maturity. Based on the company size it may even make business sense to outsource some aspects, for example by hiring a Managed Security Service Provider (MSSP) to manage alert monitoring, threat detection and incident response. CISOs should also evaluate the range of tools available to them and make the decision whether they can benefit from utilizing Security Orchestration, Automation and Response (SOAR) technology to increase their security program efficiency and effectiveness within their current structure.
Security Infrastructure and Employee Training Are Paramount
In summary, CISOs will be faced with more advancing challenges and increasing threats and these are only set to continue over the coming months. They should ensure that their security infrastructures follow sufficient frameworks such as NIST, ISO, SANS, PCI/DSS, as well as best practices for application security, cloud computing and encryption.
They should prepare to resource their security teams with adequate technology and tools to respond to threats and alerts and to minimize the impact as much as feasibly possible, with set policies and procedures in place. To enforce security best practices across all departments of the company, it is important that security decisions are fully understood and supported by the leadership team as well as human resources, with a range of corporate policies to meet the challenges of ever changing technologies.
CISOs need to promote security best practices and corporate policies, industry laws regulations and compliance by educating and training relevant stakeholders, starting with employees. The use of workshops, seminars, websites, banners, posters and training in all areas of the company will heighten people’s awareness to threats and exploits, increasing their knowledge, while also teaching them the best way to respond or to raise the alarm if there is a potential threat. The initial investment in education and training may be a burden on time and resources but in the long run will prove beneficial and could potentially prevent the company from experiencing a serious threat or penalty from non-compliance.
Completing a full analysis of current resources, skill sets and security tools and platforms will all play a part when deciding whether in-house or outsourced security operations is the best approach, but the benefits of using SOAR technology to leverage existing security products to dramatically reduce the response and remediation gap caused by limited resources and the increasing volume of threats and incidents, as well as to assist with important breach notification requirements, should not be overlooked.
According to an October 2016 Fortune Tech article by Jonathan Vanian, entitled Here’s How Much Businesses Worldwide Will Spend on Cybersecurity by 2020, organizations will be spending approximately $73.3 billion in 2016 on network security with a projected 36% increase totaling $101.6 billion in 2020. Stake holders know all too well that the pennies you save today may equate to dollars in lost revenue and fines tomorrow following a significant breach or personal information leak. Finding the balance between risk and ROI is the type of thing that keeps CISO’s and CTO’s sleepless at nights.
This becomes even more critical for multinational corporations as we approach the May 25, 2018 General Data Protection Regulation (GDPR) implementation date. Post GDPR implementation, failing to protect the data of EU citizens could result not only in lost reputation and accompanying revenue, but hefty fines totaling more than some information security budgets.
This brings into sharp focus the need to make the best use of the resources we have while ensuring that we invest in the strategies that provide us the best return. Striking a balance between technology and personnel allows us to leverage each one in a coordinated effort that makes each one a force multiplier for the other.
One of the true pleasures I get here at DFLabs is speaking to our customers, listening to their pain points and discussing how they are dealing with them both on a strategic and tactical level. It never ceases to amaze me how creative the solutions are and I’ve been blown away more than once by some truly outside of the box thinking on their part.
ESG Research recently published a whitepaper entitled Next Generation Cyber Security Analytics and Operations Survey where in one of the (many) takeaways is that the top 5 challenges for security analytics and operations consist of:
- Total cost of operations
- Volume of alerts don’t allow time for strategy and process improvement
- Time to remediate incidents
- Lack of tools and processes to operationalize threat intelligence
- Lack of staff and/or skill set to properly address each task associated with an alert
These 5 pain points come as no surprise and while there is certainly no “silver bullet” there are some steps we can take to lessen the severity and improve our cyber incident response position significantly.
Total Cost of Operations
Addressing the total cost of operations can be the biggest factor in building a solid security analytics and operations capability. The key here is to leverage the resources you currently possess to their maximum potential, be it personnel, processes or technological solutions. Automation and incident orchestration allows the blending of human to machine or machine to machine activities in a real-time incident response. This not only makes the best use of existing resources, but provides you the much-needed insight to determine where your funds are best spent going forward.
Volume of alerts don’t allow time for strategy and process improvement
In the whitepaper entitled Automation as a Force Multiplier in Cyber Incident Response I address the alert fatigue phenomenon and discuss ways to address it within your organization. The strategy discussed, including automatically addressing lesser priority or “nuisance” alerts will provide your operations team with additional time for strategizing and process evaluation.
Time to Remediate Incidents
We are certainly familiar with the term dwell time as it applies to InfoSec. One of the 5 focus areas outlined in Joshua Douglas’ paper entitled Cyber Dwell Time and Lateral Movement is granulated visibility and correlated intelligence. This requires a centralized orchestration platform for incident review and processing that provides not only automated response, but the ability to leverage intelligence feeds to orchestrate that response. Given this capability, that single pane of glass now becomes a fully functional orchestration and automation platform. Now we can see correlated data across multiple systems incidents providing us the capability to locate, contain and remediate incidents faster than we thought possible and reduce dwell time exponentially.
Lack of tools and processes to operationalize threat intelligence
The ability to integrate threat intelligence feeds into existing incidents to enrich the data or alternately to create incidents based on threat intelligence to proactively seek out these threats is integral to your security analytics and operations capabilities. This could be a centralized mechanism in your strategic response and an integral part of your orchestration and automation platform. The ability to coordinate this activity is referred to as Supervised Active Intelligence (SAI)™ and provides the ability to scale the response using the most appropriate methods based on fact-based and intelligence driven data. This coordination should enhance your existing infrastructure making use of your current (and future) security tools.
Lack of staff and/or skillset to properly address each task associated with an alert
Of all the pain points in security analytics and operations, this is the one I hear about most frequently. The ability to leverage the knowledge veterans possess to help grow less experienced team members is an age-old issue. Fortunately, this may be the easiest to solve given the capabilities and amount of data we have available and the process by which we can communicate these practices. Orchestration and automation platforms must include not only a Knowledge Base capable of educating new team members of the latest in IR techniques, but incident workflows (commonly called “Playbooks”) that provide the incident responder on his first day the same structured response utilized by the organizations veterans. This workflow doesn’t require the veteran to be present as the tactics, techniques and procedures have already been laid out to guide less experienced employees.
We’ve seen that there are some significant pain points when developing a structured security analytics and operations capability. However I hope you’ve also seen that each of those points can be addressed via orchestration and automation directed toward prioritizing the improvement of your existing resources, with an eye toward the future.
Back in September, 2016, the New York State Department of Financial Services proposed a set of cyber security rules aimed at improving security among financial institutions. If accepted, the proposed rules will make it mandatory for banks and other financial institutions, as well as insurance providers, to develop a cyber security plan, and appoint a CISO (Chief Information Security Officer), who would enforce that plan in case of a cyber security incident.
While the state’s intention with the proposal of these rules is to help protect financial institutions from cybercrime, with many of the affected organizations provisionally stating that they are in favor of them, there were many institutions that didn’t seem to welcome the new requirements. Smaller institutions were concerned that these requirements would become an unnecessary additional financial burden for them. However, there are solutions that could help make the implementation of these requirements more cost effective for all organizations, including the smaller providers of financial services.
Cybersecurity Programs and Policies at the Center of the Requirements
There are a few main areas encompassed in New York State’s Proposed Cybersecurity Requirements for Financial Services Companies:
● Establishment of a Cybersecurity Program
● Adoption of a Cybersecurity Policy
● Designation of a CISO, (Chief Information Security Officer)
● Third-Party Service Providers
There are some additional requirements for the cyber security programs that are supposed to include – among other things – written incident response plans for response to and recovery from cyber security events, and annual risk assessments of the integrity, confidentiality, and availability of information systems.
Incident Response Platforms
Though the proposed requirements appear to be too cumbersome, expensive, and difficult to implement for small financial institutions at first glance, there are affordable solutions on the market that can be adopted to address all the above cyber security rules. There are platforms providing an automated incident response and assist organizations in recovering from cyber security events quickly and efficiently. Incident response platforms are the most cost-effective solution that all regulated entities can adopt in order to adhere with the proposed requirements.
Such platforms are all-in-one solutions allowing for the identification of cyber risks and cyber security events, enabling recovery to normal operations, by performing automated forensics. Other capabilities include – determining the exact number of incidents that have occurred within a certain period of time and what has caused them. Additionally, there are incident response platforms capable of performing predictive analytics, allowing an organization to prioritize its response, resulting in reduced reaction time and significant financial savings.
Another important feature of an incident response platform is the ability to track digital evidence and create automated incident reports. They can be sent to an organization’s cyber security team.
Considering that every new state or federal requirement presents an additional burden for small banks and other financial services providers, these types of platforms are one of the rare solutions that will allow them to comply with those requirements without having to spend substantial amounts of money. These platforms automate the entire cybersecurity incident response and recovery process, effectively streamlining an organization’s cybersecurity plan in the most cost-effective manner.