Security Analytics and Operations – Leveraging People, Processes and Technology to Secure the Network and the Bottom Line

According to an October 2016 Fortune Tech article by Jonathan Vanian, entitled Here’s How Much Businesses Worldwide Will Spend on Cybersecurity by 2020, organizations will be spending approximately $73.3 billion in 2016 on network security with a projected 36% increase totaling $101.6 billion in 2020. Stake holders know all too well that the pennies you save today may equate to dollars in lost revenue and fines tomorrow following a significant breach or personal information leak. Finding the balance between risk and ROI is the type of thing that keeps CISO’s and CTO’s sleepless at nights.

This becomes even more critical for multinational corporations as we approach the May 25, 2018 General Data Protection Regulation (GDPR) implementation date. Post GDPR implementation, failing to protect the data of EU citizens could result not only in lost reputation and accompanying revenue, but hefty fines totaling more than some information security budgets.

This brings into sharp focus the need to make the best use of the resources we have while ensuring that we invest in the strategies that provide us the best return. Striking a balance between technology and personnel allows us to leverage each one in a coordinated effort that makes each one a force multiplier for the other.

One of the true pleasures I get here at DFLabs is speaking to our customers, listening to their pain points and discussing how they are dealing with them both on a strategic and tactical level. It never ceases to amaze me how creative the solutions are and I’ve been blown away more than once by some truly outside of the box thinking on their part.

ESG Research recently published a whitepaper entitled Next Generation Cyber Security Analytics and Operations Survey where in one of the (many) takeaways is that the top 5 challenges for security analytics and operations consist of:

  1. Total cost of operations
  2. Volume of alerts don’t allow time for strategy and process improvement
  3. Time to remediate incidents
  4. Lack of tools and processes to operationalize threat intelligence
  5. Lack of staff and/or skill set to properly address each task associated with an alert

These 5 pain points come as no surprise and while there is certainly no “silver bullet” there are some steps we can take to lessen the severity and improve our cyber incident response position significantly.

Total Cost of Operations

Addressing the total cost of operations can be the biggest factor in building a solid security analytics and operations capability. The key here is to leverage the resources you currently possess to their maximum potential, be it personnel, processes or technological solutions. Automation and incident orchestration allows the blending of human to machine or machine to machine activities in a real-time incident response. This not only makes the best use of existing resources, but provides you the much-needed insight to determine where your funds are best spent going forward.

Volume of alerts don’t allow time for strategy and process improvement

In the whitepaper entitled Automation as a Force Multiplier in Cyber Incident Response I address the alert fatigue phenomenon and discuss ways to address it within your organization. The strategy discussed, including automatically addressing lesser priority or “nuisance” alerts will provide your operations team with additional time for strategizing and process evaluation.

Time to Remediate Incidents

We are certainly familiar with the term dwell time as it applies to InfoSec. One of the 5 focus areas outlined in Joshua Douglas’ paper entitled Cyber Dwell Time and Lateral Movement is granulated visibility and correlated intelligence. This requires a centralized orchestration platform for incident review and processing that provides not only automated response, but the ability to leverage intelligence feeds to orchestrate that response. Given this capability, that single pane of glass now becomes a fully functional orchestration and automation platform. Now we can see correlated data across multiple systems incidents providing us the capability to locate, contain and remediate incidents faster than we thought possible and reduce dwell time exponentially.

Lack of tools and processes to operationalize threat intelligence

The ability to integrate threat intelligence feeds into existing incidents to enrich the data or alternately to create incidents based on threat intelligence to proactively seek out these threats is integral to your security analytics and operations capabilities. This could be a centralized mechanism in your strategic response and an integral part of your orchestration and automation platform. The ability to coordinate this activity is referred to as Supervised Active Intelligence (SAI)™ and provides the ability to scale the response using the most appropriate methods based on fact-based and intelligence driven data. This coordination should enhance your existing infrastructure making use of your current (and future) security tools.

Lack of staff and/or skillset to properly address each task associated with an alert

Of all the pain points in security analytics and operations, this is the one I hear about most frequently. The ability to leverage the knowledge veterans possess to help grow less experienced team members is an age-old issue. Fortunately, this may be the easiest to solve given the capabilities and amount of data we have available and the process by which we can communicate these practices. Orchestration and automation platforms must include not only a Knowledge Base capable of educating new team members of the latest in IR techniques, but incident workflows (commonly called “Playbooks”) that provide the incident responder on his first day the same structured response utilized by the organizations veterans. This workflow doesn’t require the veteran to be present as the tactics, techniques and procedures have already been laid out to guide less experienced employees.

We’ve seen that there are some significant pain points when developing a structured security analytics and operations capability. However I hope you’ve also seen that each of those points can be addressed via orchestration and automation directed toward prioritizing the improvement of your existing resources, with an eye toward the future.

A Weekend in Incident Response #13: Can Smaller Banks Comply with New York’s Proposed Cyber Security Rules?

Back in September, 2016, the New York State Department of Financial Services proposed a set of cyber security rules aimed at improving security among financial institutions. If accepted, the proposed rules will make it mandatory for banks and other financial institutions, as well as insurance providers, to develop a cyber security plan, and appoint a CISO (Chief Information Security Officer), who would enforce that plan in case of a cyber security incident.

While the state’s intention with the proposal of these rules is to help protect financial institutions from cybercrime, with many of the affected organizations provisionally stating that they are in favor of them, there were many institutions that didn’t seem to welcome the new requirements. Smaller institutions were concerned that these requirements would become an unnecessary additional financial burden for them. However, there are solutions that could help make the implementation of these requirements more cost effective for all organizations, including the smaller providers of financial services.

Cybersecurity Programs and Policies at the Center of the Requirements

There are a few main areas encompassed in New York State’s Proposed Cybersecurity Requirements for Financial Services Companies:

● Establishment of a Cybersecurity Program
● Adoption of a Cybersecurity Policy
● Designation of a CISO, (Chief Information Security Officer)
● Third-Party Service Providers

There are some additional requirements for the cyber security programs that are supposed to include – among other things – written incident response plans for response to and recovery from cyber security events, and annual risk assessments of the integrity, confidentiality, and availability of information systems.

Incident Response Platforms

Though the proposed requirements appear to be too cumbersome, expensive, and difficult to implement for small financial institutions at first glance, there are affordable solutions on the market that can be adopted to address all the above cyber security rules. There are platforms providing an automated incident response and assist organizations in recovering from cyber security events quickly and efficiently. Incident response platforms are the most cost-effective solution that all regulated entities can adopt in order to adhere with the proposed requirements.

Such platforms are all-in-one solutions allowing for the identification of cyber risks and cyber security events, enabling recovery to normal operations, by performing automated forensics. Other capabilities include – determining the exact number of incidents that have occurred within a certain period of time and what has caused them. Additionally, there are incident response platforms capable of performing predictive analytics, allowing an organization to prioritize its response, resulting in reduced reaction time and significant financial savings.

Another important feature of an incident response platform is the ability to track digital evidence and create automated incident reports. They can be sent to an organization’s cyber security team.

Considering that every new state or federal requirement presents an additional burden for small banks and other financial services providers, these types of platforms are one of the rare solutions that will allow them to comply with those requirements without having to spend substantial amounts of money. These platforms automate the entire cybersecurity incident response and recovery process, effectively streamlining an organization’s cybersecurity plan in the most cost-effective manner.