Modern CISOs face a constant challenge as they attempt to stay ahead of an ever-increasing number of cyberthreats. Knowing where to channel investment to ensure enterprise security is maintained can be tough. Intelligent CISO hears from three experts about what their advice would be to security professionals facing this very predicament at organisations around the globe.
There are so many things for CISOs and other security staff to consider when looking for solutions to possible threats and breaches.
Piers Wilson, Head of Product Management at Huntsman Security, makes the case that organisations need to carefully balance system monitoring and employee trust.
He said: “Maintaining enterprise security while respecting the trust of employees is very difficult. No organisation wants to be spying on their staff but they can’t run the risk of insiders causing havoc, either on purpose or by accident.
“The problem is, traditional approaches simply aren’t effective at combating insider threats because, by definition, they’re already past all the perimeter defences.
“Therefore, organisations need monitoring systems that can pick up any potentially suspicious activity that could indicate something is amiss without flagging every single thing users do.
“For example, if the business detects a user account accessing data that it shouldn’t, they can quickly step in to prevent any harm from being done – whether the activity was an honest mistake or part of a deliberate attack.
“This approach means having technology that can deal with hundreds, if not thousands, of potential alerts a day; triaging to determine which represent true potential threats and which are false alarms.
“As with any other security tool, the more the system can decide for itself what represents a real threat, the easier it will be for security teams to react as appropriate. This doesn’t mean that other security systems are surplus to requirements. Instead it should form part of a layered approach to security, along with more sophisticated analysis, to ensure that all potential routes are covered.
“When it comes to managing trust of employees, most monitoring systems work unobtrusively in the background and only flag activity that could be a problem – and even then, most threats are discounted as perfectly legitimate users.
“Organisations just need to have the right policies in place that manage how they react to any flagged threats to ensure employees don’t think they aren’t trusted. This should go hand in hand with a thorough education program highlighting the cybersecurity threats that a business faces and why such systems are needed.”
Gregory Webb, CEO of Bromium, says detection-based security requires a ‘patient zero’: ‘someone must get owned and then protection begins’.
He said: “It’s no surprise that 63% of the CISOs we surveyed said they’re worried about alert fatigue. Our customers tell us their SOC teams are drowning in alerts, many of which are false positives.
“Meanwhile, advanced malware is still getting through because cybercriminals are focusing on the weak spots like email attachments, phishing links and downloads. This is why organisations have to consider the total cost of ownership when making security investments, rather than just following the detect-to-fail crowd.
“Application isolation provides the last line of defence in the new security stack and is the only way to tame the spiralling labour costs that result from detection-based solutions. Application isolation allows malware to fully execute, because the application is hardware isolated, so the threat has nowhere to go and nothing to steal.
“This eliminates reimaging and rebuilds, as machines do not get owned. It also significantly reduces false positives as SOC teams are only alerted to real threats. Emergency patching is not needed as the applications are already protected in an isolated container. Triage time is drastically reduced because SOC teams can analyse the full kill chain.”
Statistics obtained by Bromium via a survey of 500 CISOs from global enterprises showed that organisations invest US$345,300 per year on detect-to-protect (detection-based) security tools; the research argues that this cost is minimal compared with the hidden labour costs. The US$345,300 figure is based on an average 2,000-person organisation.
The research also showed that labour costs are soaring as a direct result of detection-based technology failures. SOC teams receive more than one million alerts every year, but 75% are false positives.
SOC teams spend 413,920 hours per year triaging alerts, an additional 2,448 hours rebuilding compromised machines and 780 hours on emergency patching, the research showed.
Meanwhile, Azeem Aleem, Global Director of Worldwide Advanced Cyber Defence Practice at RSA Security, has outlined why it is so important for businesses to be prepared to mitigate any breaches.
He said: “With every year that passes the attack surface widens, creating more opportunities for hackers and making life even harder for corporate security teams.
“As businesses forge ahead with digital transformations and move more services online, having cybersecurity in place is a business essential. Any breach can have a huge business impact, so mitigating this risk is a must.
“However, security breaches are in some ways inevitable, which is why monitoring and network surveillance are so important. If the worst happens and a breach occurs, businesses must be in a position to identify and remediate the threat quickly – before the hacker is able to exfiltrate data, insert backdoors or cause too much damage.
“They also need to be able to reconstruct the incident quickly and determine exactly what data has been accessed and how much has been extracted.
“By having this information to hand, organisations can close any gaps in security, provide helpful information to any customers that may have been affected and put executives’ minds at ease.
“Today, the vast majority of data breaches start with a hacker stealing the credentials of a legitimate user in a bid to evade traditional threat detection tools. Because of this, many businesses have started to use SIEM tools to spot anomalies in user behaviour.
“The problem is, standard SIEM solutions that monitor internal networks and beam up thousands of alerts to the security team often create more issues than they solve. Organisations need an evolved SIEM that not only takes advantage of machine learning and behavioural analytics to identify threats quickly but also overlays insight about the key risk areas in a business.
“It should then scale up security for these business-critical assets accordingly, to create a ‘live threat matrix’.
“This business-driven security ensures that these key assets are afforded the highest levels of security when the hackers inevitably come knocking.”
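Both Wilson’s point (flag a user account touching data it shouldn’t, without alerting on everything users do) and Aleem’s (a behavioural baseline overlaid with the criticality of the asset involved, so the queue reflects business risk) come down to the same mechanism: score each event against the user’s own history, weight it by what was accessed, and surface only what clears a threshold. The script below is an added illustration written for this article, not code from Huntsman, Bromium or RSA; the users, resources, log events, point values and criticality weights are all constructed and hypothetical.

```python
"""Added example (not from the article or any vendor product): a minimal
user-behaviour baseline and risk-weighted alert triage over constructed
access-log events. Names, resources, points and weights are hypothetical."""
from datetime import datetime

# Constructed sample: (user, ISO timestamp, resource, action) from a "learning" period.
BASELINE_LOG = [
    ("alice", "2024-03-01T09:05:00", "crm", "read"),
    ("alice", "2024-03-01T14:20:00", "wiki", "read"),
    ("alice", "2024-03-02T10:00:00", "crm", "read"),
    ("bob", "2024-03-01T11:30:00", "source-repo", "push"),
    ("bob", "2024-03-02T16:45:00", "wiki", "read"),
    ("carol", "2024-03-01T09:30:00", "hr-payroll-db", "read"),
    ("carol", "2024-03-01T13:00:00", "hr-payroll-db", "export"),
    ("carol", "2024-03-02T10:15:00", "wiki", "read"),
]

# Constructed events to triage: routine work plus one stolen-credential-style pattern.
NEW_EVENTS = [
    ("alice", "2024-03-04T10:00:00", "crm", "read"),              # routine
    ("alice", "2024-03-04T02:30:00", "hr-payroll-db", "export"),  # 02:30 export of data alice never touches
    ("bob", "2024-03-04T22:10:00", "source-repo", "push"),        # late push, otherwise normal
    ("carol", "2024-03-04T11:00:00", "hr-payroll-db", "export"),  # carol's normal job
    ("bob", "2024-03-04T12:00:00", "crm", "read"),                # bob in a system he has no history with
    ("mallory", "2024-03-04T12:05:00", "wiki", "read"),           # account with no baseline at all
]

# Hypothetical business-criticality weights: the asset-risk overlay on top of the anomaly.
ASSET_CRITICALITY = {"hr-payroll-db": 5, "source-repo": 4, "crm": 3, "wiki": 1}


def build_baseline(events):
    """Per-user profile: resources seen, (resource, action) pairs seen, and the
    hour-of-day window in which the user was active during the learning period."""
    profiles = {}
    for user, ts, resource, action in events:
        p = profiles.setdefault(user, {"resources": set(), "pairs": set(), "hours": []})
        p["resources"].add(resource)
        p["pairs"].add((resource, action))
        p["hours"].append(datetime.fromisoformat(ts).hour)
    for p in profiles.values():
        lo, hi = min(p["hours"]), max(p["hours"])
        p["hours"] = set(range(lo, hi + 1))  # simplification: one contiguous working window
    return profiles


def score_event(event, baseline, criticality):
    """Deviation points from the user's own baseline, multiplied by asset criticality.
    Returns (score, reasons); a score of 0 means nothing about the event is new."""
    user, ts, resource, action = event
    profile = baseline.get(user)
    points, reasons = 0, []
    if profile is None:
        points, reasons = 3, ["no baseline for user"]
    else:
        if resource not in profile["resources"]:
            points += 3
            reasons.append("resource never accessed before")
        elif (resource, action) not in profile["pairs"]:
            points += 2
            reasons.append("new action on a known resource")
        if datetime.fromisoformat(ts).hour not in profile["hours"]:
            points += 1
            reasons.append("outside usual hours")
    return points * criticality.get(resource, 1), reasons


def triage(events, baseline, criticality, threshold=8):
    """Keep only events at or above the threshold, highest risk first, so the
    analyst sees a short ranked queue rather than every deviation."""
    alerts = []
    for event in events:
        score, reasons = score_event(event, baseline, criticality)
        if score >= threshold:
            alerts.append({"user": event[0], "resource": event[2], "action": event[3],
                           "score": score, "reasons": reasons})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    profiles = build_baseline(BASELINE_LOG)
    for alert in triage(NEW_EVENTS, profiles, ASSET_CRITICALITY):
        print(alert)
```

Running it against the six constructed events produces two alerts: alice’s off-hours export from the payroll database (score 20) and bob’s first-ever visit to the CRM (score 9). Bob’s late push to a repository he uses every day scores 4 and the unknown account reading the low-value wiki scores 3; both stay below the threshold and never reach an analyst, which is the “don’t flag every single thing users do” behaviour the quotes ask for. The same deviation on a low-criticality asset would also be suppressed, whereas on the payroll database it rises to the top of the queue; that is the asset-criticality overlay, and the threshold and weights are the knobs a team would tune against its own false-positive rate.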