Prioritize cybersecurity investments with experts’ market visibility
Security predictions at your disposal
Consider a new model for threat evaluation
For a long time cybersecurity has been driven by a reactive approach that focuses on investing in technology to prevent cyber-breaches. Unfortunately, this approach has proven unsuccessful: the number of breaches has increased despite higher security spending. Looking at breaches in particular, businesses will need to split the concept of a cyber-breach into two phases:
- The infrastructure breach: when devices or workloads are breached;
- The data breach: when critical data is destroyed, held for ransom or leaked;
Organizations must accept that their infrastructure will be breached, no matter how much they invest in preventative technologies. Consequently, they need to have a plan for how to detect it, how to limit the impact of the infrastructure breach, and how to respond to it as quickly as possible.
Drive detection to make the most of it
If we accept the hypothesis that we have to increase our ability to detect threats, how can we achieve this? We predict that the focus on log-based detection alone will shift to also include network-based and endpoint-based detection. In addition, there are environment-specific detection sensors that are adapted and optimized for particular environments, such as Cloud and OT/ICS. You should select a detection strategy based on your environment and your requirements.
If compliance-driven detection is most important, then logs are for you. If you want rapid time-to-value and advanced detection and response capabilities, endpoint is for you. If you cannot install sensors on all your endpoints, or you want to mitigate the risk that an attacker could turn off the endpoint sensor, you may need to complement this with network-based detection. If you have high detection requirements, you need a combination of all of the above.
It is now common knowledge that cybersecurity is truly a “big data” issue, regardless of whether you are analyzing endpoint data, network data or log data. To solve this, organizations will need to increase investments in technology with strong AI/ML implementations to help analyze this massive amount of data. To be effective, there needs to be a defined problem for which the technology is used as a tool, not as a solution in itself. Good implementations of AI/ML can significantly offload the work of the analysts and are, together with orchestration and automation, the key components for building the SOC of the future.
Add response capabilities as a rescue kit
Now that you have sorted out the technology approach, what’s next? You need people and processes to analyze and classify detections 24×7. Most businesses struggle with the cost and time of building these themselves, so they will buy this as a service (MDR), with the additional benefit that they will also receive 24×7 response.
With any security incident, the amount of damage grows with the time that passes before the incident is detected. To be clear: the quicker you can identify a potential incident, the less the damage will be. Therefore, the risk created by an incident depends on how quickly you can detect and respond to a threat. But detecting a breach is only one part of the story; response and recovery are equally important.
Visibility is the starting point to make the right decision
Cybersecurity investments need to be spent wisely. To make a good decision about where to invest, you need data and visibility to understand where investment will have the most impact. Here are some examples of areas in which we have seen increased demand.
Endpoint & network visibility
For decades people have been deploying SIEM solutions as the primary way of detecting and responding to threats. We still believe that SIEM is a crucial component in your SOC toolbox, but you can maximize your time-to-value and enhance your threat detection capabilities by deploying endpoint-based detection or network-based detection.
SIEM for machine data visibility
We all know the expression “data is the new oil”. So why not try and make use of all the data that your company creates every day, to help you make data-driven decisions and manage your business more effectively? We believe that just collecting logs for security use cases will shift into leveraging the same (and additional) data for IT and business operations use cases.
Everyone is moving to the cloud, and DevOps teams are spinning new environments up and down by the minute. At the same time, we know that all major breaches in cloud infrastructures have been due to misconfiguration or exposed vulnerabilities. We believe that customers need a single interface into their hybrid-cloud environments that gives them actionable intelligence about assets, configuration compliance, vulnerabilities and behavior anomalies across all of these cloud environments.
OT / ICS visibility
The Industrial Internet of Things (IIoT) and Industry 4.0 are all about connecting machines to other machines, and about the optimization and productivity needed to build ‘smart factories’. The benefits are immense, but so are the challenges. A major challenge is to bridge the gap between OT experts and security experts so that they understand the adversities in both areas and can build secure OT environments together. A good start is to get visibility over what is connected to these networks and how those devices communicate. This knowledge can then enable the implementation of segmentation, protection and threat detection solutions that help safeguard these OT environments.
Privileged account visibility
The majority of data breaches are carried out using privileged accounts for lateral movement and data exfiltration. Why? Because it’s easy. A common estimate is that the number of privileged accounts is about three times the number of normal user accounts. Do you have control over who has access to these accounts? Over how passwords are shared and rotated? And over what people actually do when they are logged in as administrators? Getting visibility into your current privileged accounts is a great first step in your plan to implement privileged account security.
All in all, what is next?
Once you have visibility into your assets and data, investments have to be made across all areas of prevention, detection and response.
- Prevention will shift from ‘all-or-nothing’ to a risk-based approach. Critical data, or employees with access to critical data, should have the appropriate protection needed.
- Detection will shift from ‘standard’ to customer-specific detections. Generic rules in a SIEM are not enough to detect smart opponents.
- Response will shift from ‘oops-help’ to a proactive and planned approach. Mapping your own capabilities and subscribing to external resources will be a priority.
Analysts’ reports can be useful tools to help you choose the best MDR provider for your business. The most recent one, Gartner’s Market Guide for Managed Detection and Response Services, was published in August 2020 and lists Orange Cyberdefense as a Representative Vendor for MDR services. You can download the Market Guide for free.