How bad is it?
When a security incident occurs, how confident are you that you can explain the impact to the rest of the organization in language that they understand? Despite all the money we have invested in security, it's still too difficult to put security details in business context fast enough.
When you can't, or don't feel confident when you do, you're in what we like to call the "gap of grief." And, too many organizations are finding themselves in this gap today.
What causes the gap? In two words, complexity and (lack of) context.
Let's think about how security strategies evolved. Over the years, for security exclusion (in other words, to "keep the bad guys out"), most organizations layered multiple preventative tools. We started with static, signature-based technology like firewalls, IDS/IPS, and A/V. As threats became more sophisticated, we added next-gen firewalls, sandboxes, and other "advanced threat solutions". The problem with this "new threat, new box" strategy is that it creates tremendous complexity, yet still leaves gaps in coverage and visibility that attackers can exploit.
Most organizations did the same thing for security inclusion, or "letting the good guys in". They knew they needed better control over users' identities, but they implemented multiple, disconnected controls and wound up with islands of identity that actually made access less convenient, and not much more secure.
The same is true of risk management, in those organizations mature enough to take a proactive approach. The information needed to understand our risk posture, especially new sources of cyber risk, lives in too many places and can't be gathered and integrated efficiently. We have blind spots, and the organization is exposed to risks it doesn't even know exist.
In this patchwork of point tools, each is providing information about their limited view of the environment. They all generate alerts when something is amiss. But because they aren't connected, and don't correlate data, security teams drown in a sea of alerts. Some are real, but too many are false positives, exacerbating the problem. It's impossible to separate the signal from the noise, and alert fatigue sets in, leading to inaction when time is of the essence in dealing with a potential compromise.
Finally, more technology means more alerts, but no priority; every alert is potentially treated the same. Without context, we can't determine whether anomalous activity is malicious or benign, we can't connect a seemingly disparate series of alerts into a single attack campaign, and we can't focus right away on the alerts that may have the biggest impact on the business. Worse, alerts without context or priority mean more to investigate, which requires more advanced analysts, whom the industry just doesn't have.
What we've built makes for a lot of complexity, no business context across these islands, and ultimately, an inability to understand if you have a security strategy that is truly having meaningful impact.
But there's a way out of the gap. At RSA, we understand these challenges, and can help you with business-driven security solutions that:
- Show the right picture end to end, with visibility through analytics and intelligence.
- Provide the fastest, most comprehensive insights, automating things that only humans could once do, making your team smarter and more effective.
- Deliver proper business context based on what is most important to your business so you are protecting what matters most.
- Enable you to take the right actions to respond, rather than reacting to every alert or problem and inadvertently making threat actors smarter.
With a business-driven security strategy, organizations of all sizes can close the gap of grief and take command of their evolving security posture in this uncertain, high-risk world.
Category: RSA Point of View, Blog Post
Keywords: CISO, Cybersecurity, Gap of Grief, Information Security, People Process Technology