As I travel around the world and meet with CISOs and security teams, I continue to be amazed at the organizational disconnects around managing cyber risk. Security Operations and Identity & Access Management teams operate their own business processes with very few connection points. Security and Risk & Compliance teams have different world views of how to best address cyber challenges - they're not even speaking the same language. Many CISOs have shared their uphill battle with the C-suite and Board of Directors who think of 'cyber' as a project with a start and end date, rather than a risk to be managed such as liquidity, supply chain or vendor risk.
With so many disconnects compounding an already vexing problem, it should be no surprise that we see so many targeted attacks continuing to make headlines. It reminds me of a real-world story that played out just over 30 years ago.
On a cold January morning, every American waited in anticipation of the Space Shuttle Challenger liftoff. As the shuttle ascended, cheers and euphoria turned to shock just 73 seconds into the flight. The world watched in horror as a fireball engulfed Challenger and tore it apart in milliseconds. What none of us knew then was six months earlier a shuttle engineer warned that O-ring erosion could lead to catastrophe. The technical team - the first line of defense - knew the risk of launching on a cold day, but weren't able to convincingly answer a simple question to NASA administrators: "HOW BAD IS IT?" The technical experts tried ringing the alarm bell - but management simply didn't understand the gravity of their message. NASA couldn't connect the dots between the technical details and mission risk.
At RSA, we call this state of confusion THE GAP OF GRIEF. Too many organizations find themselves in this gap today, unable to understand the business implications from cyber risks they face. Incidents fill up the analysts' queues, but they lack the context to identify which incidents have significant business impact, versus those that can be deprioritized. At the same time, risk managers don't have methods of connecting the incidents with risks to the business or to determine their controls' effectiveness. These disconnects negatively impact organizational effectiveness in dealing with cyber risks, with decision-making opportunistic at best and haphazard at worst. Does this sound like the situation your organization finds itself in?
We can address the massive disconnects that serve as an obstacle to effective cyber risk management, despite the changing compute paradigm and exponential increase in attacks. At RSA, we've developed a strategy to tackle these challenges - business-driven security, that enables organizations to connect the dots between the security incidents and business risk. We believe that operationalizing business-driven security will make security teams and risk managers more effective, resulting in smarter and faster decisions around cyber risk management.
Business-driven security is more than a Kumbaya or Trust-Tree moment for security and risk teams with different charters and world views. When you break it down, there's real substance behind what jaded cybersecurity professionals may consider a clever marketing term. It's a blueprint that enables organizations to connect the dots by leveraging visibility, rapid insight, business context, and efficient response. Working in concert, operationalizing these four pillars will help ensure that security and risk practitioners are speaking - and taking action based on - the same language. Let me take you through each.
Full Visibility. Business-driven security starts by seeing the "cyber O-rings" in your infrastructure. If you can't spot authentication failures, fraud or lateral movement occurring, you have no chance of mitigating a cyber catastrophe. This means having a good understanding of all relevant threat vectors that could result in a compromise. While every organization can maximize the impact of their visibility by taking a risk-based approach to implement telemetry, there are some clear ways to make it even more effective. As all insider threats and many advanced attacks can be tied back to users, getting visibility into authentication and access data is essential. Looking at logs and packets for north-south and east-west traffic at a network level can help spot the ingress and egress of attackers. Additionally, getting visibility into the endpoint provides insight into whether or not attacks were successful, by spotting malicious processes at work. Through the combination of these techniques, I hope you'll see that it's critical to start with great visibility - without it you'll have no hope of detecting threats. However, the downside of having so much data available is that spotting the "cyber O-rings" becomes challenging as your visibility improves. That's where analytics come in to provide insight.
Rapid Insight. By applying the right set of analytic methods, security teams can gain early insight into stealthy cyber-attacks that would otherwise go by undetected for weeks or months. Several years ago, I met with a large governmental institution using a packet capture technology for network forensics. Based on calls they received from law enforcement, the organization was certain foreign governments had ensconced themselves within the infrastructure and were syphoning sensitive information. They had a great visibility program in place, but were unable to effectively turn all of their data collection rapidly into insights. As many organizations already collect logs, packets, and endpoint data, applying a battery of analytics can enable them to quickly spot intruders in their environments. This would enable security teams to spot the signal in the noise, and find hackers and insider threats faster, before finding out from a third party that they've been compromised. If implemented well, this becomes a "resilient analytics model" where hackers have to sidestep a variety of cyber pressure plates, tripwires and cameras to avoid detection. While intruders may be able to sneak past some of the analytics methods, they can't avoid them all. Then, it's just a matter of helping security teams understand which are most impactful to the business - prioritizing more rapidly for remediation.
Business Context. Business context - such as which assets are tied to critical business processes - can help determine the risk associated with a cyber incident. As the number of stealthy attackers grow, effective security teams use analytics to spot some facet of a compromise. However, there can still be an overwhelming number of incidents security teams needs to prioritize. This is where business context comes in to improve analyst effectiveness. Whether it's through initial incident detection, or through the compromise scoping process, business context enables the analyst to determine the risk to the business - and thereby determine the urgency with which the incident needs to be acted upon. Business context not only makes security teams more effective, it also serves the needs of the risk and compliance teams. For example, if incidents are commonly occurring in the payment card environment, it not only points to a set of issues that need to be mitigated for compliance reasons, it also points to gaps in control effectiveness. In that way, business context becomes a bridge to cross the gap of grief, enabling the right actions to be driven by both the security and risk teams.
Orchestration and Response Automation. Without efficient workflow orchestration complemented by automated response, security teams will increasingly become unable to meet the risks the organization face in a cost-effective manner. Years ago, I remember meeting with a security startup in the days of the dot com boom that said they were building the silver bullet product that would automate controls to block security attacks. I thought to myself "good luck with that"! You see, back in the late 1990s cybersecurity wasn't perceived as large of a risk to business, and a security practitioner that inadvertently impacted business traffic soon found themselves on the unemployment line. How times have changed. At some point, the economics don't justify adding the next security analyst - automation to drive analyst efficiency and drive the right actions is inevitable. What does this look like? Workflow orchestration enables analysts to pull the right data from other systems to build context (asset attributes, identities, etc.), and streamline their workflow by providing pre-established playbooks to ensure remediation activities happen quickly. The next natural advance from orchestration is response automation, which enables the security team to drive remedial actions to the infrastructure components that can block attacks - with or without a human in the loop. One of the most intriguing ideas is to enable the SIEM to create a cyber "no fly list" of suspicious users based on detected activity. By providing this list of risky users to the IAM systems we drive a step-up authentication to prove that the user is who they claim to be - providing a higher degree of identity assurance.
At RSA, we believe that leveraging these four pillars will connect the disparate technologies and processes of various security teams. This not only increases effectiveness of the CISO's limited resources, it also makes the enterprise more secure based on better visibility and insight, and fewer gut calls. It improves conversations and better informs the board. You'll be hearing more from us on how implementing business-driven security in your enterprise reduces your risk and increases your security.
Author: Grant Geyer
Category: RSA Point of View
Keywords: Business Context, Business Driven Security, CISO, Cybersecurity, Insight, Response, Risk, Security, Security Operations, Visibility