Preventing every cyber attack today is nearly impossible. The threat landscape is too vast and fast-changing, and attack methods too complex, for all of them to be prevented. This isn’t a new revelation, but it does reflect a change in perspective, in the sense that organizations are taking a more risk-driven approach to cybersecurity.
The Gartner Top Security and Risk Management Trends[1] research note states that “Gartner has been documenting a clear shift in security investments, from threat prevention to threat detection and response.” At the same time, the industry is experiencing an immense shortfall in cybersecurity personnel to manage cyber threats. Gartner states specifically that “the number of unfilled cybersecurity roles is expected to grow from 1 million in 2018 to 1.5 million by the end of 2020.”
Given that organizations are moving toward a threat detection and response posture while they are understaffed, RSA believes it will become critical for SOC staff to take a risk-based approach in order to prioritize the threats that matter most.
There is a critical question informing our perspective: How quickly can you detect and respond to the threats that matter? Adding advanced capabilities inside the SOC, such as user and entity behavior analytics (UEBA) and security orchestration and automated response (SOAR), is one way to improve the organization’s ability to detect and respond effectively and efficiently to the growing cyber threats.
According to the same Gartner report[1], “by 2022, 50% of all SOCs will transform into modern SOCs with integrated incident response, threat intelligence and threat hunting capabilities, up from less than 10% in 2015.” From the RSA perspective, we believe this approach is greatly needed. We also believe that, in addition to advanced tools for detection and response operations, organizations must incorporate business risk and impact context within the SOC to help analysts understand and prioritize the impact of the myriad alerts coming in. Without this context, an overtaxed analyst has no way to ensure they are working on the threats that pose the most risk. And we believe that once an incident is declared, response capabilities must be linked with integrated risk management and business teams to ensure that the response is coordinated inside and outside the SOC to mitigate the business impact.
So what does this look like in practice?
Consider a security analyst we’ll call “Sam,” who works at a global financial-services enterprise. Sam is relatively new to his position and is charged with investigating security alerts across a global infrastructure for consumer banking. Sam can see and triage nearly 10,000 alerts per day. Roughly half of these alerts are false positives or of low importance, meaning he spends half of each day on alerts that aren’t impactful. Prioritization is a challenge. If Sam had additional context—user privilege, entitlement and role, as well as asset criticality and business impact (e.g., this system stores all account numbers, personal data and passwords)—he could prioritize items on the laundry list of alerts to focus on those with the biggest potential business impact.
To provide the context that Sam needs, his SOC deploys a security platform with an evolved SIEM that provides wide visibility across the entire environment and that is also connected to UEBA and SOAR capabilities, along with integrated AI and machine learning to identify threats. This security platform is connected to the organization’s integrated risk management (IRM) solution to exchange data bilaterally, putting business context on asset criticality at Sam’s fingertips and allowing him at the push of a button to alert the IRM team once an incident is declared. This then allows for SOAR playbooks to be invoked to implement the technical response to the incident, and also allows the business teams to coordinate their actions to manage the business concerns related to the incident—such as legal and regulatory concerns, customer communication, and possible business outage and downtime.
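The enrichment described above can be made concrete with a small scoring routine. The following Python is an added illustration, not RSA code and not any product’s API: it takes a constructed set of SIEM alerts, joins each one to a constructed asset register (the kind of data an IRM platform would supply: criticality, data classification, business owner) and to identity context (the account’s privilege level), and ranks the queue by a combined risk score instead of by raw detection severity. All field names, weights and sample values are assumptions chosen for the example.

```python
"""Risk-based alert prioritisation for an overloaded SOC analyst.

Added illustration; not RSA code and not any vendor's API. The asset
register, identity context and alerts are all constructed inline, and the
field names and weights are assumptions chosen for the example.
"""
from dataclasses import dataclass

# Business context an integrated risk management (IRM) platform would feed the
# SIEM (constructed sample). criticality: 1 = lab/dev ... 5 = mission critical.
ASSET_REGISTER = {
    "core-banking-db01": {"criticality": 5, "data": "pii+credentials", "owner": "Retail Banking"},
    "web-portal-02":     {"criticality": 4, "data": "pii",             "owner": "Digital Channels"},
    "hr-fileshare":      {"criticality": 3, "data": "pii",             "owner": "HR"},
    "build-agent-17":    {"criticality": 1, "data": "none",            "owner": "Engineering"},
}

# Identity context (constructed): 1 = standard user, 2 = elevated, 3 = infra/DB admin.
PRIVILEGE = {"alice": 1, "bob": 2, "svc_dbbackup": 3, "contractor01": 1}

# Multiplier for the most sensitive data class held on the asset (assumed weights).
DATA_WEIGHT = {"none": 1.0, "internal": 1.2, "pii": 1.5, "pii+credentials": 2.0}

# Conservative defaults: an asset or account missing from the register must not
# silently push an alert to the bottom of the queue.
UNKNOWN_ASSET = {"criticality": 3, "data": "internal", "owner": "unassigned"}
UNKNOWN_PRIVILEGE = 2


@dataclass
class Alert:
    alert_id: str
    rule: str
    severity: int      # 1-10 as emitted by the detection rule or UEBA model
    asset: str
    user: str
    confidence: float  # 0-1, the detection engine's own confidence


def risk_score(alert, assets=ASSET_REGISTER, privilege=PRIVILEGE):
    """Fold business context into the raw detection severity.

    score = severity x confidence x asset criticality x data weight x (1 + 0.25 x privilege)
    The privilege term makes the same rule score higher when it fires for a DB
    admin than for a standard user; the asset terms do the same for where it fired.
    """
    ctx = assets.get(alert.asset, UNKNOWN_ASSET)
    priv = privilege.get(alert.user, UNKNOWN_PRIVILEGE)
    score = (alert.severity * alert.confidence * ctx["criticality"]
             * DATA_WEIGHT[ctx["data"]] * (1 + 0.25 * priv))
    return round(score, 2)


def prioritize(alerts, assets=ASSET_REGISTER, privilege=PRIVILEGE):
    """Return alerts as dicts annotated with score and business owner, highest risk first."""
    rows = []
    for a in alerts:
        ctx = assets.get(a.asset, UNKNOWN_ASSET)
        rows.append({
            "alert_id": a.alert_id, "rule": a.rule, "severity": a.severity,
            "asset": a.asset, "owner": ctx["owner"],
            "score": risk_score(a, assets, privilege),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed alerts: a slice of what Sam's queue might contain.
SAMPLE_ALERTS = [
    Alert("A1", "Brute-force SSH logins",           8, "build-agent-17",    "contractor01", 0.90),
    Alert("A2", "UEBA: anomalous DB export volume", 5, "core-banking-db01", "svc_dbbackup", 0.70),
    Alert("A3", "Malware signature match",          9, "hr-fileshare",      "alice",        0.95),
    Alert("A4", "Encoded PowerShell command line",  6, "web-portal-02",     "bob",          0.60),
    Alert("A5", "Port scan from workstation",       3, "kiosk-09",          "guest",        0.80),
]

if __name__ == "__main__":
    print(f"{'id':<4}{'sev':>4}{'score':>8}  {'owner':<18}{'rule'}")
    for r in prioritize(SAMPLE_ALERTS):
        print(f"{r['alert_id']:<4}{r['severity']:>4}{r['score']:>8}  {r['owner']:<18}{r['rule']}")
```

Sorted by raw severity, Sam would work A3, A1, A4, A2, A5. With business context the medium-severity UEBA alert on the core banking database (A2, privileged service account, PII and credentials) moves to the top and the high-severity brute-force alert on a disposable build agent (A1) drops to the bottom. The `owner` field is the hook for the IRM hand-off once an incident is declared; the conservative defaults for `kiosk-09` and `guest` show why gaps in the asset register should degrade to “investigate” rather than “ignore”.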
[1] Gartner Top Security and Risk Management Trends, Peter Firstbrook, Brian Reed, Sam Olyaei, Gorka Sadowski, David Mahdi, Prateek Bhajanka, Earl Perkins, published 21 January 2019
# # #
For more RSA perspectives on top trends in security and risk management, register for a webinar on June 13, when Ben Desjardins, vice president of product marketing for RSA, and a panel of expert guests will present their perspectives on the Gartner Top Security and Risk Management Trends research note.
Join the #TalkingDigitalRisk conversation on Twitter and social media by following @RSAsecurity
Author: Tim Norris
Category: RSA Fundamentals, Blog Post
Keywords: Digital Risk, Digital Risk Management, Gartner, Trends, Coordinated Incident Response, Cybersecurity, SOC, Detection and Response, Threat Detection