“The reality of today is that some of the top people predict that the next big war will be fought on cyber security.” Tim Cook, CEO – Apple
John, the CISO of a mid-sized enterprise, is a troubled man these days. With data breaches making big headlines everywhere, he is repeatedly asked by his CEO about the security of the enterprise’s data. While researching online, he came across the Forrester survey, which reports that 51% of firms surveyed were breached in the past 12 months. An alarming 48% of these firms were breached more than once during that period, and this is adding to John’s restlessness. There are some important reasons for John’s increasing anxiety, as he is not sure whether he has adequately secured his enterprise in this fast-changing technology landscape. Some of these reasons are listed below:
IoT, digitization, mobile computing and cloud: The convergence of all these has increased the interdependencies of distributed IT business processes in the enterprise. It has greatly increased the need to constantly monitor, manage and mitigate security threats and vulnerabilities across the IT surface area (more connected devices, more networks and more data).
Complexity of security operations: The enterprise is dealing with the complexity of security operations brought about by running a data center and networks, using a third-party cloud and adhering to privacy laws (such as GDPR in Europe). The many tools in place generate data that is incompatible with data from other streams, making it difficult to define the security posture of the enterprise. The use of multiple tools has been counter-productive, resulting in more alerts to manage and less control.
Traditional security monitoring methods: They do not guarantee detection of every fraud that may lead to a subsequent cyber-attack. This has made the Security Operations Center (SOC) invest more time in responding to alerts, leaving it short on time and resources to identify vulnerabilities and follow remediation guidelines to secure the enterprise IT landscape. As IT security is business security, a SOC is only as good as its ability to match the pace of change in the IT landscape of the enterprise.
Cybersecurity talent shortage: Many IT security leaders are in a difficult spot when it comes to finding and hiring cybersecurity professionals. Very few professionals possess the skills needed to successfully implement effective security programs, and those who do are expensive to hire. Cross-training existing IT employees may be a workaround, but it comes with a steep learning curve and delayed outcomes.
The solution to these new-age problems (more like necessities) is to transform security operations. The buzzwords doing the rounds in the security landscape are ‘Transformation’ and ‘Intelligence’.
What is fueling the SOC transformation?
Just as business intelligence has changed the game in predicting trends and preferences, it is poised to transform the functioning of a SOC.
The need for a SOC transformation or a move to a Security Intelligence Center is fueled by:
- The emergence of Security Operations Analytics and Reporting (SOAR) applications for security operations
- The aggregation of security technology capabilities such as next-generation firewalls
- Mergers & Acquisitions in the cyber security space, creating virtual platforms
A transformed SOC with its intelligent monitoring and analysis capabilities is a business enabler that helps enterprises confidently embark on a secure journey.
What is a transformed SOC or Security Intelligence Center?
John is seriously looking at alternatives, and a transformed SOC or Security Intelligence Center (SIC) comes out on top as the alternative of choice. A SIC is proactive and views an incident as an opportunity to learn from the attributes of the attack in order to build a more defensive and resilient system. The focus is on knowledge management and the ability to distill the key metadata of each stage of the attack into a rapidly searchable, meaningful database of information. It is complemented by an automated system of defenses and the knowledge of where to plug that information back in. It is security intelligence in action! The move from operations to intelligence is the primary focus. The analyst in a SIC is inquisitive, likes to solve problems, thinks through what is happening and helps develop a defensive architecture.
Security teams in a SIC proactively hunt for threats in the IT environment by applying threat intelligence to what they see, monitor and analyze. Security teams can make better sense of what they see when they have better context on the alerts they monitor. Security analytics tools assign an ‘attack confidence score’ based on the probability of the threat, after analyzing all incoming IT data. Based on the score, and with the help of automation, only high-score alerts are assigned to analysts for intervention and remediation. Increased visibility, deeper security context, improved workflows and automation, coupled with security analytics, help make meaningful and quick decisions. We will take a look at each of the important aspects of an evolving SOC to understand why this transformation to a SIC is imperative for John.
Cornerstones of a Security Intelligence Center (SIC)
Automation: Automation and orchestration tools speed up alert triggers, context gathering, containment and remediation. To enable automation, security teams need to understand how and when to protect sensitive data and build policies based on data risk. Security automation allows visibility across networks and endpoints, making it easy to decide which alerts can be solved by a security tool, understand the time taken to detect and respond to an attack and decide when a manual approach is needed, thereby sparing the analyst’s time for issues up the value chain.
Threat Intelligence: A SANS Institute survey of 326 qualified respondents reports that 69% of them implemented cyber threat intelligence to some extent and 64% have a dedicated team, person or services organization assigned to implement and monitor intelligence. Intelligent SOCs combine threat intelligence, big data analytics and machine learning to study previous threats and orchestrate automated responses in real time. They reduce detection and response times drastically and eliminate fragmented, time-consuming manual responses. Enriching internal data analysis with external threat intelligence enables the rapid detection of advanced malware and breaches, and drastically improves incident response time.
Analytics: Big data analytics, where business intelligence algorithms are used for large-scale data processing, have become commoditized. Prescriptive security analytics transforms data (structured and unstructured data from IT, OT and IoT) into intelligence with deep packet analysis, pattern recognition and weak signal detection. Apache Hadoop frameworks, various correlation algorithms and inexpensive hardware are used to collect, store and analyze large amounts of real-time contextual data and external threat intelligence to detect anomalies and identify possible malicious activities. Big data analytics helps predict attacks and identify prospective attackers before they strike by analyzing the digital trail left by all digital activity.
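The ‘attack confidence score’ and automated routing described above, with threat-intelligence enrichment, as an added illustration that is not code from the original post or any vendor product. The indicator values, asset criticality weights, score weights and thresholds are all constructed assumptions for the example.

```python
from dataclasses import dataclass

# Constructed threat-intelligence feed (documentation-range addresses, not real indicators):
# indicator -> confidence that it is malicious (0..1).
THREAT_INTEL = {
    "198.51.100.23": 0.9,
    "203.0.113.77": 0.6,
}
# Constructed asset inventory: host -> business criticality (0..1).
ASSET_CRITICALITY = {"db-01": 1.0, "web-02": 0.6, "kiosk-09": 0.2}

@dataclass
class Alert:
    alert_id: str
    host: str
    remote_ip: str
    base_severity: float  # the detector's own severity, 0..1
    times_seen: int = 1   # repeat hits on the same host

def attack_confidence(alert: Alert) -> float:
    """Blend detector severity, external intel and asset context into one score (0..1)."""
    intel = THREAT_INTEL.get(alert.remote_ip, 0.0)
    crit = ASSET_CRITICALITY.get(alert.host, 0.5)  # unknown hosts get a neutral weight
    # Weights are an assumption chosen for the example; repeats add up to a 0.10 bonus.
    score = 0.4 * alert.base_severity + 0.4 * intel + 0.2 * crit
    score += min(alert.times_seen - 1, 5) * 0.02
    return round(min(score, 1.0), 2)

def triage(alerts, analyst_threshold=0.7, auto_threshold=0.4):
    """Route each alert: analyst queue, automated containment, or closed with context logged."""
    routed = {"analyst": [], "automated": [], "closed": []}
    for a in alerts:
        s = attack_confidence(a)
        if s >= analyst_threshold:
            routed["analyst"].append((a.alert_id, s))
        elif s >= auto_threshold:
            routed["automated"].append((a.alert_id, s))
        else:
            routed["closed"].append((a.alert_id, s))
    return routed

# Constructed sample alerts.
SAMPLE_ALERTS = [
    Alert("A-1", "db-01", "198.51.100.23", 0.8, times_seen=3),
    Alert("A-2", "web-02", "203.0.113.77", 0.5),
    Alert("A-3", "kiosk-09", "192.0.2.10", 0.3),
]

if __name__ == "__main__":
    for queue, items in triage(SAMPLE_ALERTS).items():
        print(queue, items)
```

Only A-1 reaches the analyst queue; A-2 is handled by automation and A-3 is closed, which is the filtering effect the post attributes to scoring plus automation.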
Benefits of a Managed Security Intelligence Center
John is trying to convince his CEO and top management of the benefits of a transformed SOC, or, more aptly referred to now, a Security Intelligence Center (SIC). With the scarcity of security professionals with deep expertise, recruiting them onto the payroll and setting up a SIC in-house is a very expensive proposition. In this scenario, John sees a Managed Security Intelligence Center as the answer to many of his enterprise’s security challenges. He wants his enterprise to reap the following benefits from a Managed Security Intelligence Center.
Cyber Security top mindshare: Effective threat intelligence delivers timely protection. Threat intelligence accelerates investigation time by 42 percent and halves the time to discover threats. Managed SIC teams alert you to cyber threats early on, helping you steer clear of possible intrusions.
Compliance: Managed SICs allow enterprises to remain up to date with the latest security and compliance guidelines. They ensure full compliance with corporate policies and regulatory standards. An additional benefit is the provision of audit-ready reports.
Customer trust and edge over competition: Customers and investors will appreciate your attention to security, especially in this digital age when they invariably need to share their information during their interactions with you. High-performance, scalable data center protection with intelligent service chaining helps build trust, which leads to more business.
Peace of mind 24x7x365: Managed SICs provide real-time visibility into all networks, security devices, endpoints, clouds, servers, databases and high-value assets, with continuous 24x7x365 monitoring and analysis of data activity that improves security incident detection.
Reduced Costs: Managed SICs eliminate the need for hiring expensive resources through the use of their skilled staff. They eliminate unpredictable costs stemming from the loss of critical data and infrastructure through round-the-clock monitoring support. By providing services at fixed and pocket-friendly budgets they save your time and money.
Security expertise: A Managed SIC has security professionals with diverse skill sets to deliver personalized services that are rapid and timely. Centralized management of firewall policies coupled with easy application of threat intelligence feeds results in flexible, highly customized firewall policies, reducing operational burden and reporting.
How does a Managed Security Intelligence Center meet John’s requirements?
A Managed SIC has the right blend of people, processes, tools and technologies to prevent, detect, analyze and respond to cyber incidents. Sandboxing, threat intelligence and analytics technologies considerably reduce response time to mere seconds and recovery time to a matter of minutes. They take a flexible and tiered approach to meet specific security needs of your enterprise and are highly effective at low TCO.
It will not be very difficult for John’s CEO and top management to see the merit in moving to a Managed Security Intelligence Center. Let’s wish John the very best in his move towards better security.