We’ve previously explored why a broken security industry is pushing businesses to spend more on technology and people while still allowing the number of breaches to go on rising. We clearly need to move from doing “more” to doing “better”.
As a CISO working in a single organisation, you can’t fix the whole industry on your own. But there are some steps you can take to help your own organisation operate more securely without driving up your security budget.
1. Fix the (real) root causes of incidents
If an attacker takes advantage of an unpatched security loophole in the OS on one of your servers, it’s all too easy to think that the cause is the unpatched OS — and that the fix is an easy one: apply the patch to the server. But if you’re seeing multiple incidents every week caused by unpatched servers, then it’s not really a single missing patch that’s the source of the problem. The real root cause is that your process for applying patches is failing.
The security industry’s response to this situation is to push you towards implementing solutions that let you handle more incidents more quickly or that see you employing more analysts so they can sell more licences or contractor hours. Instead, you need to take a step back and create a process to spot common patterns in incidents and identify and fix the real root causes. For example, fix the patching process, so that patches are applied within hours of being released, and you’ll both cut down on the number of incidents you have to handle and make your systems inherently more secure.
Carving out time to address root causes will pay dividends over the long term as you experience fewer incidents and cut down on what you spend on incident response, while your analysts will appreciate being freed from repetitive and demoralising busy work.
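One concrete way to run the “spot common patterns” process described above is to aggregate closed incidents by their proximate cause and flag any cause that recurs within a short window, then pull the process-level metric behind it (here, how long patches had been outstanding). The script below is an added example, not code from the original post; the incident records, cause labels, field names and the one-day patching SLA are all constructed assumptions for illustration.

```python
"""Spot recurring incident causes that point to a broken process.

Added example (not from the original post). All incident records below are
constructed sample data; the cause labels, SLA value and field names are
assumptions for illustration.
"""
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample incident log: one entry per closed incident.
INCIDENTS = [
    {"id": "INC-1001", "closed": date(2024, 3, 4),  "asset": "web-01",   "cause": "unpatched_os",   "patch_age_days": 41},
    {"id": "INC-1002", "closed": date(2024, 3, 5),  "asset": "app-07",   "cause": "unpatched_os",   "patch_age_days": 37},
    {"id": "INC-1003", "closed": date(2024, 3, 6),  "asset": "hr-lap-3", "cause": "phishing_click", "patch_age_days": None},
    {"id": "INC-1004", "closed": date(2024, 3, 7),  "asset": "db-02",    "cause": "unpatched_os",   "patch_age_days": 29},
    {"id": "INC-1005", "closed": date(2024, 3, 12), "asset": "web-03",   "cause": "unpatched_os",   "patch_age_days": 45},
    {"id": "INC-1006", "closed": date(2024, 3, 13), "asset": "fin-pc-9", "cause": "phishing_click", "patch_age_days": None},
    {"id": "INC-1007", "closed": date(2024, 3, 14), "asset": "app-02",   "cause": "unpatched_os",   "patch_age_days": 33},
    {"id": "INC-1008", "closed": date(2024, 3, 15), "asset": "web-04",   "cause": "unpatched_os",   "patch_age_days": 52},
    {"id": "INC-1009", "closed": date(2024, 3, 20), "asset": "vpn-01",   "cause": "weak_password",  "patch_age_days": None},
]

PATCH_SLA_DAYS = 1  # assumed target: patches applied within a day of release


def incidents_per_week(incidents):
    """Count incidents keyed by (ISO year, ISO week, cause)."""
    counts = defaultdict(int)
    for inc in incidents:
        year, week, _ = inc["closed"].isocalendar()
        counts[(year, week, inc["cause"])] += 1
    return dict(counts)


def recurring_causes(incidents, threshold=3):
    """Return causes that reach `threshold` incidents in at least one ISO week.

    A cause that recurs this often is a process failure to fix once, not a
    series of unrelated one-off tickets. Result: {cause: [(year, week, count), ...]}.
    """
    flagged = defaultdict(list)
    for (year, week, cause), n in incidents_per_week(incidents).items():
        if n >= threshold:
            flagged[cause].append((year, week, n))
    return {cause: sorted(weeks) for cause, weeks in flagged.items()}


def patch_process_summary(incidents, sla_days=PATCH_SLA_DAYS):
    """Summarise how far the patching process is from its SLA, using the
    patch age recorded on unpatched-OS incidents. Returns None if there are none."""
    ages = [inc["patch_age_days"] for inc in incidents
            if inc["cause"] == "unpatched_os" and inc["patch_age_days"] is not None]
    if not ages:
        return None
    return {
        "incidents": len(ages),
        "median_patch_age_days": median(ages),
        "worst_patch_age_days": max(ages),
        "sla_days": sla_days,
        "breaching_sla": sum(1 for a in ages if a > sla_days),
    }


if __name__ == "__main__":
    for cause, weeks in recurring_causes(INCIDENTS).items():
        print(f"candidate root cause: {cause}")
        for year, week, n in weeks:
            print(f"  {year}-W{week:02d}: {n} incidents")
    summary = patch_process_summary(INCIDENTS)
    if summary:
        print("patching process:", summary)
```

On the sample data the only cause that clears the threshold is `unpatched_os`, in two consecutive weeks, with a median patch age of 39 days against a one-day target: the fix belongs in the patching process, not in any single ticket. Feeding real ticket exports into `recurring_causes` with a threshold tuned to your incident volume is the whole of the mechanism.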
2. Develop stronger relationships with other areas of the business
It should be obvious from the previous point that not all root causes lie within the security team’s sphere of influence. By developing stronger relationships across the business, you’ll be better placed to have those difficult conversations about why things need to change and you’ll have developed the mutual goodwill and understanding needed to find a fix that works for everyone.
Every interaction will also be an opportunity to help everyone to become more cyber-savvy, so they’re less likely to behave in risky ways and more likely to think about security from the start when considering digital transformation projects or other changes to how the business.
Finally, developing closer relationships with the business will help you to uncover the shadow IT that the business is depending on, but which hasn’t made it on to your organisation’s formal asset register and into your cybersecurity plans. A global survey by Forbes Insights in 2018 found that 60% of organisations weren’t including this shadow IT in their threat assessment and 20% of them had experienced cyber events due to shadow IT.
Simply talking to the rest of the business to figure out what their pain points are and why working in secure ways is a challenge for them — and what changes you can make in the security team to help — will almost certainly take you far further than splashing out on the security industry’s current flavour of the month in breach prevention tools.
3. Adopt a threat-informed approach
The security industry can often give the impression that every organisation needs every available security tool and is at risk from whatever hack is currently making the news headlines, but that simply isn’t true. Each organisation faces its own specific set of risks, based on factors such as its vertical sector, technical infrastructure and business practices.
Adopting a threat-informed approach will help you to understand how your own organisation is most likely to be attacked, which of your systems, data and activities are the most critical and sensitive, and how current processes and practices in every area of your organisation affect your exposure. It will also help you evaluate how effectively your current mix of people, process and technology is addressing those threats and risks — and where there’s duplication as well as gaps. You can then prioritise your security resources where they’ll have the greatest impact.
Frameworks such as MITRE ATT&CK give you a structured way to understand malicious actors’ tactics, techniques and procedures as you work through the steps needed to implement and use a threat-informed approach. MITRE ATT&CK provides a model for hacker behaviour that reflects the phases of a hacker’s general attack lifecycle and the areas they’re specifically known to target. You can use it to determine what defensive measures you should have in place and create scenarios to test how well those defensive measures are performing.
4. Shift to “purple teaming”
A “purple team” brings together the attackers of a traditional red team, who try to break your defences using real-world techniques, with the defenders of a traditional blue team, who spend their time looking for vulnerabilities and fixing them, and evaluating the effectiveness of current security tools and policies. While both red and blue teams aim to improve the security of the organisation, the relationship between them is often adversarial, with neither side willing to share their secrets of how attacks were mounted or detected and stopped. It can also be pretty demoralising if the members of the in-house blue team feel like every testing exercise simply highlights how they “failed” rather than what they’re getting right.
In a purple team, everyone shares their knowledge and works together to improve the effectiveness of the organisation’s security measures. This allows the attackers in the team to concentrate their efforts on testing the most important systems and data, while the defenders can use insights about how attacks are mounted to develop new and better security strategies. All this helps you to improve your security posture more quickly, while providing a more enjoyable and rewarding experience for your security team.
5. Close the feedback loop on performance
Even with its effectiveness boosted by purple teaming, scenario-based penetration testing only provides you with snapshots of how your security programme is performing. You should also be continuously validating that each of your individual controls is working as intended. Continuous automated security validation (CASV) not only takes the drudgery out of validating controls but also mimics the behaviour of persistent hackers who will probe your systems again and again until they find an opening.
CASV tools help your security team to:
• identify failing controls sooner
• prioritise, schedule and track the work needed to remediate any specific defects in your controls
• identify broken processes that are generating multiple incidents of the same kind, such as failure to apply patches quickly enough (or at all), supporting your efforts to identify and fix root causes
• operationalise frameworks such as MITRE ATT&CK, by allowing them to set up and run tests based around the attack scenarios identified through your framework and aligning all results with the framework
• develop their understanding and skills in both attack and defence
• run penetration testing in house, as part of a move to purple teaming, reducing the need for expensive external testing services
• provide role-based views into your security operations for IT auditors or business leaders as well as security analysts, supporting your efforts to strengthen your relationship with others in the organisation.
You can also use the data provided by CASV tools to inform future investment decisions, targeting your resources and people where they’ll have the greatest impact, rather than where industry hype and vendor marketing are urging you to invest. The result will be better security and a better ROI for your security spend.
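The two CASV outcomes the list above leans on most, catching a control that has just started failing and tying every result back to MITRE ATT&CK (also the point of section 3), can be shown with a very small validation loop. The code below is an added example, written for this page rather than taken from the original post or from any CASV product; the control definitions, the observed-state snapshot, the previous run’s results and the check thresholds are all constructed assumptions, and the ATT&CK technique IDs are real identifiers used here only as labels.

```python
"""Minimal continuous control-validation loop with ATT&CK mapping.

Added example (not from the original post, nor any vendor's code). The
controls, the state they run against and the stored previous results are
constructed for illustration; T1190, T1078, T1566 and T1110 are real ATT&CK
technique IDs used purely as labels.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed snapshot of what one validation run observed about the estate.
STATE = {
    "max_patch_age_days_external": 9,     # oldest missing patch on internet-facing hosts
    "vpn_mfa_enforced": True,
    "attachment_sandbox_enabled": False,
    "failed_logon_lockout_threshold": 0,  # 0 means no lockout configured
}

# Pass/fail per control as stored by the previous cycle (constructed).
PREVIOUS_RESULTS = {
    "external-patch-sla": True,
    "vpn-mfa": True,
    "mail-sandbox": False,
    "logon-lockout": True,
}


@dataclass(frozen=True)
class Control:
    control_id: str
    technique: str            # ATT&CK technique the control is meant to counter
    description: str
    check: Callable[[dict], bool]


CONTROLS: List[Control] = [
    Control("external-patch-sla", "T1190", "internet-facing hosts patched within 2 days",
            lambda s: s["max_patch_age_days_external"] <= 2),
    Control("vpn-mfa", "T1078", "MFA enforced on remote access",
            lambda s: s["vpn_mfa_enforced"]),
    Control("mail-sandbox", "T1566", "attachments detonated before delivery",
            lambda s: s["attachment_sandbox_enabled"]),
    Control("logon-lockout", "T1110", "account lockout after repeated failures",
            lambda s: s["failed_logon_lockout_threshold"] > 0),
]


def run_validation(controls: List[Control], state: dict) -> Dict[str, bool]:
    """Execute every control check against the observed state."""
    return {c.control_id: bool(c.check(state)) for c in controls}


def regressions(current: Dict[str, bool], previous: Dict[str, bool]) -> List[str]:
    """Controls that passed last run and fail now: the ones to act on first."""
    return sorted(cid for cid, ok in current.items() if not ok and previous.get(cid, False))


def gaps_by_technique(controls: List[Control], results: Dict[str, bool]) -> Dict[str, List[str]]:
    """Map failing controls onto the ATT&CK technique they were meant to cover."""
    gaps: Dict[str, List[str]] = {}
    for c in controls:
        if not results[c.control_id]:
            gaps.setdefault(c.technique, []).append(c.control_id)
    return gaps


if __name__ == "__main__":
    results = run_validation(CONTROLS, STATE)
    for cid, ok in results.items():
        print(f"{'PASS' if ok else 'FAIL'}  {cid}")
    print("regressed since last run:", regressions(results, PREVIOUS_RESULTS))
    print("uncovered techniques:", gaps_by_technique(CONTROLS, results))
```

Run on the sample snapshot, `mail-sandbox` was already failing and is already tracked, while `external-patch-sla` and `logon-lockout` have regressed since the last cycle and surface immediately; grouping by technique then shows which ATT&CK techniques currently have no working control behind them. In practice the checks would query real systems and the results would be written to the same store each cycle, so the comparison is always against the previous run.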
6. Work with a security partner that’s focused on optimisation
To optimise your security operations, you need to align your security spend with your business outcomes. You should look for a security partner that takes the time to understand the specific threats and risks to your business and then helps you create and execute a plan that will maximise your cyber resilience for the budget you have available.
A partner who truly has your interests at heart will consider an engagement where they’re only suggesting relatively simple changes to your existing technology and processes — or how people in your organisation think about cyber security — to be just as much of a success, if not more, as one where they advise you to add more technology or services.
Taking any of these 6 steps on its own can help you shift the effectiveness and cost base of your security operations in the right direction. However, true security optimisation comes from using all of them together, so that the effects of each approach amplify the benefits generated by all the others.
Here at Bright Cyber, our focus is on this kind of optimisation. We specialise in helping organisations like yours to optimise their security operations by bringing your people, process and technology together in a sustainable and scalable cybersecurity program that protects your organization in the ways that matter. In our next blog post, we’ll talk about how we work with you to make that happen. But if you’d like to find out more right now about how we do it and what we could do for your cyber security team, download our Security Optimisation Overview or get in touch with us for an initial consultation.