Enterprise security leaders are faced with a dilemma. Missing just one attack can result in a catastrophic data breach. Forced to defend their enterprise with strained resources, limited intelligence and an excess of security threats, companies need a new approach to cybersecurity that focuses on getting the most out of their available resources.
Following our webinar with guest speaker Forrester Senior Analyst, Joseph Blankenship, we asked him to address some of the questions from the audience around the challenges organizations face as they look to enhance their cybersecurity programs. Below are his responses.
Q. Our security operations center (SOC) uses Excel as its primary collaboration tool. How do we get more efficient?
Blankenship: Too often, security teams turn to tools like spreadsheets and email to collaborate and communicate. The first step is to evaluate the processes in your SOC to find the inefficiencies. Next, assess the technologies you have employed to see what workflow tools exist or will integrate with them. Many security information and event management (SIEM) and security analytics technologies now either include workflow tools or have integrations with ticketing systems. Look for ways to marry process to technology to get the most value from your current investments, reduce redundancy, and automate processes.
Q. We’ve tried moving our monitoring to a managed security services provider (MSSP), but it didn’t work for us. Now that we’re back in-house, how can we get more from our security team?
Blankenship: One of the fallacies of an MSSP is that the services provider does all the work associated with monitoring the environment while the in-house team focuses on other challenges. It’s true that MSSPs will handle monitoring and alerting, but it’s up to the in-house team to investigate the alerts and remediate issues. Now that you’ve moved back in-house, you have to get the most out of your monitoring technology to ensure that you’re focusing on high-priority, high-confidence alerts.
- Start with tuning the technology so that your team isn’t being inundated with false-positive events.
- Make sure you know which assets are high-priority assets that house valuable data, and prioritize those assets over others, so that any alerts coming in are prioritized based on risk.
- Use threat intelligence to learn more about the attack and the probability of a successful exploit.
Examine your processes and look for opportunities to automate, using built-in workflow or playbooks in your monitoring tools. Check to see if your SIEM technology integrates with your ticketing systems, so you can track and report on progress. Over time, you can refine monitoring and alerting and find opportunities to reengineer your processes.
Q. Our security team spends the majority of its time investigating and closing alerts, but we still are not able to catch up. We’re concerned that we’re missing things. How can we get caught up?
Blankenship: Security teams are drowning in data and alerts. You have to spend time to tune your alerts, so that your team is focused on the ones that can actually have an impact on your business. Make sure you align your security strategy to protect the assets that are key to your business and house your toxic data (e.g., PII, PHI, cardholder data, and IP). Proactively focus on the things that really matter first, and once you have that protected you can move on to prioritize other assets.
Q. It’s difficult to find and retain security staff. How do we find and keep good people?
Blankenship: Talent shortage is one of the most reported and talked about issues in cybersecurity. Before you start looking outside for expensive security talent, look at your current IT staff for people who exhibit a high degree of investigative and analytical skills, as they may make excellent security professionals. Work with your team to design a career path that helps them to develop skills and do challenging work. Make sure they are engaged with the business and understand how security helps make the business successful. It may not seem like it, but it’s much easier to invest in and train internal resources than it is to bring in people from the outside.
Q. Even with all of the media coverage about security threats and breaches, the board still doesn’t take security seriously. How do we convey the importance of security and get budget?
Blankenship: Executives and board members have long considered security to be a technology problem. They don’t understand the nuances of security, and many may feel embarrassed or uncomfortable trying to understand something they can’t comprehend. When they’ve had the opportunity to present to the executive team, security leaders have used statistics like vulnerabilities patched, tickets closed, incidents investigated, etc. to show what their team has accomplished — metrics that mean nothing outside of the security team.
Instead of quoting metrics only security people will understand, utilize the language of other managers in your business:
- Talk to those people and learn what criteria they’re evaluated on.
- Find out about key projects and investments the company is making.
- Quantify and locate sensitive data that could cause the company harm if it was breached.
- Make an effort to attach a dollar value to security, and validate your findings with your finance leaders.
You're not alone.
Effectively scaling SOC operations is a universal challenge. Find out how 150 IT and security leaders involved with the planning, oversight, or day-to-day operations of their organizations’ SOCs responded to a recent Forrester survey. Download the Technology Adoption Profile to review the survey results.