Three signs you need to rethink security operations

Protect. Detect. Respond?

The classic cybersecurity framework was designed to help organizations improve their cyber resilience. From next generation firewalls to data lakes full of events, we have seen a tidal wave of innovation and investment around the Protect and Detect functions. On average, a company has dozens and dozens of security products that funnel more signal than ever before on to the desk of the security professional. So, we’re doing better, right?

Clearly, we’re not. As an industry, we struggle to quickly identify malicious behavior and validate alerts and threats. Most organizations have been using spreadsheets and email to manage their reaction to the signal created by the Protect and Detect functions. The sheer volume of alerts results in security teams spending too much time researching incidents to determine whether they are worth a response. Our ability to respond is not keeping pace because we have not witnessed the same level of investment and innovation around security response. As one of my colleagues likes to say, “For Response, we need a new vision, not a new version.”

I recently had the good fortune to sit down with Jon Oltsik, principal analyst with the Enterprise Strategy Group to discuss where security teams are running into challenges and how security orchestration and automation can help. Our conversation was recorded and you can view it in two parts here and here.

There are three signs your organization would benefit from taking a closer look at your Respond function.

If you can’t measure progress

The most surprising thing I hear when I talk to security teams is that their state of the art is still based in Excel. The first step to improving an organization’s response efforts is to gain a holistic understanding of how a team is performing and if things are getting better or worse. The potential impact of this step alone is transformational because visibility – including applying risk factors and SLAs and thinking about security in business terms – is essential in order to determine gaps.

If you have a process problem

In the aftermath of a recent breach, one CEO blamed the entire incident on a single individual not patching an asset. If your process is so fragile that somebody can forget to apply a patch and ruin the effectiveness of your entire security program, you have a process problem. An Enterprise Strategy Group study found that an astounding 93% of cybersecurity professionals agreed that their efficiency is limited by manual processes. Fundamentally, we need a better way to keep up with the volume of security alerts because process bottlenecks are preventing large organizations from scaling security incident and vulnerability response.

If you need a common language with IT

Security response depends upon strong collaboration between cybersecurity and IT operations teams. If a CISO approaches a CIO with a Sev 1 vulnerability on a business-critical service, what is the standard agreement for how fast that patch will be applied? Is it a matter of hours? Days? Weeks? Do you even know if the patch was applied and the vulnerability fixed? You need an agreed-upon SLA. All parties should be able to measure and trend performance over time. You then have a frame of reference to make decisions about additional investments and areas to improve.
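As an added illustration (not code from this post or from Enterprise Strategy Group) of the measurement the passage calls for: given a constructed list of vulnerability tickets and hypothetical per-severity SLA targets, the script reports per-severity SLA compliance, flags tickets whose patch was never confirmed, and trends mean time to remediate month by month.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical agreed remediation SLA per severity (not values from the post).
SLA_BY_SEVERITY = {1: timedelta(hours=24), 2: timedelta(days=7), 3: timedelta(days=30)}

@dataclass
class Ticket:
    ticket_id: str
    severity: int
    opened: datetime
    patched: Optional[datetime]  # None: patch never confirmed as applied

def evaluate(ticket: Ticket, now: datetime) -> str:
    """Classify one ticket as met / breached (closed) or open / overdue (unconfirmed)."""
    deadline = ticket.opened + SLA_BY_SEVERITY[ticket.severity]
    if ticket.patched is None:
        # An unconfirmed patch counts against the team once the deadline passes.
        return "open" if now <= deadline else "overdue"
    return "met" if ticket.patched <= deadline else "breached"

def compliance_by_severity(tickets, now: datetime) -> dict:
    """Share of closed tickets that met SLA, plus count of overdue unconfirmed ones."""
    totals = defaultdict(lambda: {"closed": 0, "met": 0, "overdue": 0})
    for t in tickets:
        status, bucket = evaluate(t, now), totals[t.severity]
        if status in ("met", "breached"):
            bucket["closed"] += 1
            if status == "met":
                bucket["met"] += 1
        elif status == "overdue":
            bucket["overdue"] += 1
    return {sev: {"rate": b["met"] / b["closed"] if b["closed"] else None,
                  "overdue": b["overdue"]} for sev, b in totals.items()}

def monthly_trend(tickets) -> dict:
    """Mean hours to remediate, keyed by the month the ticket was opened (closed tickets only)."""
    per_month = defaultdict(list)
    for t in tickets:
        if t.patched is not None:
            per_month[t.opened.strftime("%Y-%m")].append((t.patched - t.opened).total_seconds() / 3600)
    return {m: round(sum(v) / len(v), 1) for m, v in sorted(per_month.items())}

# Constructed sample tickets for a quarter; statuses are evaluated as of NOW.
NOW = datetime(2018, 3, 15)
TICKETS = [
    Ticket("VUL-1", 1, datetime(2018, 1, 3), datetime(2018, 1, 3, 20)),  # met (20h)
    Ticket("VUL-2", 1, datetime(2018, 1, 10), datetime(2018, 1, 13)),    # breached (72h)
    Ticket("VUL-3", 2, datetime(2018, 1, 20), datetime(2018, 1, 25)),    # met (5d)
    Ticket("VUL-4", 1, datetime(2018, 2, 2), datetime(2018, 2, 2, 12)),  # met (12h)
    Ticket("VUL-5", 2, datetime(2018, 2, 14), datetime(2018, 2, 26)),    # breached (12d)
    Ticket("VUL-6", 1, datetime(2018, 3, 1), None),                      # overdue, unconfirmed
    Ticket("VUL-7", 3, datetime(2018, 3, 10), None),                     # still open
]

if __name__ == "__main__":
    print(compliance_by_severity(TICKETS, NOW))
    print(monthly_trend(TICKETS))
```

The per-severity rate answers the CIO/CISO question directly, while the overdue count surfaces the "was the patch actually applied?" gap the passage describes.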

Whenever I hear about a new breach, I feel sympathy for the responsible security team as they face scrutiny in the public’s eye. Almost every organization faces internal challenges to progressing their security programs. As an industry, we need to acknowledge that the way forward isn’t a better version of what we do today. We need a better approach.