Is Traditional Detection and Response Reliable?

Author: Farhan Imitaz, CISM, CISA, CISSP
Date Published: 25 June 2021
Related: Benefits of Using a SOAR Solution

I have been in the security industry, helping customers with their cybersecurity challenges, for the last 15 years, so I have had the opportunity to witness the evolution and modernization of attack vectors, the progression of tactics and techniques, and the expansion of the attack surface. I often ask myself: “Can I effectively stop bad actors when they have all the time in the world to exploit and breach my environment?” The traditional approach to securing and protecting data, applications and digital services is at least a decade behind the advancement of these bad actors.

To grasp the scale of the problem, consider the FireEye Mandiant M-Trends 2020 Report, which puts the global median dwell time, the interval between the start of an intrusion and its detection, at 56 days. Meanwhile, the time it takes ransomware to start encrypting files on a PC or across a network can be as little as 3 seconds, and it can infect thousands of PCs in a short period. The same is true of other known forms of cyberattack. This gap is very concerning. Advances exist in a few distinct areas, such as determining the attack stage and the impact of a breach using modern frameworks like MITRE ATT&CK and the Lockheed Martin Cyber Kill Chain, but they are not close to what is desired and required.

Traditional detection and response techniques are no longer a viable option against today’s threats. We have to go beyond the discussion of securing the perimeter and legacy endpoint security. Modern applications and services are built on distributed technology and infrastructure, with workloads and application components spread across the internet (extensive use of APIs, ready-made application packages and publicly available libraries). This is the future of digital applications, and it is what consumers demand. The only way to uplift our security posture is to incorporate automation, big data, machine learning and artificial intelligence into our threat management capability.

Automation is the key to closing the delay between detection and response, and it must play an essential role in assurance services. Solutions must also be capable of learning from both structured and unstructured data, and the use of fast, accurate security validation tools and techniques is essential.
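The point about machine-speed attacks versus human-speed response can be made concrete with a small automated playbook. The following is an added illustration written for this page; it is not code from the author or from any SOAR or EDR product. It reads constructed EDR-style events (hypothetical hosts, paths and timestamps), keeps a per-host sliding window of file-rename events, treats a burst of renames within a few seconds as probable ransomware encryption, and queues a host-isolation action without waiting for an analyst. The event format, the threshold of five renames in three seconds and the `isolate_host` action name are all assumptions chosen for the example.

```python
"""Automated detection-and-response playbook over constructed EDR-style events.

Added example for this article, not code from the author or any SOAR/EDR product.
A per-host sliding window counts file-rename events; a burst inside a short
window is treated as probable ransomware encryption and the playbook queues a
host-isolation action automatically. Thresholds, the line format and the
sample telemetry below are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    action: str   # "process_start", "file_rename", ...
    detail: str   # image name or file path


@dataclass(frozen=True)
class Response:
    host: str
    action: str           # e.g. "isolate_host" (hypothetical action name)
    first_seen: datetime  # earliest event that contributed to the verdict
    decided_at: datetime  # when the playbook reached the verdict

    @property
    def time_to_respond(self) -> timedelta:
        """Latency from first suspicious event to decision; compare with a 56-day dwell time."""
        return self.decided_at - self.first_seen


# Constructed sample telemetry (hypothetical hosts and paths, not real captures).
# Format: "<ISO-8601 UTC timestamp> <host> <action> <detail>".
SAMPLE_LOG = r"""
2021-06-01T10:00:00Z ws-17 process_start winword.exe
2021-06-01T10:00:01Z ws-17 process_start update.exe
2021-06-01T10:00:02Z ws-17 file_rename C:\Users\a\Documents\q1.xlsx.locked
2021-06-01T10:00:02Z ws-17 file_rename C:\Users\a\Documents\q2.xlsx.locked
2021-06-01T10:00:03Z ws-17 file_rename C:\Users\a\Documents\plan.docx.locked
2021-06-01T10:00:03Z ws-17 file_rename C:\Users\a\Pictures\holiday 2020.jpg.locked
2021-06-01T10:00:04Z ws-17 file_rename C:\Users\a\Desktop\notes.txt.locked
2021-06-01T10:00:04Z ws-17 file_rename C:\Users\a\Desktop\budget.xlsx.locked
2021-06-01T10:00:05Z ws-22 file_rename C:\Users\b\report-draft.docx
2021-06-01T10:00:30Z ws-22 file_rename C:\Users\b\report-final.docx
"""


def parse_events(text: str) -> List[Event]:
    """Parse the line format above; the detail field may itself contain spaces."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, action, detail = line.split(" ", 3)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, action, detail))
    return events


def run_playbook(events: List[Event], threshold: int = 5,
                 window: timedelta = timedelta(seconds=3)) -> List[Response]:
    """Isolate any host that produces >= threshold renames inside `window`, once per host."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    isolated = set()
    responses: List[Response] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action != "file_rename" or ev.host in isolated:
            continue
        bucket = recent[ev.host]
        bucket.append(ev.ts)
        while bucket and ev.ts - bucket[0] > window:  # drop events that aged out of the window
            bucket.popleft()
        if len(bucket) >= threshold:
            responses.append(Response(ev.host, "isolate_host", bucket[0], ev.ts))
            isolated.add(ev.host)  # one action per host; do not flood the EDR API
    return responses


if __name__ == "__main__":
    for r in run_playbook(parse_events(SAMPLE_LOG)):
        print(f"{r.decided_at:%H:%M:%S} {r.action} {r.host} "
              f"(first suspicious event {r.time_to_respond.total_seconds():.0f}s earlier)")
```

On the sample data, ws-17 is isolated two seconds after its first suspicious rename, while ws-22's two ordinary renames 25 seconds apart never trip the window. In a real deployment the `isolate_host` step would call the EDR vendor's API, and the threshold would be tuned against baseline rename rates so that build servers and backup jobs are not quarantined.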

Standardization is a crucial aspect that is often overlooked and lacks management support and commitment. Many security breaches result from a failed process: the process does not exist, is immature, or is not enforced. Practitioners have a wealth of information to draw on, such as the National Institute of Standards and Technology (NIST) Special Publications, Cloud Security Alliance (CSA) guidance, the General Data Protection Regulation (GDPR), and International Organization for Standardization (ISO) standards. These can be adapted to standardize technology consumption and security operations, ensure data privacy, enhance posture, perform maturity assessments and benchmark against industry peers.

I highly recommend NIST SP 800-61 (Computer Security Incident Handling Guide), NIST SP 800-83 (Guide to Malware Incident Prevention and Handling for Desktops and Laptops) and NIST SP 800-86 (Guide to Integrating Forensic Techniques into Incident Response) as the basis for a SOC’s incident handling and forensics processes.

In the area of security technology, security orchestration, automation and response (SOAR) solutions; secure access service edge (SASE); zero trust architecture; security validation; micro-segmentation; data security; advanced access control; and endpoint detection and response (EDR) are all options for improvement.

Above all, security is an ongoing effort, and security leadership must stay adaptive and agile to fight the adversaries and their harmful motives.

Editor’s note: For further insights on this topic, read Farhan Imitaz’s recent Journal article, “Benefits of Using a SOAR Solution,” ISACA Journal, volume 2, 2021.
