Today’s chief information security officers (CISOs) are under more pressure than ever. The well-being of their organizations depends not only on protecting against and preventing cyber incidents, but also on rapidly detecting, responding to, and recovering from them – and the costs prove it. The average financial cost of a data breach reached an all-time high of $4.35 million in 2022, according to the 2022 Cost of a Data Breach report conducted by the Ponemon Institute and sponsored and analyzed by IBM. The culprit and the savior? Data.
The nature of data – its speed, diversity, and volume – makes it a challenge to defend. At the same time, cybersecurity technologies are themselves driven by security data, since many of the same tools and approaches are used to collect incident data, process it quickly, and uncover suspicious activity. Taking this into account, how can data be better integrated and utilized? What modern cybersecurity technologies can complement an existing environment to improve detection and response?
Security data can help cyber teams solve ever-more complex security problems. Agencies now have data about breaches, threat actor techniques, timing, frequency and more. Zero trust frameworks produce a massive set of granular data as a by-product of the granular controls they impose. Protecting users at the endpoint, protecting data at the source, and enforcing zero trust access to resources all generate telemetry that identifies who is accessing which systems, when, how, and how often.
Yet there is a big challenge in preventing and containing breaches, without the proper cybersecurity tools or when the different tools do not work well together. Each tool is only a puzzle piece, not the complete picture. Connecting the data with these tools is critical to achieving actionable insight. Strategically, implementing an open, secure platform that incorporates existing third party solutions can help overcome this challenge with better detection and response.
Tools that make greater use of artificial intelligence and machine learning mean agencies can find patterns in security data and automate certain responses, for example, while also conducting deeper analysis and risk mitigation. Beyond the tools, adopting a risk-based approach is key: identifying which human errors or threat vectors pose the highest risk to the mission helps prioritize remediation and visibility efforts. Data metrics should feed the risk strategy.
“Becoming a data-driven organization is a never-ending journey and it will not happen overnight,” says Matt Hayden, vice president for cyber client engagement at General Dynamics Information Technology (GDIT), “but, as agencies invest in measuring and analyzing data, they will not only be able to find the proverbial needle in the haystack, they will find the microscopic insights resting inside the needle’s eye.”
Taken together with federal directives such as the May 2021 Executive Order on Improving the Nation’s Cybersecurity (EO 14028), the January 2022 National Security Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems (NSM-8), and the August 2021 OMB Memorandum on Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents (M-21-31), there is an urgency to deploy purpose-built tools that enable teams to execute prioritized, high-fidelity visibility, detection, and response strategies. It also demands that agencies select mission partners who can help them understand and manage cyber and physical risk and protect critical assets and infrastructure.
Available analytics platforms today can consolidate security data from multiple sources to provide visibility into agencies’ environments. This visibility helps develop greater insight, contextual understanding that enables threat detection, and, ultimately, the rapid responses to those threats. In evaluating a modern security tool, there are several key aspects to consider: its openness, contextual insights, routine response automation, and risk prioritization.
Open security platform
A key element of purpose-built tools is their openness, whether as an open security platform or as a tool’s integration with one. That allows an organization to leverage its existing investments while leaving the existing data where it is, when that makes sense. Quickly identifying “true positives” or “the needle in the haystack” is only achievable with a platform that connects the security data, alerts and telemetry from your existing solutions. Automating the ingestion and normalization of that data, so it can be analyzed, prioritized, and triaged consistently, provides the foundation for meaningful risk prioritization.
Contextual understanding
Reducing the number of investigations and filtering out “false positives” through artificial intelligence (AI) designed for risk prioritization helps cyber teams, because analysts are presented with high-fidelity detections. Current systems may surface valuable security data but fail to connect insights and prioritize them. False positives are unavoidable, but they can be reduced through a risk prioritization engine that identifies the “patterns” of attacker behavior rather than scoring each alert in isolation.
Automating routine response components
Incident response teams benefit from automating certain routine tasks. Whether it’s ingestion and normalization, triage and investigation, or simple tasks and complex workflows, automation is key. Security orchestration, automation, and response (SOAR) codifies established incident response processes to guide a cyber team. Automating the routine components allows security teams to focus their time on investigating incidents that pose a genuine risk to the organization.
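The three preceding sections describe one pipeline: normalize telemetry from several tools into a common schema, score it by risk using patterns of attacker behavior rather than isolated alerts, and automate the routine triage decisions. The script below is an added illustration of that pipeline, not code from IBM, GDIT, or any product. Its log lines, field names, the technique labels, the asset criticality table, the allowlist and the scoring formula are all constructed assumptions chosen to show the mechanics.

```python
"""Normalize alerts from two sources, score hosts by risk, auto-triage the routine ones.
Added illustration: all inputs, schemas, labels and thresholds here are constructed."""
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    source: str      # tool that produced the alert
    host: str
    user: str
    technique: str   # normalized behaviour label (assumed taxonomy, not a vendor's)
    severity: int    # 1-10 after normalization


# Constructed sample telemetry: three JSON EDR alerts and three sshd syslog lines.
EDR_JSON = [
    '{"sensor":"edr","hostname":"db-01","user":"root","detection":"credential_dumping","score":80}',
    '{"sensor":"edr","hostname":"scan-01","user":"svc_scan","detection":"port_scan","score":40}',
    '{"sensor":"edr","hostname":"ws-0042","user":"jsmith","detection":"suspicious_powershell","score":50}',
]
AUTH_SYSLOG = [
    "Mar 14 02:11:05 db-01 sshd[1234]: Failed password for root from 203.0.113.5 port 4122 ssh2",
    "Mar 14 02:11:07 db-01 sshd[1234]: Failed password for root from 203.0.113.5 port 4123 ssh2",
    "Mar 14 02:11:09 db-01 sshd[1240]: Accepted password for root from 203.0.113.5 port 4124 ssh2",
]
# Assumed asset inventory (criticality multiplier) and tuned-out known-benign pairs.
ASSETS = {"db-01": 3, "ws-0042": 1, "scan-01": 1}
ALLOWLIST = {("scan-01", "port_scan")}   # authorized vulnerability scanner

SSHD_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")


def parse_edr(line):
    d = json.loads(line)
    sev = max(1, min(10, round(d["score"] / 10)))   # vendor 0-100 scale -> 1-10
    return Event("edr", d["hostname"], d["user"], d["detection"], sev)


def parse_sshd(line):
    m = SSHD_RE.match(line)
    if not m:
        return None                                   # unknown format: skip, don't crash
    if m["result"] == "Failed":
        return Event("sshd", m["host"], m["user"], "brute_force", 3)
    return Event("sshd", m["host"], m["user"], "valid_accounts", 6)


def normalize(edr_lines, sshd_lines):
    events = [parse_edr(line) for line in edr_lines]
    events += [e for e in (parse_sshd(line) for line in sshd_lines) if e]
    return events


def prioritize(events, assets, allowlist):
    """One row per host. Allowlisted (host, technique) pairs are dropped before scoring.
    Risk grows with asset criticality and with the number of distinct techniques seen on
    the host across tools, so a chain of attacker behaviour outranks a lone alert."""
    per_host, closed = {}, set()
    for e in events:
        if (e.host, e.technique) in allowlist:
            closed.add(e.host)
            continue
        per_host.setdefault(e.host, []).append(e)
    rows = []
    for host, evs in per_host.items():
        techs = sorted({e.technique for e in evs})
        crit = assets.get(host, 1)                     # unknown asset: lowest criticality
        risk = crit * (max(e.severity for e in evs) + 4 * (len(techs) - 1))
        rows.append({"host": host, "risk": risk, "techniques": techs,
                     "sources": sorted({e.source for e in evs})})
    rows.sort(key=lambda r: r["risk"], reverse=True)
    return rows, sorted(closed - set(per_host))       # hosts with only allowlisted alerts


def triage(rows, closed, threshold=30):
    """Routine routing: high risk to analysts, low risk to a queue, benign auto-closed."""
    return {
        "investigate": [r for r in rows if r["risk"] >= threshold],
        "queue": [r for r in rows if r["risk"] < threshold],
        "auto_closed": closed,
    }


if __name__ == "__main__":
    rows, closed = prioritize(normalize(EDR_JSON, AUTH_SYSLOG), ASSETS, ALLOWLIST)
    print(json.dumps(triage(rows, closed), indent=2))
```

With the constructed input, db-01 rises to the top because two tools (EDR and sshd) independently report three different techniques against a critical asset, while the scanner's port scan is closed automatically and the single workstation alert is queued. The point to check in any real platform is the same: the score must combine cross-tool context and asset criticality, not just the loudest vendor severity.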
Prioritizing risk
Circling back to risk: the goal is to protect the mission, yet human and financial resources are limited. Organizations must therefore automate key portions of threat management with tools designed to prioritize their risk.
It’s essential that agencies have an awareness of the tools that exist for better detection and response, an understanding of how to use them, and the ability to apply them to the mission. It’s especially important that agencies and mission partners understand the interaction and integration between these tools, zero trust approaches, and existing security orchestration, automation, and response (SOAR) activities. A security tool must be able to use security data effectively and efficiently, so this is a key capability to assess in any solution.
As an example, IBM Security QRadar XDR (extended detection and response) provides a single unified workflow across security tools that can be used on-prem or in the cloud. It helps security teams gain visibility to quickly detect, investigate and respond to threats, using real-time, real-world data while leaving the data where it is, to help continually enhance an agency’s cybersecurity posture.
“I’ve witnessed firsthand the ‘walking around in the emperor wears no clothes’ situation: a belief that an organization is secure because a dashboard or report says everything is okay, yet the organization is quite exposed. Leveraging security data and using advanced XDR capabilities to improve decision making and question-asking can make a huge difference,” said Chip Wagner, IBM security threat management leader.
Agencies have untapped intelligence in their organizations that can add value to the organization and help accomplish mission objectives. From threat-hunting to leveraging data across multiple repositories and from data interrogation to incident response, the tools at agencies’ disposal – purpose-built, open for integrations, and leveraging artificial intelligence and machine learning – are more capable than ever before and are becoming more critical in protecting networks and assets.