Cybersecurity is still a relatively young competency as a core function of business.
Talk with business leaders of any organization, and they’ll probably tell you that they take cybersecurity seriously. Their goal is ensuring their organization is safe, but it feels like cybersecurity changes by the week. It is a constant effort to know whether they are “doing enough.”
The answer to the question, “Am I doing enough?” is what allows business leaders to sleep at night. They know who’s attacking their peers, who is attacking them, and how well (or not so well) their cybersecurity program is working against those threats. Their risks have been quantified. They know where they’ve invested successfully, and where to invest further based on those risks. “Safe” is now defined and quantified, arming leadership with the ability to make informed decisions, just like they do for other areas of their business.
At a high level, achieving this milestone for a cybersecurity program typically involves the organization sequentially moving through three different phases of cybersecurity maturity: Detections Phase, Collections Phase, and Integrations Phase.
What follows are the details for identifying each phase, and insights into how an organization can catapult itself towards its ultimate operating state.
Detections phase: active perimeter defense
A few things a business in the Detections phase might say are:
- “We bought highly regarded tools by reputable vendors for IDS, firewall, email, and endpoint”
- “The auditors did a black box test and we passed easily”
- “We scan regularly, no issues”
The business has accumulated tools from well-known IT companies that monitor activity, such as: managed firewall, endpoint detection/EDR, antivirus, email with malware protection and a basic log collection tool. These tools are in place, and they are expected to work. They scan for vulnerabilities regularly. Auditors and regulators have offered little, if any, pushback. Attacks seem to be stopped as there haven’t been any serious problems…and then something happens.
There is a struggle to get answers because the detection tools are operating in silos. “What did the attackers see? What did they take? How did they get by our defenses? Each of my vendors says it wasn’t them.” There is no efficient way to know what the coverage should be for this attack or for future attacks the organization will face. The organization typically realizes it only has a defense for a given attack from one of its tools or vendors — and only for the part of the infrastructure where the attack typically originates, not where it will advance to if successful.
To get answers, they look to figure out a more active process for reviewing data and taking actions, and thus progress to the Collections phase.
Collections phase: centralization of data
- “Our vendor tools are good, but they’re not interacting with each other”
- “Alerts are still high volume, and we don’t have the process to cut them down”
- “We have to log in to 6 different systems to address a problem”
The team overseeing security gets more active in reviewing data collected from across the infrastructure. They want greater visibility and to address gaps.
The ensuing volume of visible activity produces an overwhelming amount of alerts and data to sift through. There is a bottleneck between the feedback coming from vendors and the actionable response to take. Without an efficient process for aggregating the tools, logs, and external threat data, the team isn’t able to figure out which of these alerts are real and whether they are a threat right now. And that doesn’t even factor in obtaining 24/7 coverage.
For those threats that they determine are real, is there protection in place for that specific attack? If not, how can the right controls be created or put in place? “Sharing communities” and search engines become the team’s best friend, but over time they’re slowly falling behind.
When the team thinks through what to do about it, it concludes that the detection tools are not the problem. The problem is that it can’t make them all work together and prioritize threats. Thus, the team explores a subsequent investment into a SIEM tool, or finding an MSSP/MDR vendor.
Integrations phase: coordinated system of constant maturity
- “For active threats, our coverage needs to extend beyond just the perimeter”
- “When a threat is active, we want to confirm which of our controls are working, and more importantly which controls aren’t working or haven’t fired off recently so we can focus our efforts.”
- “Our aim is to be attacker-agnostic. It would be nice to get that attribution, but it’s more important to identify the tactics being used and control for that.”
A system is not the sum, but the product of its parts. The hurdle to functioning at this level is the precision of integration — in particular, the consistency of which tools are a part of the toolset. All tools have nuance, and security experts need to be experts with them. Aligning those enables the team to turn their own data and intelligence into protections. Now, when threats are active the response can be swift and targeted.
The team can do this because it has a centralized single pane of glass. Whether the primary roles of the team members are signals operations, policy and procedures, control writing, threat hunting, etc., each team member focuses their efforts to pull in the same direction. There is visibility into past threats, current threats, and expected threats. The historical success, current success, and expected success (or failure) of their security program against those threats is known.
The security program has moved beyond just using indicators of compromise like IP addresses, domain names, and hashes — instead the defenses target the tactics, techniques, and procedures of the attackers. Operating at this level has injected leverage into the process with an infinite feedback loop of information from internal data sources and external threat information. Control writing is deployed across the infrastructure, at each phase of an attack, and tested for effectiveness — enabling true defense in depth. And with that, risk is quantified for business decisions.
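As an added example (not code from the original article), the small script below models two of the steps described above: the Collections phase step of normalizing alerts from siloed tools into one stream, and the Integrations phase step of tracking which controls have fired recently and which haven’t. The tool names, alert shapes and rule identifiers are constructed for illustration; the ATT&CK technique identifiers are real, but the mapping of constructed rules to them is an assumption.

```python
"""Added example: normalize alerts from siloed tools, correlate them per host,
and report controls that have not fired recently. All alert data, tool names
and rule ids below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: each tool emits alerts in its own native shape (the silos).
RAW_ALERTS = [
    {"source": "edr", "ts": "2024-03-01T10:05:00", "host": "ws-042", "rule": "EDR-PSH-ENC", "sev": 3},
    {"source": "email", "received": "2024-03-01T09:58:00", "recipient": "ws-042", "verdict": "EMAIL-MACRO"},
    {"source": "ids", "time": "2024-03-01 10:07:00", "src_host": "ws-042", "sig": "IDS-C2-BEACON", "priority": 2},
    {"source": "ids", "time": "2024-02-10 08:00:00", "src_host": "srv-07", "sig": "IDS-PORTSCAN", "priority": 3},
]

# Control inventory (constructed): rule id -> (tool, ATT&CK technique it is meant to cover).
CONTROLS = {
    "EDR-PSH-ENC": ("edr", "T1059.001"),    # PowerShell execution
    "EMAIL-MACRO": ("email", "T1566.001"),  # Spearphishing attachment
    "IDS-C2-BEACON": ("ids", "T1071.001"),  # C2 over web protocols
    "IDS-PORTSCAN": ("ids", "T1046"),       # Network service discovery
    "EDR-CRED-DUMP": ("edr", "T1003"),      # OS credential dumping (has never fired)
}


def normalize(raw_alerts):
    """Flatten each tool's native alert shape into one common record."""
    out = []
    for a in raw_alerts:
        if a["source"] == "edr":
            ts, host, rule = datetime.fromisoformat(a["ts"]), a["host"], a["rule"]
        elif a["source"] == "email":
            ts, host, rule = datetime.fromisoformat(a["received"]), a["recipient"], a["verdict"]
        elif a["source"] == "ids":
            ts, host, rule = datetime.strptime(a["time"], "%Y-%m-%d %H:%M:%S"), a["src_host"], a["sig"]
        else:
            continue  # unknown tool: drop rather than guess at its fields
        tool, technique = CONTROLS.get(rule, (a["source"], None))
        out.append({"ts": ts, "host": host, "rule": rule, "tool": tool, "technique": technique})
    return sorted(out, key=lambda r: r["ts"])


def correlate_by_host(alerts, window=timedelta(hours=1)):
    """Per host, collect alerts inside a time window and keep hosts where two
    or more different tools saw activity: the cross-silo view no single
    vendor can give. Returns host -> sorted list of techniques observed."""
    by_host = defaultdict(list)
    for r in alerts:
        by_host[r["host"]].append(r)
    chains = {}
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r["ts"])
        first = recs[0]["ts"]
        in_window = [r for r in recs if r["ts"] - first <= window]
        if len({r["tool"] for r in in_window}) >= 2:
            chains[host] = sorted({r["technique"] for r in in_window if r["technique"]})
    return chains


def stale_controls(alerts, now, max_age=timedelta(days=7)):
    """Controls in the inventory that have not fired within max_age of `now`.
    A silent control may be fine (no such attack seen) or may be broken;
    either way it is where testing effort should be focused first."""
    last_seen = {}
    for r in alerts:
        last_seen[r["rule"]] = max(last_seen.get(r["rule"], r["ts"]), r["ts"])
    return sorted(rule for rule in CONTROLS
                  if rule not in last_seen or now - last_seen[rule] > max_age)


if __name__ == "__main__":
    alerts = normalize(RAW_ALERTS)
    print("Hosts with multi-tool activity:", correlate_by_host(alerts))
    print("Controls not fired in 7 days:", stale_controls(alerts, datetime(2024, 3, 1, 12, 0)))
```

The point of the third function is the one made in the Integrations phase quotes: a control that has not fired is a question, not an answer, and surfacing it turns the control inventory into a testing backlog rather than a list of purchased features.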
This is how, at this level, the cyber program can deliver to the business the answer to the question, “Are we doing enough?”
Cybersecurity has evolved to a multi-vector problem to solve. Guarding the perimeter is important. Multiple tools are better. Creating defense in depth — by writing controls for specific threats across and throughout the infrastructure — is excellent.
Getting into the integrations phase isn’t a tactical decision, such as assessing things like talent, time, and budget. Integrations is a strategic decision — assessing the security program as it is currently constructed, and whether a leap forward involves a deliberate step backwards. Cybersecurity has changed quickly, and we are still young in the process of adapting. When evaluating the next phase of your program, is the decision at hand just ultimately another tool for the toolset?