One of the more difficult questions a CISO has to answer is: “Based on my current maturity and business / technology factors, what do I spend on to get the best balance of capability to predict, prevent, detect and respond to threats?”
Security teams have lots of controls to choose from that can manage risk and mitigate the impacts the business cares about – and there are several useful frameworks that offer menus of controls and capabilities. However, teams rarely have the situational awareness they need to know which control will deliver the best value for money. Specifically, teams struggle to understand what their digital environment looks like and what the operational status of baseline controls is. This makes the decision about 'where to invest next' really hard.
The reality for most security teams looks like this: they have a plethora of preventative technologies across their environment, but they don't have a continuous and accurate picture of coverage (are controls implemented where they should be?), operational performance (are controls doing what they were put in place to do?), and performance consistency (where are controls 'repeat offenders' for operational failure, vs occasionally slipping out of policy expectations?).
Because there is no trusted, assured baseline for preventative capability, detection controls have to pick up the slack. However, these end up needing to detect everywhere, which generates vast amounts of alerts. Teams of people then need to sift through these to establish if the alerts are malicious, suspicious or benign.
Today, the message from all corners of the security community (CISOs, intelligence agencies, penetration testing firms, analyst firms) is 'We need to get the basics right'. This is because failures in foundational controls like Asset Management, Vulnerability Management, Access Management and Malware Defence are known to give threats the upper hand over defenders. In turn, this makes it hard for defenders to narrow the focus of detective controls, for example to specific groups of critical systems or users.
However, the basics aren't easy. Here are two examples to illustrate this:
1. Asset Management is dependent on IT Operations maintaining a CMDB (configuration management database) that is up to date and authoritative. Most security professionals grin wryly when you say this, because they know it's rarely the case. And often, even if it is maintained, this is not done in a way that meets the needs of the various security stakeholders who may need to call on it.
2. Installing and managing security technologies is often the responsibility of multiple IT teams. You might assume it's easy to get a picture for Anti-Virus of its coverage, whether it's updating and scanning to policy, and where it might have been turned off. Pretty much anyone who's worked in a SOC (security operations centre) for a business that has multiple divisions scattered across the globe can tell you what assume makes out of you and me.
As these examples show, security depends on other stakeholders not only to manage risks and get value from security investments, but also to provide the information that gives security the situational awareness to know its best next move.
Without sufficient situational awareness of the digital environment and visibility into how baseline controls are performing, security teams struggle to apply further controls with the precision that budgets and resource constraints require. They also don't have a view of their terrain from a threat's perspective. They can't see the connections and dependencies that threats can exploit to go under, over or around controls. Efforts to try and build this picture are usually manual and laborious – and generally last around six months before other priorities take over.
To address this, many teams are starting to look at how data analytics can be applied to telemetry from the operating environment to answer questions that are foundational, but complicated at scale. An example, starting with the CMDB: What assets do security data sources like AV and vulnerability scans identify that are not in the CMDB? What assets in the CMDB never appear in the AV and vulnerability data sets? Where are there assets in the AV data set that are not in the vulnerability data set, and what does that indicate about control coverage? Where are there assets with high severity vulnerabilities where AV is updating but not scanning? With answers to these questions, security can drive performance improvement where it matters most.
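The reconciliation questions above are set operations across three inventories. The following is an added example (not code from the article or from Panaseer) that runs them over constructed sample data: the hostnames, the AV status fields (`updating`, `scanning`) and the severity labels are all assumptions chosen to exercise each question, not fields of any real product's export.

```python
"""Reconcile CMDB, anti-virus and vulnerability-scan inventories to expose coverage gaps.

Added example, not the article's code. All data below is constructed for illustration.
"""
from dataclasses import dataclass

# Constructed sample inventories (hypothetical hostnames).
CMDB = {"web-01", "web-02", "db-01", "app-01", "legacy-01"}

# hostname -> AV agent status: were signatures updated recently, and did a scan complete recently?
AV_TELEMETRY = {
    "web-01": {"updating": True, "scanning": True},
    "web-02": {"updating": True, "scanning": False},   # updates but never scans
    "db-01": {"updating": False, "scanning": False},   # agent present but stale
    "app-01": {"updating": True, "scanning": True},
    "lab-07": {"updating": True, "scanning": True},    # AV sees it; CMDB does not
}

# hostname -> highest severity reported by the vulnerability scanner (constructed labels).
VULN_SCAN = {
    "web-01": "medium",
    "web-02": "high",
    "app-01": "low",
    "lab-07": "critical",
    "shadow-03": "high",   # scanner sees it; neither CMDB nor AV does
}


@dataclass(frozen=True)
class CoverageReport:
    unknown_to_cmdb: frozenset          # seen by AV or scanner, absent from CMDB
    cmdb_never_seen: frozenset          # in CMDB, absent from both AV and scanner
    av_without_vuln: frozenset          # AV agent present, never scanned for vulnerabilities
    vuln_without_av: frozenset          # scanned for vulnerabilities, no AV agent reporting
    high_sev_updating_not_scanning: frozenset  # high-severity host whose AV updates but does not scan


def reconcile(cmdb, av, vuln, high_sev=("critical", "high")):
    """Answer the four coverage questions with plain set algebra over the three inventories."""
    cmdb = set(cmdb)
    av_hosts, vuln_hosts = set(av), set(vuln)
    return CoverageReport(
        unknown_to_cmdb=frozenset((av_hosts | vuln_hosts) - cmdb),
        cmdb_never_seen=frozenset(cmdb - av_hosts - vuln_hosts),
        av_without_vuln=frozenset(av_hosts - vuln_hosts),
        vuln_without_av=frozenset(vuln_hosts - av_hosts),
        high_sev_updating_not_scanning=frozenset(
            host for host, severity in vuln.items()
            if severity in high_sev
            and host in av
            and av[host]["updating"]
            and not av[host]["scanning"]
        ),
    )


def coverage_ratio(cmdb, source):
    """Fraction of CMDB assets that appear in a given telemetry source (0.0 when CMDB is empty)."""
    cmdb = set(cmdb)
    return len(cmdb & set(source)) / len(cmdb) if cmdb else 0.0


if __name__ == "__main__":
    report = reconcile(CMDB, AV_TELEMETRY, VULN_SCAN)
    for question, hosts in vars(report).items():
        print(f"{question:32s} {sorted(hosts)}")
    print(f"AV coverage of CMDB:   {coverage_ratio(CMDB, AV_TELEMETRY):.0%}")
    print(f"Vuln coverage of CMDB: {coverage_ratio(CMDB, VULN_SCAN):.0%}")
```

Each set in the report maps to a different owner: hosts unknown to the CMDB go back to IT Operations, hosts the CMDB lists but no control ever sees are candidates for decommissioning or agent deployment, and the "updating but not scanning" list is the short, prioritised queue that the article argues lets security drive improvement where it matters most. In a real deployment the three dictionaries would be loaded from the CMDB, AV console and scanner exports, but the set logic is unchanged.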
Security teams know they need to apply controls to the risks their organisation faces, and adapt those over time as the threat, business and technology landscape changes. Situational awareness isn't just a critical starting point – it's a continuous dependency. By using telemetry from the operating environment to get meaningful, timely and accurate insights into how they're doing with 'the basics', security teams can get the picture they need to focus their efforts and budgets for best effect.
Contributed by Nik Whitfield, CEO, Panaseer