Benchmarking discoverability, understanding your remediation time and retaining talent can all speak to the quality of a strategy, members of Protocol's Braintrust say.
Good afternoon! It's often very clear (and public) when a cybersecurity strategy isn't up to snuff, but for today's Braintrust edition, we asked the experts to tell us what a strategy that is working looks like internally. Questions or comments? Send us a note at firstname.lastname@example.org
SVP of Services at CrowdStrike
According to the 2022 CrowdStrike Global Threat Report, the average breakout time for adversaries — the time an adversary takes to move laterally from an initially compromised host to another host within the victim environment — is 98 minutes. Measuring your teams’ ability to detect, triage and remediate potential adversary activity immediately, before they can move about the network and cause damage, is a clear indicator of the strength and effectiveness of your strategy.
Consistently being able to adhere to the 1-10-60 rule is a signal of an effective strategy: one minute to detect, 10 minutes to investigate and 60 minutes to remediate. Security teams that strive to meet the metrics of the 1-10-60 rule can significantly minimize both the cost incurred and the damage done by attackers.
Secondly, engaging with outside Incident Response, Managed Detection and Response, Recovery and Threat Hunting teams to supplement and enhance your team’s capabilities in a cyber crisis can really have an impact. Many of these providers respond to hundreds if not thousands of threats and incidents throughout the year. They can bring the 24/7/365 expertise, tooling and response “muscle memory” to help make for an effective response experience. Red-Teaming/Blue-Teaming exercises, Adversary Emulations and other simulations/training should also be conducted to keep the teams aligned, ready and well-positioned to respond when the time comes.
Lastly, integrated threat intelligence can be like having the answers to the test before you walk into the classroom. Knowing: what are our biggest threats; do we know how those threats would look in our environment; what assets do we have that would be targeted; and being able to proactively look for signs of an intrusion using this information are invaluable in having confidence in your cybersecurity strategy.
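The 1-10-60 rule above only becomes a measurable signal once detection, investigation and remediation are timestamped per incident. The following is an added example (not CrowdStrike's code) that scores constructed incident timelines against those thresholds and against the 98-minute breakout time quoted in the same answer; the `Incident` fields and sample data are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds from the 1-10-60 rule (minutes) and the cited average breakout time.
DETECT_LIMIT, INVESTIGATE_LIMIT, REMEDIATE_LIMIT = 1, 10, 60
BREAKOUT_MINUTES = 98


@dataclass
class Incident:
    """Hypothetical incident record; field names are assumed, not a vendor schema."""
    name: str
    first_malicious: datetime  # earliest attacker activity on the initial host
    detected: datetime         # alert raised
    investigated: datetime     # analyst confirmed and scoped the alert
    remediated: datetime       # host contained, activity stopped


def minutes(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60


def evaluate(inc: Incident) -> dict:
    """Split one incident into the three 1-10-60 phases and check each limit."""
    detect = minutes(inc.first_malicious, inc.detected)
    investigate = minutes(inc.detected, inc.investigated)
    remediate = minutes(inc.investigated, inc.remediated)
    total = detect + investigate + remediate
    return {
        "name": inc.name,
        "detect_min": detect, "investigate_min": investigate, "remediate_min": remediate,
        "meets_1_10_60": (detect <= DETECT_LIMIT and investigate <= INVESTIGATE_LIMIT
                          and remediate <= REMEDIATE_LIMIT),
        # Did the whole response finish before the average adversary breakout time?
        "beats_breakout": total < BREAKOUT_MINUTES,
    }


def summarize(incidents: list) -> dict:
    """Fraction of incidents meeting 1-10-60 and finishing inside breakout time."""
    results = [evaluate(i) for i in incidents]
    n = len(results)
    return {
        "adherence_rate": sum(r["meets_1_10_60"] for r in results) / n,
        "beats_breakout_rate": sum(r["beats_breakout"] for r in results) / n,
        "results": results,
    }


# Constructed sample timelines (not real incident data).
T0 = datetime(2022, 6, 1, 9, 0)
SAMPLE = [
    Incident("inc-1", T0, T0 + timedelta(seconds=40), T0 + timedelta(minutes=8), T0 + timedelta(minutes=50)),
    Incident("inc-2", T0, T0 + timedelta(minutes=3), T0 + timedelta(minutes=20), T0 + timedelta(minutes=70)),
    Incident("inc-3", T0, T0 + timedelta(seconds=30), T0 + timedelta(minutes=5), T0 + timedelta(minutes=120)),
]
```

Run `summarize(SAMPLE)` to see that only `inc-1` meets all three limits, while `inc-3` also overruns the breakout window despite a fast detection.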
SVP, Strategic Engagements and Threats at Darktrace
Evaluating whether a cyber strategy is successful and strong or not is one of the hardest challenges CISOs face. It's not enough to report that your organization hasn't experienced a breach. It's also not enough to note how many attacks were stopped by perimeter defenses like firewalls. The only way to benchmark a robust cybersecurity strategy is to understand your visibility, discoverability and response.
You need to be able to see and validate activity across cloud, SaaS, endpoints — wherever your data lives. Then you need discoverability, or the ability to detect previously unknown attacks or behaviors. A security program buried in false positives is as ineffective and over-worked as one that is blind to the threat entirely, so you need rich alerts. Ask: Are you catching granular activities not obvious to the naked eye? Do you understand what is happening across your entire environment?
While nuanced detection is great, alone it is not enough. Your strategy also needs a response component to prevent potential threats from escalating into full-blown crises. Your cyber strategy should focus on maintaining business continuity and ensuring no disruptions.
Today's CISOs are prioritizing hardening defenses continuously. Attack Path Modeling and attack simulation can help highlight the most accessible routes an attacker may take to reach their organizations' most critical data assets. This approach can help mitigate vulnerabilities before attackers can leverage them.
CISOs need to constantly question and adapt their strategies to meet the evolving attacker methods. A cyber strategy needs to be dynamic to work.
CEO at Absolute Software
While many security strategies remain focused on the detection of risk, what has become increasingly important is the signal that informs what risk was present and already remediated without IT intervention. Too often, we see companies measuring the effectiveness of their cyber program with metrics adapted from a matrix of required security controls and how widely they have been deployed.
While it is comforting to know that critical security controls have been purchased and installed, our data tells us that those controls degrade over time as devices fall out of compliance, making the enterprise vulnerable. The average enterprise has more than 10 security apps running on user devices at any given time, with little visibility into the true effectiveness of what is actually running. This leaves gaping holes in otherwise well-protected environments. Data shows that 60% of breaches occur as a result of a vulnerability you already knew how to remediate, and that unpatched vulnerabilities are the most consistent and primary ransomware attack vectors. So, when critical security applications go offline on an end user’s device, the challenge remains: how best to reinstate that application or service. This is difficult at the best of times but is even more complex when the end user and their device are outside of the office, working remotely.
As an industry, we are all on "high alert." Now more than ever, organizations need to focus on ensuring they have intelligent, self-healing security solutions – ones that leverage automation to be able to detect, repair, and heal themselves when they are compromised or stop working effectively.
Chief product officer at Trellix
Cyberattacks are inevitable, but there are things you can look for to determine how well your defense might stand up against today’s sophisticated threats before impact to your brand, customer trust and your bottom line.
First, while all the tools may be in place to manage security incidents, one of the best signals you have is your people. Talk to your teams to understand how they feel about their strategy and overall preparedness to ensure that they are properly equipped with the right protocols and resources. In reality, many organizations aren’t particularly confident: We’ve found that 94% of IT professionals admitted a need to improve their organization’s overall cyber readiness. Regularly surveying your development and IT teams will help you understand how ready they feel and where they see gaps you need to manage.
Second, when an incident is detected, you must move quickly and work closely with your security team to take action, but also pay attention to how long the process takes from start to finish. The average response time for most organizations to move from the discovery of an incident to remediation is 19 hours — a lot can occur within that window, and your security team should be able to measure the impact to inform future action. From there, you can develop a tightened approach from discovery to remediation: Reducing that response time is an indicator that you are making progress.
And finally, it’s important to ensure your strategy prioritizes cyber risk management over simple compliance. If organizations are focusing only on compliance requirements, this results in a false sense of doing the right thing to meet those minimal requirements rather than working to understand risks and develop and implement required solutions. Boards of directors and company leadership need to ensure that a sound approach is in place to ensure organizations can invest in the talent and tools needed to address the most pressing threats.
EVP and general manager of Security & Collaboration at Cisco
Some of the successful outcomes for a security strategy can not only include quick incident response and overall reduction in risk, but also business-aligned objectives such as minimizing unplanned work, recruiting and retaining security talent and being able to keep systems up to date without causing unnecessary friction for users. In our annual Security Outcomes Study reports, we found that some practices had an oversized impact on all the security outcomes across the board, not just avoiding cyberattacks. For example, a modern, centralized tech stack made a huge difference in operational efficiency as well as the usual compliance and risk management.
VP of Strategy at Arctic Wolf
Contrary to popular belief, if your strategy is working you will see an increase in security incident detections and alerts — not fewer. A well-discussed issue in security is alert fatigue: too many alerts and notifications. Addressing the alert fatigue problem does not mean detecting less, it means being more effective. Improvements to your security strategy should increase this effectiveness. As your data collection and analysis capabilities improve, the detection of suspicious actions increases, and your strategic investment should support the ability to respond at scale and reduce or suppress irrelevant noise. In the same regard, your employees — particularly those outside of the IT department — should be flagging more suspicious emails or behavior. If more employees are bringing your attention to items that make them take pause, it shows that the security awareness training program is working.
Deputy CISO at Netskope
There are internal and external signals that can be useful indicators. Looking externally first, all organizations have an attack surface that includes the infrastructure we manage, the services we use and everything in between. This attack surface is always being tested by users via email, application APIs and other connections. This also includes identity and authentication systems that glue things together in our current posture. Understanding these nuances, focusing on attack surface monitoring and having a baseline closely tied with inventory management and response is also important. This means understanding what services are being consumed and exposed from shadow IT applications and services, storage buckets and development systems tooling for engineering.
Turning your focus inward, begin with internal events, then move to findings from internal assessments. Take a look at root-cause analysis and lessons learned from incidents and investigations. These, too, will start as simple bypasses and abuses and will move to more complex and technical issues where users must be more purposeful in their actions.
With an effective strategy, the business can and will leverage security as a business partner. Building a program with openness, inclusiveness, timeliness, transparency and meaningful information will result in the maturity and growth of security education from others within the organization and its partners.
Kevin McAllister (@k__mcallister) is a Research Editor at Protocol, leading the development of Braintrust. Prior to joining the team, he was a rankings data reporter at The Wall Street Journal, where he oversaw structured data projects for the Journal's strategy team.