“Why Don’t My Security Tools Work?” A Unified Cyber Defense Battle Plan
Threat actors are getting better, faster, and more efficient at compromising networks, taking only minutes or less to breach systems. Unfortunately, organizations are taking weeks, if not longer, to discover these breaches. In fact, over the last decade the “detection deficit” – the time it takes adversaries to compromise networks vs. the time it takes those organizations to discover the attack – has grown.
This leaves many CEOs wondering, “Why are my current security tools not helping? And what actions can we take to minimize this gap?” While there is no single answer to that question, fragmentation of information and resources play a major role in worsening the detection deficit.
Look at it this way: when organizations face a cyber threat, they are involved in a battle that shares many similarities to a war fought between armies. To defend itself, your army will need to know which foe it is facing, their unique capabilities, and what they are after. And like armies in battle, organizations that have a fragmented, uncoordinated deployment of their team and resources will struggle to be successful in their defense.
The Fragmented Defense
Cyber threats move quickly, happen simultaneously, and take many forms – malware, phishing, authentication attacks, application attacks, ransomware. To deflect the onslaught of attacks, organizations often have an army of defenders in place. But as these soldiers use different weapons to detect, study, respond and mitigate the threats, their efforts are often disconnected and lack coordination. This creates fragmentation, leaving vulnerabilities exposed. Breaches occur not because a tool does not work, but because hackers find ways to penetrate networks between the very tools and teams put in place to keep them out.
Today’s organizations are suffering from inefficiency. They’re deploying the best technology available and assembling an army of defenders, but struggling to make them work optimally. The biggest challenge security teams face is managing the complexity of security itself. Dealing with the outcome of fragmentation – the silos between teams and the lack of communication between tools – is more difficult than managing threats. How can an organization break the pattern?
Defragmenting cybersecurity requires organizations to leverage a platform that unites all of its people, processes, and technologies in one place. The answer is a unified cybersecurity platform that provides visibility across high volumes of security data, helps determine the relevance and reliability of that data and creates clear processes in detecting, triaging and remediating that data.
In tandem with a threat management system, there are additional steps organizations can take to defragment, such as:
- Develop and utilize a process for data analysis and workflows within a cybersecurity platform, which may also provide built-in workflow features and integrations with other security products to build automated cyber threat analysis and response processes.
- Find the right mix of sources to correlate the best threat data for the organization. The best data is a combination of intel feeds – open and paid sources – that suit that organization’s particular issues, industry, infrastructure and security posture combined with their own internal threat data. Then all of that data is normalized and analyzed to create relevant threat intelligence.
- Narrow down the threat environment by grouping threats into buckets. By introducing categorization, classification, and taxonomies to the vast array of threats, organizations can then map assets to these and assess risk, vulnerability, and prioritize actions.
- Defragment the team by creating clear roles and responsibilities, as well as a centralized workflow. Breaches happen in-between tools and teams, so ensure interactions between team members is smooth.
- Eliminate the ineffectiveness of silos by building and sharing knowledge across technologies. For example, add to knowledge gained at the endpoint, translate it to the network layer to take an action, and so on.
Just as in battle, the best way to develop a cohesive strategy is to identify and implement a process, choose the best intelligence sources, connect intelligence to vulnerabilities, controls and risk, organize knowledge, improve its visibility, and distribute the knowledge across systems. A cohesive, intelligent defense that unites technologies, people, and processes protects an organization’s assets, and narrows the detection deficit.
Adam Vincent is CEO of ThreatConnect.