Overcoming the daily challenges of a security team
The constantly evolving cyber threat landscape is creating new challenges, and demanding new approaches, for today’s security analyst teams.
In the past, companies focused on hiring talented and experienced CISOs to lead the establishment of security and incident-response teams. Now, the emerging threats posed by advanced cybercriminals and the potential damage from a sophisticated rogue insider are changing that trend: companies are moving beyond traditional security methods and adopting new strategies such as profiling user behavior and leveraging big data analytics. As a result, more companies are coming to understand the importance of hiring diverse teams of talented individuals to develop, and then implement, these new methods and technologies to secure the cyber front.
With that in mind, the institutionalization of in-house security and incident response as a distinct profession has created three major challenges for large enterprises:
1. Regulations – The growing frequency of attacks has created a beast. Companies nationwide are constantly learning from each other’s mistakes and compiling an ever-extending list of internal regulations aimed at preventing yesterday’s form of attack. While no company wants to be the next Target, or to discover the next Edward Snowden, strict security regulations demand growing attention from the very people who are supposed to always be on the highest alert.
2. Routine – Sets of regulations are usually accompanied by a strict response protocol, and together they create every analyst’s nightmare. Endless sheets of potential cases and responses are carefully drafted to make sure no analyst misses a crucial step when dealing with an incoming alert. While no two incidents are the same, one of the toughest challenges analysts face is to keep treating every alert as if it were their first. Eventually, and usually in the later hours of the day, routine takes over and attention drops.
3. Abundance – Data sources and analytical tools are flooding security teams these days. The ability to correlate events from every part of the company’s network has become a top priority. Instead of looking where attackers and rogue insiders may actually be doing their harm, we often flood ourselves with information, which carries the dangerous potential of drawing our attention away from where threats are most often found.
So how does a security team go about prioritizing different possible risk factors? While there are no simple answers, a small shift in approach is in many cases the first step in the right direction. We offer these suggestions to struggling and successful security teams alike:
1. Gain visibility – Security services are now sold in bundles, à la carte, and sometimes even two for the price of one. One thing you can be sure of is that new technologies and services now come in great packaging, with bright colors, big buttons and cleaner interfaces. Security teams should look for tools that provide immediate value and surface the events that usually go undetected. In an era of stealthier attackers and rogue insiders, better visibility is the first key to mitigating today’s threats.
2. Beware of false-positives – With security practices becoming more rigid and protocol-bound, new technologies and services hold the biggest promise of freeing security analysts from the routine of day-to-day practices. Beware of services that promise to cut handling time per alert while hiding a high false-positive rate; a tool that is fast per alert but wrong most of the time costs more analyst hours than a slower, more precise one, so ask for the precision of its alerts on your own data rather than the vendor’s quoted detection rate. Look not only for the most efficient platform, but for the one that provides better end results.
3. Live the context – You may find this hard to believe, but one of the best technologies for solving difficult problems is a standard whiteboard and a set of colored markers. By writing down, sketching, and even drawing, ideas soon become simplified and understandable. Putting threats, alerts and anomalies in context means holding routine debates and discussions about policy, regulations and technology, and it leads to a better understanding of the theoretical terms and notions that make up a complex security issue.
4. Show consistency – Not even the best user manuals can describe how to get excellent daily results from your team. Diligence and talent are a good place to start, but if you really want a lasting increase in performance, consider adopting a “No Incident Left Behind” policy. Basically, it means that if you can’t find a good explanation for why something happened, you can’t dismiss it. If we demand this from our developers all the time, why not require the same attitude from our security teams? Over time, this approach has proved to trigger better in-team discussions and more fruitful lines of inquiry.
5. Make sure to win – What does a winning security team have to show for it? The answer can get complicated. While security teams may wish for a minimal incident count, we would rather see the teams we work with encounter as many difficult incidents as possible. A successful security team is one that gains both the technical expertise and the mileage needed to resolve the challenges that lie ahead on the cyber front.
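The false-positive warning in item 2 above is easiest to see with numbers. What follows is an added worked example, not code from the original article: it compares two hypothetical detectors, one that is fast per alert but noisy and one that is slower per alert but precise, against the same daily event volume. The event count, the base rate of malicious events, the detection rates and the per-alert handling times are all constructed assumptions chosen to illustrate the arithmetic, not measurements from any product.

```python
"""Base-rate arithmetic for alert precision and analyst workload.

Added example for illustration only. Every number below is a constructed
assumption; the detectors are hypothetical and do not describe any vendor.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Detector:
    name: str
    sensitivity: float          # P(alert | malicious event), the quoted "detection rate"
    false_positive_rate: float  # P(alert | benign event), rarely quoted by vendors
    minutes_per_alert: float    # promised analyst handling time per alert


# Hypothetical detectors (assumed figures, not real products).
FAST = Detector("fast-but-noisy", sensitivity=0.99, false_positive_rate=0.02, minutes_per_alert=5.0)
ACCURATE = Detector("slow-but-precise", sensitivity=0.95, false_positive_rate=0.001, minutes_per_alert=12.0)

# Constructed environment: events inspected per day and the share that are malicious.
EVENTS_PER_DAY = 100_000
BASE_RATE = 0.001  # 1 in 1,000 events is actually malicious


def precision(d: Detector, base_rate: float) -> float:
    """Fraction of raised alerts that are real: P(malicious | alert) via Bayes' rule."""
    tp = d.sensitivity * base_rate
    fp = d.false_positive_rate * (1.0 - base_rate)
    return tp / (tp + fp) if tp + fp else 0.0


def daily_workload(d: Detector, events_per_day: int, base_rate: float) -> dict:
    """Expected alerts, real incidents among them, misses, and analyst minutes per day."""
    malicious = events_per_day * base_rate
    benign = events_per_day - malicious
    tp = d.sensitivity * malicious
    fp = d.false_positive_rate * benign
    alerts = tp + fp
    minutes = alerts * d.minutes_per_alert
    return {
        "alerts": alerts,
        "true_positives": tp,
        "false_positives": fp,
        "missed": malicious - tp,
        "minutes": minutes,
        # The cost that matters: analyst time spent per real incident found.
        "minutes_per_true_positive": minutes / tp if tp else float("inf"),
        "precision": precision(d, base_rate),
    }


def cheaper_detector(a: Detector, b: Detector, events_per_day: int, base_rate: float) -> Detector:
    """Pick the detector that consumes fewer analyst minutes per day in total."""
    wa = daily_workload(a, events_per_day, base_rate)["minutes"]
    wb = daily_workload(b, events_per_day, base_rate)["minutes"]
    return a if wa <= wb else b


if __name__ == "__main__":
    for d in (FAST, ACCURATE):
        w = daily_workload(d, EVENTS_PER_DAY, BASE_RATE)
        print(f"{d.name:17s} alerts/day={w['alerts']:7.1f} real={w['true_positives']:5.1f} "
              f"missed={w['missed']:4.1f} precision={w['precision']:.3f} "
              f"analyst-min/day={w['minutes']:8.1f} min/real-incident={w['minutes_per_true_positive']:6.1f}")
    print("cheaper overall:", cheaper_detector(FAST, ACCURATE, EVENTS_PER_DAY, BASE_RATE).name)
```

With these assumptions the noisy detector raises roughly 2,100 alerts a day of which under 5% are real, and at five minutes each it burns about 175 analyst hours; the precise detector raises under 200 alerts at close to 50% precision and, even at twelve minutes each, needs about 39 hours. The price of the precise detector is the handful of incidents it misses, which is exactly the trade-off a team should be computing on its own base rate before buying on quoted handling time.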