As the world watches the conflict with Russia unfold, cybersecurity defenders are working overtime. Defenders are being asked by key stakeholders, boards, and even CISA for transparency on how their organization is faring against cyberattacks.
SOCs under strain
Security operations (SecOps) teams are spending their days looking for known vulnerabilities and watching for new threats. Combine these daily tasks with the incoming changes to regulations and compliance rules, and priorities for SecOps are competing to the point of breaking.
Leading a team that effectively prioritizes cyberthreats to prevent loss means the team needs to understand the points of exposure that exist across all of its attack surfaces. To determine what and where to defend first, the team also needs visibility into where critical assets are located and how they are maintained. Especially for large organizations with both IT and OT security requirements, threat prioritization starts with a solid understanding of internal business operations, and of the platforms and physical and digital systems deployed to support those operations. Once that understanding is compiled, SecOps can begin to assess security gaps and risks to those operations and combine that assessment with their knowledge of the adversaries targeting their company or industry.
The intersection of these two inputs, the organization's own exposure and the adversaries known to target it, lets cyber defenders determine which threats are the higher priority and how well they can mitigate or detect a particular malicious action. With potential threats identified, they can operate and prioritize via a threat matrix such as MITRE ATT&CK or another kill-chain framework, working through those exposures in order. That matrix foundation enables security leaders to establish measures of success for their cyber defense program and report to key organizational stakeholders.
Operationalizing cybersecurity via frameworks
Success in educating those stakeholders starts with understanding their priorities as they relate to the business and its security. By adopting a security threat and risk framework that aligns with those priorities, organizations can effectively prioritize and show the coverage or gaps within their security posture.
Although this has historically not been an easy feat, operationalizing cybersecurity via frameworks allows organizations to track their posture as new threats emerge and to show improvement against the KPIs that interested parties need to assess.
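One concrete way to turn "coverage or gaps" into a reportable number is to join a detection-rule inventory against the ATT&CK techniques the team has prioritized. The following is an added example, not code from the original article or from any vendor it mentions; the detection inventory, the priority list and the one-tactic-per-technique mapping are all constructed (real ATT&CK techniques can belong to several tactics).

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed, simplified tactic mapping (one tactic per technique ID).
TECHNIQUE_TACTIC = {
    "T1566": "initial-access",     # Phishing
    "T1059": "execution",          # Command and Scripting Interpreter
    "T1047": "execution",          # Windows Management Instrumentation
    "T1003": "credential-access",  # OS Credential Dumping
    "T1110": "credential-access",  # Brute Force
    "T1021": "lateral-movement",   # Remote Services
    "T1486": "impact",             # Data Encrypted for Impact
}

@dataclass(frozen=True)
class Detection:
    name: str        # rule name as exported from the SIEM/EDR
    technique: str   # ATT&CK technique the rule is tagged with
    enabled: bool    # a disabled rule gives no real coverage

# Constructed detection inventory, as a SIEM or EDR export might look.
DETECTIONS = [
    Detection("suspicious-powershell-encoded-cmd", "T1059", True),
    Detection("lsass-access-from-unsigned-process", "T1003", True),
    Detection("credential-dump-tool-cli-pattern", "T1003", False),
    Detection("password-spray-against-vpn", "T1110", True),
    Detection("wmi-remote-process-create", "T1047", False),
    Detection("phish-with-macro-attachment", "T1566", True),
]

# Constructed priority list: techniques the team expects from its adversaries.
PRIORITY = ["T1566", "T1059", "T1047", "T1003", "T1021", "T1486"]

def coverage_report(detections, priority, tactic_map):
    """Covered vs. gap techniques, disabled-only gaps, and per-tactic coverage %."""
    enabled = {d.technique for d in detections if d.enabled}
    present = {d.technique for d in detections}
    covered = sorted(t for t in priority if t in enabled)
    gaps = sorted(t for t in priority if t not in enabled)
    # Gaps where a rule already exists but is switched off: cheapest to close.
    disabled_only = sorted(t for t in gaps if t in present)
    by_tactic = defaultdict(lambda: [0, 0])  # tactic -> [covered, total]
    for t in priority:
        tactic = tactic_map.get(t, "unknown")
        by_tactic[tactic][1] += 1
        by_tactic[tactic][0] += t in enabled
    pct = {k: round(100 * c / n) for k, (c, n) in by_tactic.items()}
    return {"covered": covered, "gaps": gaps,
            "disabled_only": disabled_only, "tactic_pct": pct}

if __name__ == "__main__":
    for key, value in coverage_report(DETECTIONS, PRIORITY, TECHNIQUE_TACTIC).items():
        print(f"{key}: {value}")
```

Note that T1110 is detected but not prioritized, so it neither counts as coverage of the priority list nor as a gap; the per-tactic percentages are what a leader would report upward.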
The biggest challenge most organizations face when operationalizing these frameworks is the fact that the data/information they need is siloed across multiple data systems and cybersecurity tools.
Security data lives in multiple places, with organizations using a variety of data logging systems such as Splunk, Snowflake, or other data lakes as the foundation for threat hunting and research. On top of these data lakes the security operations center (SOC) layers platforms for Security Information and Event Management (SIEM), Extended Detection and Response (XDR), and other tools that analyze data and correlate events, plus product-specific feeds such as CrowdStrike Falcon Data Replicator or email security systems such as Proofpoint or Tessian.
Security analysts can spend hours exporting data from these systems, tagging and normalizing the information, and ingesting that data into their SIEMs and SOARs before they can begin to detect, hunt, triage, and respond to threats.
But next-gen tools are being developed that address this exact issue with automation and machine learning. Organizations now have a better way to integrate and ingest alerts from across their data stacks, giving them a single source of truth from which they can run advanced correlations, produce more accurate detections, and maintain a complete picture of their coverage and threat landscape. Modern SOC platforms enable security analysts to query data automatically where it lives, whether in the cloud or on premises, and to ingest and integrate alerts from their security tech stack so that relevant information is quickly correlated into accurate detections.
Full visibility into their coverage, and an understanding of what is really happening across environments, is critical to the success of SecOps teams. The most effective SOC teams are heavily involved in the security community and assess their security posture from both a detective and a preventive perspective in real time. SecOps teams that pull security information from a variety of trusted researchers and sources to guide their own security posture, and share what they learn back with the community, are critical to the combined success of that community.
It’s hard to get the C-level, the board, and others to align if they are questioning whether you have a clear and continuous process to monitor security across the systems the organization depends on. By taking a modern approach to security operations, focusing on detection coverage, and automating manual detection tasks, leading organizations can deliver better security outcomes, and SOC teams can stop drowning in a sea of alerts.