Browsing category

Security Operations Center (SOC)

IBM Security, Security Analytics, Security Information and Event Management (SIEM), Security Intelligence, Security Intelligence & Analytics, Security Leaders, Security Leadership, Security Operations Center (SOC), Security Professionals, Threat Detection, Threat Intelligence,

Follow the Leaders: 7 Tried-and-True Tips to Get the Most Out of Your Security Analytics

The practice of analyzing security data for detection and response — otherwise known as security analytics (SA) — comes in many forms and flavors. Consumed data varies from organization to organization, analytic processes span a plethora of algorithms and outputs can serve many use cases within a security team.

In early 2019, IBM Security commissioned a survey to better understand how companies currently use security analytics, identify key drivers and uncover some of the net benefits security decision-makers have experienced. The findings were drawn from more than 250 interviews with information security decision-makers around the globe.

7 Lessons From Top Performers in Security Analytics

Encouragingly, the study revealed rising levels of maturity when it comes to security analytics. Roughly 15 percent of all interviewees scored as high performers, meaning their investigation processes are well-defined and they continuously measure the effectiveness of the output. These respondents are especially strong in terms of volume of investigations (five to 10 times more investigations than the average) and false positives (approximately 30 percent below average). Meanwhile, 97 percent of these leaders successfully built a 24/7 security operations center (SOC) with a total staffing headcount between 25 and 50.

What lessons can organizations with lower levels of SA maturity take away from this shining example? Below are seven key lessons security teams can learn from the top performers identified in the survey:

  1. Top SA performers have a knack for integrating security data. While many mid-performing organizations struggle with this integration and consider the task an obstacle to effective security analytics, leaders identified in the survey have streamlined the process, freeing them to focus on use case and content development.
  2. Nine in 10 high performers have an accurate inventory of users and assets — in other words, they understand the enterprise’s boundaries and potential attack surfaces and continuously update their inventory. This is likely a result of effective, automated discovery using a combination of collected security data and active scanning. By comparison, less than 30 percent of low-performing security teams practice this approach.
  3. A robust detection arsenal contains an equal mix of rule-based matching (i.e., indicators of compromise), statistical modeling (i.e., baselining) and machine learning. In stark contrast, intermediate performers rely more on existing threat intelligence as a primary detection method.
  4. Top performers use content provided by their security analytics vendors. In fact, 80 percent of respondents in this category indicated that the vendor-provided content is sufficient, whether sourced out of the box or via services engagements.
  5. Compared to middling performers, top performers dedicate between two and three times more resources to tuning detection tools and algorithms. To be exact, 41 percent of high performers spend 40 hours or more per week on detection tuning.
  6. High-performing security teams automate the output of the analytics and prioritize alerts based on asset and threat criticality. They also have automated investigation playbooks linked to specific alerts.
  7. Finally, organizations with a high level of SA maturity continuously measure their output and understand the importance of time. Approximately 70 percent of top performers keep track of monthly metrics such as time to respond and time spent on investigation. Low-performing organizations, on the other hand, measure the volume of alerts, and their use of time-based metrics is 60 to 70 percent lower than that of high performers.

Build a Faster, More Proactive and More Transparent SOC

So what do the high performers identified in the survey have to show for their security analytics success? For one thing, they all enjoy superb visibility into the performance of their SOC. While many companies are improving, particularly in the areas of cloud and endpoint visibility, 41 percent of leaders in security analytics claim to have full SOC visibility, compared to 13 percent of intermediate and low performers.

In addition, while lower-performing organizations leverage security analytics to investigate and respond — i.e., react — to threats, high performers use SA to stay ahead of threats proactively. Finally, the leaders identified in the study generate their own threat intelligence and are experts in analyzing security data.

The key takeaway here is that security is a race against time — specifically, to outpace cyber adversaries. Leading security teams know this, which is why they continuously challenge themselves by integrating new data, extracting new insights, implementing smart automation, and, most importantly, measuring the time to detect, investigate and respond.

The post Follow the Leaders: 7 Tried-and-True Tips to Get the Most Out of Your Security Analytics appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Bart Lenaerts

Chief Information Security Officer (CISO), Collaboration, Connected Devices, Endpoint Security, Energy & Utility, Identity Management, Industrial Control Systems (ICS), Infrastructure Security, Internet of Things (IoT), IT Infrastructure, Patch Management, Risk Assessment, Security Controls, Security Framework, Security Operations Center (SOC), Threat Prevention,

To Improve Critical Infrastructure Security, Bring IT and OT Together

As connectivity in the industrial internet of things (IIoT) continues to accelerate, efforts to secure industrial control systems (ICSs) struggle to keep pace. While many ICS security conversations have involved endpoint security, improving the state of ICS security demands attention to more than just endpoints.

Attacks on critical infrastructure systems are proliferating. Nearly half (41.2 percent) of ICS computers suffered a malicious software attack in H1 2018, according to Kaspersky Lab. Despite growing security concerns, traditionally air-gapped operational technology (OT) is increasingly being tasked with using internet-connected devices to improve operational processes, reduce costs and minimize downtime.

Until security becomes a priority, industrial organizations will remain soft targets for threat actors.

Are ICS Environments Too Trusting?

Data from CyberX’s recent “2019 Global ICS & IIoT Risk Report,” which analyzed network traffic data from 850-plus production OT networks worldwide, confirmed that ICSs continue to be easy targets for adversaries, with security gaps in key areas. These areas included the use of plain-text passwords (69 percent of sites), direct connections to the internet (40 percent), weak antivirus protections (57 percent) and legacy Windows systems such as XP that no longer receive patches from Microsoft (53 percent).

According to Andy Jones, a research specialist with the Information Security Forum, one of the most concerning risks to critical infrastructure stemming from emerging internet-connected technologies is that many ICS environments were designed with safety, rather than security, in mind. As a result, they are inherently trusting environments. They trust that instructions received are bona fide and will execute them without verification or validation.

“ICS environments were designed in an unconnected world, so where else would an instruction have come from if not a trusted peer environment?” Jones said. “However, these systems are now often internet-connected, exposing their operations to new threats. In addition, they move, which poses physical dangers.”

Beyond Identity and Patch Management

While identity and patch management may be the biggest obstacles to securing ICS environments in some cases, there is often a broader inadequacy, according to Sandy Carielli, director of security technologies at Entrust Datacard.

Because IT security leaders are still learning about the differences in their practices and priorities from those of OT and operational leaders, there are gaps in understanding and communication that make even something like patch management problematic. For example, it’s one thing to say a server must be taken offline once a week to apply patches, but in reality, many ICSs may not allow for that kind of downtime.

“Without all stakeholders understanding and accepting the realities of ICS requirements, security owners will develop policies and security road maps that are not adequate. That will trickle down to individual security practices like patching,” Carielli said.

Aspects of Current ICS Security That Need to Change

Before the IIoT started complicating the security of ICSs, systems ran safely and securely for many decades. As the world of technology has changed around these legacy systems, however, innovations that promise enhancements and efficiency have introduced risks, such as the dangers from remote hacking, malware and other attacks that simply were not part of original design briefs.

Now that connected ICSs face many of the same threats as IT systems, security needs to be a priority item for ICS designers and suppliers.

“The complicating factor is that many of these complex systems are part built and part assembled from common components, which may be sourced from multiple suppliers on the basis of lowest price,” said Jones. “If these core components are not secured, then anything built from them may remain vulnerable.”

Also problematic is the device manufacturing process. Rishi Bhargava, co-founder at Demisto, said the problem is tantamount to trying to fit a square peg in a round hole. Because manufacturers typically have outdated operating system (OS) and patching features on their products (if at all), are lax with password protection and changes, and have no regular software update mechanisms to communicate with their customers, things don’t always fit together in these complex environments.

“We need a better alternative to network segmentation and air-gapping IT and OT environments,” Bhargava said. “The potential upside to connected devices is massive and the better alternative going forward is to find a way to ‘stay connected and stay secure’ rather than isolating different infrastructures.”

Improving the Security of Critical Infrastructure Systems

It’s hard to say how to improve something if you don’t know who is responsible for making those improvements. That’s why defining who is responsible for OT security is a necessary first step toward improving the security of critical infrastructure systems.

“The sophistication of recent cyberattacks has demonstrated the need to leverage the skills of existing security operations center (SOC) personnel to combat threats that often cross IT and OT boundaries,” said Phil Neray, vice president of industrial cybersecurity at CyberX. “From a governance point of view, it also makes more sense to have a single C-level executive — typically the chief information security officer (CISO) — be responsible and accountable for all of the digital risk in your organization, regardless of whether it affects IT or OT networks.”

One of the greatest challenges with ICS environments is limited visibility, which is why the next step in ICS security is conducting a thorough risk assessment. It’s critical to know and document what ICS environments exist and identify their criticality to the organization. Jones noted that this is a nontrivial undertaking for complex and global organizations.

“Once this is complete, the focus should be on identifying which of these environments are connected and which of them would be vulnerable to attack,” he advised. “This can very quickly give a focal point for remediation activity.”

It’s also smart to leverage security frameworks that address both IT and OT, such as the white paper on a new security maturity model published last year by the Industrial Internet Consortium. According to Carielli, “Such frameworks will help [organizations] focus on their goals, understand the impact of industry regulations and practices, clarify the resulting security requirements, and prioritize their investment accordingly.”

Bring IT and OT Together

Strong collaboration between IT and OT is a critical step toward improving the security of critical infrastructure systems. When organizations encourage communication between and among their IT, OT and security stakeholders, these different groups can better understand each other’s constraints and work together to meet common goals.

The post To Improve Critical Infrastructure Security, Bring IT and OT Together appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Kacy Zurkus

Cyberthreats, Incident Response (IR), orchestration, Security Operations Center (SOC), Threat Detection, threat hunting, Threat Intelligence, Threat Management, Threat Monitoring, Threat Prevention, Threat Response, Threat Sharing,

It’s Time to Modernize Traditional Threat Intelligence Models for Cyber Warfare

When a client asked me to help build a cyberthreat intelligence program recently, I jumped at the opportunity to try something new and challenging. To begin, I set about looking for some rudimentary templates with a good outline for building a threat intelligence process, a few solid platforms that are user-friendly, the basic models for cyber intelligence collection and a good website for describing various threats an enterprise might face. This is what I found:

  1. There are a handful of rudimentary templates for building a good cyberthreat intelligence program available for free online. All of these templates leave out key pieces of information that any novice to the cyberthreat intelligence field would be required to know. Most likely, this is done to entice organizations into spending copious amounts of money on a specialist.
  2. The number of companies that specialize in the collection of cyberthreat intelligence is growing at a ludicrous rate, and they all offer something that is different, unique to certain industries, proprietary, automated via artificial intelligence (AI) and machine learning, based on pattern recognition, or equipped with behavioral analytics.
  3. The basis for all threat intelligence is heavily rooted in one of three basic models: Lockheed Martin’s Cyber Kill Chain, MITRE’s ATT&CK knowledge base and The Diamond Model of Intrusion Analysis.
  4. A small number of vendors working on cyberthreat intelligence programs or processes published a complete list of cyberthreats, primary indicators, primary actors, primary targets, typical attack vectors and potential mitigation techniques. Of that small number, very few were honest when there was no useful mitigation or defensive strategy against a particular tactic.
  5. All of the cyberthreat intelligence models in use today have gaps that organizations will need to overcome.
  6. A search within an article content engine for helpful articles with the keyword “threat intelligence” produced more than 3,000 results, and a Google search produces almost a quarter of a million. This is completely ridiculous. Considering how many organizations struggle to find experienced cyberthreat intelligence specialists to join their teams — and that cyberthreats grow by the day while mitigation strategies do not — it is not possible that there are tens of thousands of professionals or experts in this field.

It’s no wonder why organizations of all sizes in a variety of industries are struggling to build a useful cyberthreat intelligence process. For companies that are just beginning their cyberthreat intelligence journey, it can be especially difficult to sort through all these moving parts. So where do they begin, and what can the cybersecurity industry do to adapt traditional threat intelligence models to the cyber battlefield?

How to Think About Thinking

A robust threat intelligence process serves as the basis for any cyberthreat intelligence program. Here is some practical advice to help organizations plan, build and execute their program:

  1. Stop and think about the type(s) of cyberthreat intelligence data the organization needs to collect. For example, if a company manufactures athletic apparel for men and women, it is unnecessary to collect signals, geospatial data or human intelligence.
  2. How much budget is available to collect the necessary cyberthreat intelligence? For example, does the organization have the budget to hire threat hunters and build a cyberthreat intelligence program uniquely its own? What about purchasing threat intelligence as a service? Perhaps the organization should hire threat hunters and purchase a threat intelligence platform for them to use? Each of these options has a very different cost model for short- and long-term costs.
  3. Determine where cyberthreat intelligence data should be stored once it is obtained. Does the organization plan to build a database or data lake? Does it intend to store collected threat intelligence data in the cloud? If that is indeed the intention, pause here and reread step one. Cloud providers have very different ideas about who owns data, and who is ultimately responsible for securing that data. In addition, cloud providers have a wide range of security controls — from the very robust to a complete lack thereof.
  4. How does the organization plan to use collected cyberthreat intelligence data? It can be used for strategic purposes, tactical purposes or both within an organization.
  5. Does the organization intend to share any threat intelligence data with others? If yes, then you can take the old cybersecurity industry adage “trust but verify” and throw it out. The new industry adage should be “verify and then trust.” Never assume that an ally will always be an ally.
  6. Does the organization have enough staff to spread the workload evenly, and does the organization plan to include other teams in the threat intelligence process? Organizations may find it very helpful to include other teams, either as strategic partners, such as vulnerability management, application security, infrastructure and networking, and risk management teams, or as tactical partners, such as red, blue and purple teams.

How Can We Adapt Threat Intelligence Models to the Cyber Battlefield?

As mentioned above, the threat intelligence models in use today were not designed for cyber warfare. They are typically linear models, loosely based on Carl Von Clausewitz’s military strategy and tailored for warfare on a physical battlefield. It’s time for the cyberthreat intelligence community to define a new model, perhaps one that is three-dimensional, nonlinear, rooted in elementary number theory and that applies vector calculus.

Much like game theory, The Diamond Model of Intrusion Analysis is sufficient if there are two players (the victim and the adversary), but it tends to fall apart if the adversary is motivated by anything other than sociopolitical or socioeconomic payoff, if there are three or more players (e.g., where collusion, cooperation and defection of classic game theory come into play), or if the adversary is artificially intelligent. In addition, The Diamond Model of Intrusion Analysis attempts to show a stochastic model diagram but none of the complex equations behind the model — probably because that was someone’s 300-page Ph.D. thesis in applied mathematics. This is not much help to the average reader or a newcomer to the threat intelligence field.

Nearly all models published thus far are focused on either external actors or insider threats, as though a threat actor must be one or the other. None of the widely accepted models account for, or include, physical security.

While there are many good articles about reducing alert fatigue in the security operations center (SOC), orchestrating security defenses, optimizing the SOC with behavioral analysis and so on, these articles assume that the reader knows what any of these things mean and what to do about any of it. A veteran in the cyberthreat intelligence field would have doubts that behavioral analysis and pattern recognition are magic bullets for automated threat hunting, for example, since there will always be threat actors that don’t fit the pattern and whose behavior is unpredictable. Those are two of the many reasons why the fields of forensic psychology and criminal profiling were created.

Furthermore, when it comes to the collection of threat intelligence, very few articles provide insight on what exactly constitutes “useful data,” how long to store it and which types of data analysis would provide the best insight.

It would be a good idea to get the major players in the cyberthreat intelligence sector together to develop at least one new model — but preferably more than one. It’s time for industry leaders to develop new ways of classifying threats and threat actors, share what has and has not worked for them, and build more boundary connections than the typical socioeconomic or sociopolitical ones. The sector could also benefit from looking ahead at what might happen if threat actors choose to augment their crimes with algorithms and AI.

The post It’s Time to Modernize Traditional Threat Intelligence Models for Cyber Warfare appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Kelly Ryver

Artificial intelligence, Artificial Intelligence (AI), Chief Information Security Officer (CISO), CISO, Cloud Security, Cognitive Security, Internet of Things (IoT), Machine Learning, Penetration Testing, Security Intelligence & Analytics, Security Leaders, Security Leadership, Security Operations Center (SOC), Security Solutions,

Break Through Cybersecurity Complexity With New Rules, Not More Tools

Let’s be frank: Chief information security officers (CISOs) and security professionals all know cybersecurity complexity is a major challenge in today’s threat landscape. Other folks in the security industry know this too — although some don’t want to admit it. The problem is that amid increasing danger and a growing skills shortage, security teams are overwhelmed by alerts and the growing number of complex tools they have to manage. We need to change that, but how? By completely rethinking our assumptions.

The basic assumption of security up until now is that new threats require new tools. After 12 years at IBM Security, leading marketing teams and making continuous contact with our clients — and, most recently, as VP of product marketing — I’ve seen a lot of promising new technology. But in our rapidly diversifying industry, there are more specialized products to face every kind of threat in an expanding universe of attack vectors. Complexity is a hidden cost of all these marvelous products.

It’s not just security products that contribute to the cybersecurity complexity conundrum; digitization, mobility, cloud and the internet of things (IoT) all contribute to the complexity of IT environments, making security an uphill battle for underresourced security teams. According to Forrester’s “Global Business Technographics Security Survey 2018,” 31 percent of business and IT decision-makers ranked the complexity of the IT environment among the biggest security challenges they face, tied with the changing nature of threats as the most-cited challenge.

I’ll give you one more mind-boggling statistic to demonstrate why complexity is the enemy of security: According to IBM estimates, enterprises use as many as 80 different security products from 40 vendors. Imagine trying to build a clear picture with pieces from 80 separate puzzles. That’s what CISOs and security operations teams are being asked to do.

7 Rules to Help CISOs Reduce Cybersecurity Complexity

The sum of the parts is not greater than the whole. So, we need to escape the best-of-breed trap to handle the problem of complexity. Cybersecurity doesn’t need more tools; it needs new rules.

Complexity requires us as security professionals and industry partners to turn the old ways of thinking inside out and bring in fresh perspectives.

Below are seven rules to help us think in new ways about the complex, evolving challenges that CISOs, security teams and their organizations face today.

1. Open Equals Closed

You can’t prevent security threats by piling on more tools that don’t talk to each other and create more noise for overwhelmed analysts. Security products need to work in concert, and that requires integration and collaboration. An open, connected, cloud-based security platform that brings security products together closes the gaps that point products leave in your defenses.

2. See More When You See Less

Security operations centers (SOCs) see thousands of security events every day — a 2018 survey of 179 IT professionals found that 55 percent of respondents handle more than 10,000 alerts per day, and 27 percent handle more than 1 million events per day. SOC analysts can’t handle that volume.

According to the same survey, one-third of IT professionals simply ignore certain categories of alerts or turn them off altogether. A smarter approach to the overwhelming volume of alerts leverages analytics and artificial intelligence (AI) so SOC analysts can focus on the most crucial threats first, rather than chase every security event they see.

3. An Hour Takes a Minute

When you find a security incident that requires deeper investigation, time is of the essence. Analysts can’t afford to get bogged down in searching for information in a sea of threats.

Human intelligence augmented by AI — what IBM calls cognitive security — allows SOC analysts to respond to threats up to 60 times faster. An advanced AI can understand, reason and learn from structured and unstructured data, such as news articles, blogs and research papers, in seconds. By automating mundane tasks, analysts are freed to make critical decisions for faster response and mitigation.

4. A Skills Shortage Is an Abundance

It’s no secret that greater demand for cybersecurity professionals and an inadequate pipeline of traditionally trained candidates has led to a growing skills gap. Meanwhile, cybercriminals have grown increasingly collaborative, but those who work to defend against them remain largely siloed. Collaboration platforms for security teams and shared threat intelligence between vendors are force multipliers for your team.

5. Getting Hacked Is an Advantage

If you’re not seeking out and patching vulnerabilities in your network and applications, you’re making an assumption that what you don’t know can’t hurt you. Ethical hacking and penetration testing turns hacking into an advantage, helping you find your vulnerabilities before adversaries do.

6. Compliance Is Liberating

More and more consumers say they will refuse to buy products from companies that they don’t trust to protect their data, no matter how great the products are. By creating a culture of proactive data compliance, you can exchange the checkbox mentality for continuous compliance, turning security into a competitive advantage.

7. Rigidity Is Breakthrough

The success of your business depends not only on customer loyalty, but also employee productivity. Balance security with productivity by practicing strong security hygiene. Run rigid but silent security processes in the background to stay out of the way of productivity.

What’s the bottom line here? Times are changing, and the current trend toward complexity will slow the business down, cost too much and fail to reduce cyber risk. It’s time to break through cybersecurity complexity and write new rules for a new era.

https://youtu.be/tgb-hpIrSbo

The post Break Through Cybersecurity Complexity With New Rules, Not More Tools appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Wangui McKelvey

Access Management, Identity and Access Management (IAM), Incident Response (IR), Security Information and Event Management (SIEM), Security Intelligence & Analytics, Security Operations Center (SOC), Security Solutions, Threat Detection,

Bring Order to Chaos By Building SIEM Use Cases, Standards, Baselining and Naming Conventions

Security operations centers (SOCs) are struggling to create automated detection and response capabilities. While custom security information and event management (SIEM) use cases can allow businesses to improve automation, creating use cases requires clear business logic. Many security organizations lack efficient, accurate methods to distinguish between authorized and unauthorized activity patterns across components of the enterprise network.

Even the most intelligent SIEM can fail to deliver value when it’s not optimized for use cases, or if rules are created according to incorrect parameters. Creating a framework that can accurately detect suspicious activity requires baselines, naming conventions and effective policies.

Defining Parameters for SIEM Use Cases Is a Barrier to SOC Success

Over the past few years, I’ve consulted with many enterprise SOCs to improve threat detection and incident response capabilities. Regardless of SOC maturity, most organizations struggle to accurately define the difference between authorized and suspicious patterns of activity, including users, admins, access patterns and scripts. Countless SOC leaders are stumped when they’re asked to define authorized patterns of activity for mission-critical systems.

SIEM rules can be used to automate detection and response capabilities for common threats such as distributed denial-of-service (DDoS), authentication failures and malware. However, these rules must be built on clear business logic for accurate detection and response capabilities. Baseline business logic is necessary to accurately define risky behavior in SIEM use cases.

Building a Baseline for Cyber Hygiene

Cyber hygiene is defined as the consistent execution of activities necessary to protect the integrity and security of enterprise networks, including users, data assets and endpoints. A hygiene framework should offer clear parameters for threat response and acceptable use based on policies for user governance, network access and admin activities. Without an understanding of what defines typical, secure operations, it’s impossible to create an effective strategy for security maintenance.

A comprehensive framework for cybersecurity hygiene can simplify security operations and create guidelines for SIEM use cases. However, capturing an effective baseline for systems can strengthen security frameworks and create order in chaos. To empower better hygiene and threat detection capabilities based on business logic, established standards such as a naming convention can create clear parameters.

VLAN Network Categories

For the purpose of simplified illustration, imagine that your virtual local area networks (VLANs) are categorized among five criticality groups — named A, B, C, D and E — with the mission-critical VLAN falling into the A category (_A).

A policy may be created to dictate that A-category VLAN systems can communicate directly with any other category without compromising data security. However, communication with the A-category VLAN from B, C, D or E networks is not allowed. Authentication to a jump host can accommodate authorized exceptions to this standard, such as when E-category users need access to an A-category server.

Creating a naming convention and policy for VLAN network categories can help you develop simple SIEM use cases to prevent unauthorized access to A resources and automatically detect suspicious access attempts.

Directory Services and Shared Resources

You can also use naming convention frameworks to create a policy for managing groups of user accounts according to access level in directory services, such as Lightweight Directory Access Protocol (LDAP) or Active Directory (AD). A standardized naming convention for directory services provides a clear framework for acceptable user access to shared folders and resources. AD users categorized within the D category may not have access to A-category folders or _A.

Creating effective SIEM rules based on these use cases is a bit more complex than VLAN business logic since it involves two distinct technologies and potentially complex policies for resource access. However, creating standards that connect user access to resources establishes clear parameters for strict, contextual monitoring. Directory users with A-category access may require stricter change monitoring due to the potential for abuse of admin capabilities. You can create SIEM use cases to detect other configuration mistakes, such as a C-category user who is suddenly escalated to A-category.

Username Creation

Many businesses are already applying some logic to standardize username creation for employees. A policy may dictate that users create a seven-character alias that involves three last-name characters, two first-name characters and two digits. Someone named Janet Doe could have the username DoeJa01, for example. Even relatively simple username conventions can support SIEM use cases for detecting suspicious behavior. When eight or more characters are entered into a username field, an event could be triggered to lock the account until a new password is created.

The potential SIEM use cases increase with more complex approaches to username creation, such as 12-character usernames that combine last- and first-name characters with the employee’s unique HR-issued identification. A user named Jonathan Doerty, for instance, could receive an automatically generated username of doertjo_4682. Complex usernames can create friction for legitimate end users, but some minor friction can be justified if it provides greater safeguards for privileged users and critical systems.

An external threat actor may be able to extrapolate simple usernames from social engineering activities, but they’re unlikely to guess an employee’s internal identification number. SIEM rules can quickly detect suspicious access attempts based on username field entries that lack the required username components. Requiring unique identification numbers from HR systems can also significantly lower the risk of admins creating fake user credentials to conceal malicious activity.

Unauthorized Code and Script Locations

Advanced persistent threats can evade detection by creating backdoor access to deploy a carefully disguised malicious code. Standard naming conventions provide a cost-effective way to create logic to detects malware risks. A simple model for script names could leverage several data components, such as department name, script name and script author, resulting in authorized names like HR_WellnessLogins_DoexxJo. Creating SIEM parameters for acceptable script names can automate the detection of malware.

Creating baseline standards for script locations such as /var/opt/scripts and C:Program Files can improve investigation capabilities when code is detected that doesn’t comply with the naming convention or storage parameters. Even the most sophisticated threat actors are unlikely to perform reconnaissance on enterprise naming convention baselines before creating a backdoor and hiding a script. SIEM rules can trigger a response from the moment a suspiciously named script begins to run or a code file is moved into an unauthorized storage location.

Scaling Security Response With Standards

Meaningful threats to enterprise data security often fly under the radar of even the most sophisticated threat detection solutions when there’s no baseline to define acceptable activity. SOC analysts have more technological capabilities than ever, but many are struggling to optimize detection and response with effective SIEM use cases.

Clear, scalable systems to define policies for acceptable activity create order in chaos. The smartest approach to creating effective SIEM use cases relies on standards, a strong naming convention and sound policy. It’s impossible to accurately understand risks without a clear framework for authorized activities. Standards, baselines and naming conventions can remove barriers to effective threat detection and response.

The post Bring Order to Chaos By Building SIEM Use Cases, Standards, Baselining and Naming Conventions appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Ludek Subrt

CISO, Incident Response, Incident Response (IR), Incident Response Plan, Security Intelligence, Security Intelligence & Analytics, Security Operations Center (SOC), Security Professionals, Skills Gap, Threat Intelligence, Threat Sharing,

Need a Sounding Board for Your Incident Response Plan? Join a Security Community

Incident response teams face myriad uphill battles, such as the cybersecurity skills shortage, floods of security alerts and increasing IT complexity, to name just a few. These challenges often overwhelm security teams and leave security operations center (SOC) directors searching for strategies to maximize the productivity of their current team and technologies to build a capable incident response plan.

One emerging solution is a familiar one: an ecosystem of developer and expert communities. Collaborative online forums have always been a critical part of the cybersecurity industry, and communities dedicated to incident response are growing more robust than ever.

How to Get Involved in a Developer Community

Incident response communities can be a crucial resource to give security analysts access to hands-on, battle-tested experience. They can deliver highly valuable, lightweight, easy-to-use integrations that can be deployed quickly. Community-driven security can also provide playbooks, standard operating procedures (SOPs), best practices and troubleshooting tips. Most importantly, they can help foster innovation by serving as a sounding board for your team’s ideas and introduce you to new strategies and techniques.

That all sounds great, but how do you know what community can best address your incident response needs? Where do you begin? Below are a few steps to help you get started.

1. Find the Communities That Are Most Relevant to You

To combat new threats that are being coordinated in real time, more and more vendors and services are fostering their own communities. Identify which ones are most relevant to your industry and business goals.

To start, narrow down your search based on the security products you use every day. In all likelihood, you’ll find users in these product-based communities who have faced similar challenges or have run into the same issues as your team.

Once you’ve selected the most relevant communities, make sure you sign up for constant updates. Join discussion forums, opt in to regular updates, and check back frequently for new blogs and other content. By keeping close tabs on these conversations, you can continuously review whether the communities you’ve joined are still relevant and valuable to your business.

2. Identify Existing Gaps in Your Security Processes

Communities are disparate and wide-ranging. Establishing your needs first will save you time and make communities more valuable to you. By identifying what type of intelligence you need to enhance your security strategy and incident response plan ahead of time, you can be confident that you’re joining the right channels and interacting with like-minded users.

Discussion forums are full of valuable information from other users who have probably had to patch up many of the same security gaps that affect your business. These forums also provide a window into the wider purpose of the community; aligning your identified gaps with this mission will help you maximize the value of your interactions.

3. Contribute to the Conversation

By taking part in these conversations, you can uncover unexpected benefits and give your team a sounding board among other users. As a security practitioner, it should be a priority to contribute direct and honest information to the community and perpetuate an industrywide culture of information sharing. Real-time, responsive feedback is a great tool to help you build a better security strategy and align a response plan to the current threat landscape.

Contributing to a community can take various forms. Community-based forums and Slack channels give developers a voice across the organization. By leveraging this mode of communication, you can bring important intelligence to the surface that might otherwise go under the radar. Forum discussions can also expose you to new perspectives from a diverse range of sources.

A Successful Incident Response Plan Starts With Collaboration

For its part, IBM Security gathers insights from experienced users across all its products in the IBM Security Community portal. Through this initiative, IBM has expanded its global network to connect like-minded people in cybersecurity. This collaborative network allows us to adapt to new developments as rapidly as threats evolve.

Collaboration has always been cybercriminals’ greatest weapon. It creates massive challenges for the cybersecurity industry and requires us to fight back with a united front of our own. With the support of an entire security community behind you, incident response tasks won’t seem so overwhelming and your resource-strapped SOC will have all the threat data it needs to protect your business.

The post Need a Sounding Board for Your Incident Response Plan? Join a Security Community appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Ted Julian

Artificial Intelligence (AI), Automation, Cognitive Security, Data Protection, Incident Response (IR), Security Information and Event Management (SIEM), Security Intelligence & Analytics, Security Operations Center (SOC), threat hunting, Threat Intelligence,

Maturing Your Security Operations Center With the Art and Science of Threat Hunting

Your organization has fallen prey to an advanced persistent threat (APT) after being targeted by a state-sponsored crime collective. Six million records were lost over 18 months of undetected presence on your network. While your security operations center (SOC) is fully staffed with analysts, your threat hunting capabilities failed to detect the subtle signs of threat actors moving laterally through your network and slowly exfiltrating customer data.

How did this happen?

It all started with a highly targeted spear phishing attack on your director of communications. He failed to notice the carefully disguised symbols in an email he thought was sent by the IT department and logged in to a spoofed domain. This credential theft resulted in the spread of zero-day malware and slowly escalated account privileges. While some of the criminals’ behavior triggered alerts in the SOC, your analysts categorized the incidents as benign positives. Your organization is now facing a multimillion-dollar cleanup and a serious loss of customer trust.

Why you need to master threat hunting

Why You Should Hunt Advanced Threats Before They Strike

Situations like the one described above are all too common in our industry. The majority of successful exploits attributed to human error fit a small series of predictable patterns that exploit known vulnerabilities in an organization’s network. As a result, many data breaches can be prevented with effective cyber hygiene tactics.

Advanced threats are a smaller proportion of incidents, but they are typically undetected and cause the most damage. In addition, the rise in state-sponsored crime and criminal activity on the dark web has created an ecosystem that fosters open exchange between the world’s most sophisticated and skilled criminals.

The cost of a serious breach is also trending upward. According to Ponemon, the average cost of a megabreach that results in the loss of more than 1 million customer records is $40 million. And more than 60 percent of data breaches have links to either state actors or advanced, organized crime groups, according to Verizon. APTs that evade detection can result in dwell times that range from three to 24 months, further increasing the total cleanup cost for a data breach.

How can security teams fight these kinds of threats? The majority of enterprise SOCs are now at least three years old, according to a recent study from Exabeam, and are increasing in maturity. While human analysts and manual research methodologies can act as a firewall against many risks, there’s a need to scale SOC intelligence and threat hunting capabilities to safeguard against APTs.

What Is Threat Hunting?

Threat hunting can be defined as “the act of aggressively intercepting, tracking and eliminating cyber adversaries as early as possible in the Cyber Kill Chain.” The practice uses techniques from art, science and military intelligence, with internal and external data sources informing the science of statistical and cognitive analysis. Human intelligence analyzes the results and informs the art of a response. Last year, 91 percent of security leaders reported improved response speed and accuracy as a result of threat detection and investigation, according to the SANS Institute.

Threat hunting is not defined by solutions, although tools and techniques can significantly improve efficiency and outcomes. Instead, it’s defined by a widely accepted framework from Sqrrl. These are the four stages of Sqrrl’s Threat Hunting Loop:

  1. Create a hypothesis.
  2. Investigate via tools and techniques.
  3. Discover new patterns and adversary tactics, techniques and procedures (TTPs).
  4. Inform and enrich automated analytics for the next hunt.

The goal for any security team should be to complete this loop as efficiently as possible. The quicker you can do so, the quicker you can automate new processes that will help find the next threat.

The 4 Characteristics of a Comprehensive Threat Hunting Capability

A mature threat hunting capability is closely associated with SOC maturity. The least mature SOCs have human analysts who act as a firewall. As SOCs approach maturity and adopt security information and event management (SIEM) tools, their capacity to reactively investigate indicators of compromise (IoCs) increases. The most mature SOCs take a proactive approach to investigating IoCs, with researchers, analysts, solutions and a clearly defined methodology to orchestrate both investigation and response. A comprehensive capacity for hunting threats is defined by four key characteristics:

  1. Data handling: The ability to handle a deluge of data across siloed networks, including insight into internal risks, advanced activities from external threat actors and real-time threat intelligence from third-party sources.
  2. Data analysis: The ability to correlate a high volume and velocity of disparate data sources into information and, ultimately, intelligence.
  3. Informed action: Resources to increase threat hunters’ skills and easily feed threat intelligence through training, policy and cognitive capabilities.
  4. Orchestrated action: Defined processes and methodologies to hunt threats in a repeatable and orchestrated way that informs proactive security capabilities throughout the organization.

Organizations that fail to increase SOC maturity and adopt the solutions and processes for hunting threats face a number of risks. Relying on manual research methodologies can lead to costly data breaches and permanent brand damage when APTs evade detection. A lack of solutions and methods for an orchestrated IoC investigation process means less efficient and accurate operations. The absence of SOC orchestration encourages heavily manual processes.

The Diverse Business Benefits of Hunting Threats

Using cognitive intelligence tools to enhance SOC capabilities, Sogeti Luxembourg successfully reduced the average time of root cause determination and threat investigation from three hours to three minutes. In the process, the financial institution sped up their threat investigation process by 50 percent and saw a tenfold increase in actionable threat indicators.

Hunting threats can offer a number of benefits to both the business and the security operations center. The outcomes include greater protection of reputation, a more intelligent SOC and orchestrated security response.

Reputation Protection

Falling prey to an APT can cause lasting damage to a brand. One core benefit of implementing a more sophisticated threat hunting capability is the potential to guard against the most costly data breaches, which typically result in millions of lost records or permanent data deletion.

SOC Maturity

SOC analyst stress and falsely assigned benign positives are at record highs. APTs can easily go unnoticed due to the sheer volume of noise, which creates a culture of alert fatigue.

Achieving mature threat detection capabilities can change how analysts work and allow organizations to implement a cognitive SOC. Security analytics platforms enhance human intelligence and reduce manual research, and correlation tools provide real-time insight from a variety of structured and unstructured third-party data sources.

Orchestrated Security Response

With the technological capabilities to outthink adversaries, organizations can inform a proactive, unified approach to incident response (IR) that begins in the SOC. Internal and external data sources augment the intelligence of human analysts, allowing real-time, informed decision-making. Investigations and response can inform action as soon as anomalous behaviors or patterns are detected. The result is a defined process that allows your organization to mitigate threats earlier in the Cyber Kill Chain.

Intelligent Response to Sophisticated Threats

The majority of threats your organization faces each day will fit predictable patterns. While APTs make up a statistically small percentage of incidents investigated by an SOC, sophisticated threat actors use unique tactics and techniques to evade detection in a noisy SOC. These threats are the most likely to evade detection and result in highly expensive cybercrime.

State-sponsored criminal activity and attacks launched by sophisticated crime collectives are increasing. To guard against these increasingly complex threat vectors, organizations need to proactively prepare their defenses. Implementing cognitive tools in the SOC can enable organizations to adopt proactive threat hunting capabilities that leverage both art and science. By combining repeatable processes for threat investigation with intelligent solutions and skilled analysts, organizations can respond to threats earlier in the kill chain and protect their most critical assets.

Read the e-book: Master threat hunting

The post Maturing Your Security Operations Center With the Art and Science of Threat Hunting appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Rob Patey

Artificial intelligence, Chief Information Security Officer (CISO), CISO, Incident Forensics, Incident Management, Incident Response, Incident Response (IR), orchestration, Security Intelligence & Analytics, Security Leaders, Security Operations and Response, Security Operations Center (SOC), Security Professionals, Skills Gap,

Maximize Your Security Operations Center Efficiency With Incident Response Orchestration

It’s 5:48 a.m. — only 48 minutes into your 12-hour shift in the security operations center (SOC), and you’ve already investigated three threats. You were prepared for a long shift, but since an analyst on the night crew just quit, now you’re covering her shift, too. How is anyone supposed to stay vigilant in the thick of a monotonous 24-hour slog in the SOC?

When you first started, you tried talking to your boss about how incident response orchestration software and other tools might work more efficiently. Today, you’re just trying to survive. It’s hard to not feel completely numb when you’re buried in hundreds of alerts you can’t possibly review.

When the tools in the SOC don’t integrate seamlessly into a unified security immune system of solutions, analysts can’t make the most of their time. Given the widening cybersecurity skills gap, the rising cost of a data breach and the blinding speed at which alerts pile up in security information and event management (SIEM) logs, security leaders must empower their analysts to maximize their efficiency.

The first step is to give them the tools they need to accurate prioritize all those alerts — but what does intelligent incident response look like in practice, and how can orchestration and automation help tranform a reactive response system into a proactive security powerhouse? Let’s zoom in on what’s holding SOCs back and how an integrated ecosystem of tools can help analysts overcome these challenges before, during and after an attack.

Learn to orchestrate incident response

Reactive, Manual Processes in the Understaffed SOC

The average security analyst investigates 20–25 incidents each day. It takes the average analyst 13–18 minutes to compare indicators of compromise (IoC) to logs, threat intelligence feeds and external intelligence, and manual research can yield false positive rates of 70 percent or higher.

To make matters worse, as security analysts struggle against an increased volume of complex alerts, the SOC is facing a talent crisis: Sixty-six percent of cybersecurity professionals believe there are too few qualified analysts to handle alert volume in the SOC.

According to the Ponemon Institute’s “2018 Cost of a Data Breach Study,” the average cost of a breach globally is $3.86 million, a 6.4 percent increase from 2017. As threat actors become more effective at evading and targeting the enterprise, the majority of analysts can’t keep up. Twenty-seven percent of SOCs receive more than 1 million alerts each day, and the most common response to alert fatigue is to modify policies for fewer alerts.

Orchestration and automation can free overwhelmed analysts in the SOC and significantly improve cyber resiliency throughout the enterprise. In act, research has shown that SOC orchestration can triple incident response volume and reduce time to response significantly.

“While data breach costs have been rising steadily, we see positive signs of cost savings through the use of newer technologies as well as proper planning for incident response, which can significantly reduce these costs,” said Dr. Larry Ponemon.

Automation reduces the average cost of a data breach by $1.55 million. To build a cyber resilient enterprise, security leaders need intelligent solutions for orchestration, automation, machine learning and artificial intelligence (AI).

What Are the Attributes of Intelligent Incident Response?

Enterprises can save an average of $1 million by containing a data breach in under 30 days, according to the Ponemon study. However, the average time to containment is 69 days. Security leaders should consider the risks of failing to adopt solutions to for intelligent and proactive response, including costlier data breaches caused by reactive response and longer containment times.

The SOC is facing a higher volume of more sophisticated threats, and there is a massive shortage of cybersecurity talent to boot. The right approach to intelligent response, therefore, encompasses solutions for the following:

  1. Orchestration and automation — An integrated, streamlined ecosystem can enable organizations to create dynamic incident response (IR) plans and automate remediation.
  2. Human and artificial intelligence — Operationalize human intelligence, leverage advanced threat intelligence and collaborate with experts.
  3. Case management — Establish systems for continual IR plan improvement while developing a clear understanding of internal workloads and skills.

Let’s take a closer look at how intelligence incident response orchestration works in practice and how it can help security leaders free up their overworked analysts for more pressing tasks.

3 Use Cases for Intelligent Incident Response Orchestration

A comprehensive ecosystem of security solutions can enable the enterprise to prepare for sophisticated cyberthreats, respond proactively to risks and apply lessons learned to create future safeguards. Intelligent orchestration creates efficiency and accuracy before an attack, during an incident and after remediation.

1. Before an Attack

Half of respondents to a recent survey believe it’s somewhat or highly likely that their organization will have to respond to a major incident in the next year, while 9 percent have “no doubt.” The right time to address SOC challenges, such as the increased volume of highly targeted threats and too many single-purpose solutions, is before an attack occurs.

The first step to build a cyber resilient enterprise involves adopting an advanced incident response platform to create automated, intelligent workflows that encompass people, processes and technology. This solution can be enhanced with a security information and event management (SIEM) solution to deliver comprehensive incident analytics and visibility into emerging threats.

Enlisting security operations consultants can help organizations supplement their internal talent. Collaborating with external IR experts, meanwhile, can help companies implement effective training and strategic preparation.

2. During an Attack

Minutes count when the enterprise is facing a sophisticated, targeted threat. The incident response platform (IRP) can act as a centralized solution for comprehensive response remediation. When coupled with cognitive intelligence, organizations can rapidly investigate threats without overwhelming their SOC staff.

When a critical incident is detected, the SOC can call in on-demand IR experts for assistance managing and remediating the incident. The IRP generates a response playbook, which updates dynamically as threat intelligence solutions provide analysis of the incident and endpoint analytics solutions deliver details of on-site infection and automated reporting to the legal team.

Using solutions for threat intelligence, forensics and other solutions, IR analysts can research the tactics used by attackers to pinpoint the source of the incident. By following instructions from the playbook, SOC analysts can coordinate with IT on remediation actions, such as global password resets and segregation of privileged accounts.

3. After an Attack

There are few genuinely random cybersecurity attacks. In the last 18 months, 56 percent of organizations that fell victim to a significant attack were targeted again in the same period.

When an attack is fully remediated, security analysts can prepare efficient reporting on the incident using data from security intelligence solutions, forensic investigation tools and insights from the response researchers. This research can be presented directly to the executive leadership team to communicate the status of the incident, actions taken and lessons learned.

By collaborating with third-party response experts and security service consultants, the SOC team can work to refine formal incident response policies and enhance security controls. As SOC operations resume, analysts can improve readiness with a customized response drill training.

Why Incident Response Orchestration Matters

By protecting the enterprise with solutions to automate and orchestrate incident response, security leaders can introduce the benefit of cyber resiliency to the organization. According to Forrester, “Technology products that provide automated, coordinated, and policy-based action of security processes across multiple technologies, [make] security operations faster, less error-prone, and more efficient.” Adding the right solutions for orchestration, cognitive intelligence, and case management can ease the burden on the SOC while reducing cybersecurity risks.

Six steps to proactive and resilient incident response

The post Maximize Your Security Operations Center Efficiency With Incident Response Orchestration appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Dan Carlson

Advanced Persistent Threat (APT), Advanced Threats, Authentication, Behavioral Analytics, CISO, Cost of a Data Breach, Data Breach, Incident Response, Incident Response (IR), Multifactor Authentication (MFA), Security Information and Event Management (SIEM), Security Intelligence & Analytics, Security Operations Center (SOC), Security Solutions, Threat Intelligence,

Close the Gap on Advanced Threats With Integrated Security

The board of directors is finally starting to grasp that security risk equals business risk. But as you finalize your presentation on the company’s cybersecurity posture, you can’t help but second-guess yourself. You know the CEO, CFO and other senior leaders want to hear that the security team has an effective strategy for handling advanced threats, but the truth is that your analysts are drowning in data with little meaningful insight into risks.

Based on your knowledge of the rapidly expanding threat landscape, you know the company is vulnerable to a data breach it can’t afford. The problem is that you can’t demonstrate this risk without adequate visibility into the organization’s sensitive data and the vulnerabilities threat actors might exploit to steal it. What’s worse, your security operations center (SOC) is spread thin across the widening cyber skills gap, and alerts are piling up as analysts slog through manual processes. How can chief information security officers (CISOs) free up their SOC teams to investigate the most pressing alerts and minimize risks before they evolve into costly incidents?

Detect and stop advanced persistent security threats

Why Threats Are Outpacing the SOC

While the security profession is finally gaining respect and attention it deserves, understaffed SOCs are struggling to triage enormous volumes of security event data. And the problem is only getting worse; Cybersecurity Ventures predicted that the industry will have 3.5 million unfilled cybersecurity positions by 2021.

Despite the increased spend, many organizations are failing to see results from their security investments. Some organizations have 85 distinct security solutions from 45 unique vendors, but little confidence in their capacity to detect threats. No matter the size of your security arsenal, these standalone tools cannot adequately protect enterprise networks from today’s advanced threats in isolation.

Coupled with the skills crisis, the SOC is grappling with the increasing complexity of the threat landscape. Costly, difficult-to-detect insider attacks have increased by 46 percent since 2014. Meanwhile, 62 percent of security experts believe threat actors will weaponize artificial intelligence (AI) to launch targeted attacks at scale in the next year, according to a Cylance survey.

A New Approach to Detect and Stop Advanced Threats

Despite record-breaking spend on security solutions, the SOC is losing ground for more reasons than the skills shortage and evolving threats. Technology is a barrier for many enterprises in which the security organization lacks a comprehensive view of the risk landscape. Disconnected systems, the IT skills gap and a lack of automation have made it very difficult for these organizations to distinguish advanced threats from false positives.

The cost of failing to adopt a new approach to threat detection and remediation is higher than ever. According to the “2018 Cost of a Data Breach Study,” sponsored by IBM Security and conducted by the Ponemon Institute, a mega breach of 50 million or more records can cost as much as $350 million. Targeted, malicious attacks and botnets are among the most expensive types of security incident.

“With a variety of threat vectors to contend with, companies must proactively implement policies and technologies that mitigate the risk of facing a costly breach,” said Larry Ponemon, chairman and founder of Ponemon Institute.

By creating an integrated security ecosystem of solutions, policies and people, organizations can more efficiently and effectively detect advanced threats. AI, machine learning and automation can improve the accuracy and speed of threat investigations, while solutions to orchestrate systems, processes and users minimize the impact of incidents.

5 Use Cases for Advanced Threat Detection and Prevention

How’s this for a use case: With an intelligent security ecosystem, Wimbledon achieved 60 times greater efficiency in threat investigations over manual processes. IBM solutions helped the oldest brand in tennis investigate five times more incidents during the annual tournament, with zero security impact to operations.

Use cases for operations strategy, managed incident response, SOC automation, behavioral analytics and user authentication demonstrate how IBM Security solutions offer a complete spectrum of protection against sophisticated threats.

1. Operational Strategy

A recent survey of Black Hat 2018 attendees revealed that sophisticated, targeted attacks are the top concern for 47 percent of security professionals. Other frequently cited challenges facing the enterprise include social engineering, insider threats and cloud risks. When an enterprise is facing these known risks and lacks confidence in existing technologies, it’s critical to strengthen operations proactively.

Partnering with security operations and consulting services can enable the enterprise to design and build a comprehensive response with a cognitive SOC, SOC training and security incident event management (SIEM) optimization.

2. Incident Response

According to Marsh & McLennan, 14 percent of organizations are “not at all confident” or unsure if they are adequately prepared to respond to or recover from a cyber incident. As vulnerabilities and risks evolve, organizations need a culture of continuous improvement to weather the coming storm of advanced threats.

Developing relationships with industry detection and response experts can provide organizations with decades of threat intelligence experience. Managed SIEM services can offer cognitive intelligence for cybersecurity and comprehensive, compliant infrastructure.

3. SOC Automation

Enterprise SOCs encounter 200,000 unique security events each day on average. A cognitive SOC with automation, machine learning, AI and orchestration solutions eases the burden on analysts and improves effectiveness. Incident response automation can reduce the total cost of a data breach by $1.55 million. Meanwhile, intelligent SIEM solutions deliver cognitive security analytics and automation with contextual intelligence to identify significant risks.

4. Visibility Into Anomalies

According to Fidelis Security, 83 percent of SOCs triage less than half of the alerts received each day. This may be due in part to too much time spent chasing false alerts; manual research processes can yield false positive rates of 70 percent or higher.

Organizations can identify user risks and suspicious behavior by investing in behavioral analytics that provide at-a-glance visibility into anomalies.

5. User Authentication

As the enterprise pursues digital transformation, a smarter approach to identity is the new perimeter. While just 67 percent of respondents are currently comfortable using biometrics and other advanced forms of authentication, according to “The Future of Identity,” 87 percent believe they’ll be comfortable in the future.

With cloud-based multifactor authentication, organizations can simplify and scale a checkbox approach to authentication policies across web and mobile applications, including risk-based approaches to user access and biometric authentication methods.

Closing the Gap on Enterprise Threats

Enterprises are spending more than ever on security solutions. However, industry surveys and breach rates show that standalone tools aren’t providing meaningful protection against sophisticated threats.

As the threat landscape continues to evolve, organizations need an integrated ecosystem of solutions that provide visibility into internal and external risks. By continuously aligning systems, policies and people, security teams can improve the accuracy and speed of threat investigations and minimize the risks of advanced threats at each stage of the attack chain.

Advanced threats: 3 steps to safety

The post Close the Gap on Advanced Threats With Integrated Security appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Rob Patey

Access Management, Artificial Intelligence (AI), Chief Information Officer (CIO), Chief Information Security Officer (CISO), CISO, Data Breaches, Data Protection, Data Security, database security, Hybrid Cloud, Incident Response (IR), Integrated Security, Network Security, Patch Management, Risk Assessment, Risk mitigation, Security Operations Center (SOC), Vulnerability Management,

Your Security Strategy Is Only as Strong as Your Cyber Hygiene

It’s an all-too familiar scenario: An email directive to apply a patch to a web server goes ignored, and no one follows up to be sure the patch has been applied. As a result of this simple lack of cyber hygiene, the organization falls prey to a widespread strain of malware.

The team that should have handled the update was probably busy and might not have been fully staffed. There may not have been enough budget to hire enough of the right kind of talent, or perhaps there were just too many factors to be checked and covered. None of that matters, though; the network was breached, and it was entirely preventable. Failure to cover the basics was the downfall, and it could lead to negative publicity and loss of business.

Learn more about enhancing security hygiene

Your Security Improvements Could Be Missing the Point

The average enterprise security team has more solutions in its arsenal than ever before. As reported by ZDNet, some companies have more than 70 unique security applications and tools in place. While chief information security officers (CISOs) and their teams  may be drowning in technology, the enterprise isn’t becoming more secure. In fact, the chances of facing a data breach have increased exponentially over the last several years, according to research from the Identity Theft Resource Center.

The truth is that the vast majority of data breaches can be prevented with basic actions, such as vulnerability assessments, patching and proper configurations. An Online Trust Alliance study estimated that 93 percent of reported incidents could have been avoided with basic cyber hygiene best practices, a figure that remains largely unchanged in the past decade. While advanced threats are growing in volume and sophistication, organizations are still getting breached due to poor key management, unpatched applications and misconfigured cloud databases.

CISOs aren’t blind to these trends. According to the “2018 Black Hat USA Attendee Survey,” 36 percent of leaders spend the majority of their time on any given day trying to accurately measure their organization’s security posture. Sixteen percent believe their organization’s greatest failure is “a lack of integration in security architecture” and “too many single-purpose solutions.” Security teams are drowning in alerts and grasping for solutions that streamline cyber hygiene activities.

What Does Cybersecurity Hygiene Entail?

Cyber hygiene refers to maintaining the security and health of an enterprise’s network, endpoints and applications through routine efforts to avoid vulnerabilities and other fundamental activities. It means perfecting the basics, including:

  • Deleting redundant user accounts;
  • Enforcing access and passwords with policy;
  • Backing up mission-critical data;
  • Securing physical and cloud databases;
  • Application whitelisting; and
  • Managing configurations.

When put into practice on an enterprise network, security hygiene is a continuous cycle of identifying vulnerabilities, mitigating risks and improving response capabilities. This begins with a vulnerability assessments of your network and data assets. After all, knowledge is the first step toward effective security hygiene.

Why Preventable Data Breaches Continue to Happen

Organizations that fail to perform basic security improvements face near-certain risks. Last year, IBM X-Force reported a twofold increase in injection attacks aimed at vulnerable applications and devices over the previous year. In total, injection attacks comprised 79 percent of all malicious network activity. An unpatched server or misconfigured cloud database can also lead to costly consequences. The loss of consumer trust could be more severe in the event that an organization is forced to admit it didn’t perform the basics.

The reason why organizations are struggling with cyber hygiene goes beyond human negligence. Networks are more complex than ever, and cyber hygiene requires the effective alignment of people, policies, processes and technology. Organizations fall prey to fully preventable attacks due to increased endpoints, cloud adoption, stolen credentials and the immense resources needed to address regulatory shifts.

“Security in a hyperconnected era presents a new set of challenges, but these can be greatly eased by implementing innovative practices and adopting a more integrated, holistic approach,” said Marc van Zadelhoff, former IBM Security General Manager, in a statement. “CISOs that prioritize these factors can help their organizations significantly improve business processes and achieve measurable success.”

Enterprise networks are complex, and fragmented security solutions for vulnerability assessment don’t reveal the full picture. Security operations centers (SOCs) are overwhelmed with alerts and relying on manual threat research. Performing basic security improvements is impossible without the right ecosystem to identify data risks.

5 Steps to Create an Effective Cyber Hygiene Practice

Hygiene is at the core of a security risk mitigation strategy. Security hygiene is a cultural mindset that spans security, IT, leadership and the individual. To adequately address basic risks, CISOs need full buy-in to continually review data management practices, improve response capabilities and enhance employee awareness. Let’s take a closer look at five steps organizations can take to create an effective cyber hygiene practice.

1. Identify Risks

Data is a modern organization’s most valuable asset. Solutions for security hygiene must comprehensively identify the location and sensitivity of business data, extending to risk assessment, remediation and vulnerability assessments of hybrid cloud environments.

Risk needs to translate into action, and CISOs should actively share knowledge of data security with other executives to improve privacy. Solutions for comprehensive, real-time vulnerability assessment can help in the development of a stronger approach to risk and compliance.

2. Prioritize Response

Security hygiene is a continuous effort to address risks in real time and prioritize the protection of the most sensitive data assets. Organizations must develop a response policy based on data sensitivity. Cognitive security solutions can help orchestrate efforts to remediate the highest-risk vulnerabilities and automate activities to enforce policy or regulatory requirements.

3. Improve Risk Awareness

CISOs, risk officers and business leaders should collaborate to improve incident response (IR) capabilities where hygiene is viewed as an imperative. Third-party expertise can increase risk awareness and orchestration capabilities and design thinking can help increase the use of cognitive technologies, artificial intelligence (AI) and risk management automation for streamlined security hygiene.

4. Secure Digital Transformation

Change is inevitable and constant in a contemporary enterprise network environment. Security hygiene involves a forward-thinking attitude that creates policies for secure deployment and management of new technologies. Change management efforts should incorporate discussions on how to actively secure Internet of Things (IoT) deployments and other emerging technologies.

5. Disseminate Responsibility

Leaders should create a culture that encourages compliant behaviors in employees. Silent security can safeguard data privacy across endpoints without sacrificing user productivity. A culture of shared responsibility helps mitigate the risks of shadow IT, especially when coupled with employee awareness initiatives.

Take Preventative Measures Against Meaningful Security Risks

The most crucial improvement to your organization’s security stance may not be acquiring new solutions; it could be a shift to a culture of cyber hygiene. CISOs must collaborate with other leadership to address one of today’s most significant business risks: failure to check off the basics effectively.

The majority of today’s security breaches are caused by inadvertent insider mistakes, such as unpatched systems, misconfigured cloud databases and incomplete risk assessments. Without full network visibility and regular utilization of cyber hygiene best practices, your enterprise could face very real, but entirely preventable, security risks.

Read the e-book: Enhance security hygiene

The post Your Security Strategy Is Only as Strong as Your Cyber Hygiene appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Kami Haynes