I recently brought together three recognized practice leaders in cybersecurity—Security Curve CTO and Founding Partner Diana Kelley, Berkeley Varitronics President and CEO Scott Schober, and world-renowned security expert Shahid N. Shah—for a rapid-fire Q&A session designed to give you actionable insight in just a few minutes of reading time. Here's the result.
Q1: What's one best practice that SecOps teams tend to fall short on?
A1 (Shah): SecOps teams often fail to form a truly solid, accurate, and complete understanding of their organization's “as-is” behavior before they plow ahead with all their other wonderful and sophisticated countermeasures. This is a big mistake because your ability to detect anomalies in your particular environment is almost entirely contingent on understanding what normalcy is for your particular environment.
And, of course, your normalcy baseline has to be a bit more sophisticated than a mere snapshot of your environment's behavior at some random time on some random day. You also need to apply behavior modeling and analytics to your determination of “normal for us” so that reasonable deviations in behavior driven by regular business activity don't create a lot of annoying false positives.
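To make the "normal for us" idea concrete, here is an added example (not from the article or from Shah) that compares a naive global login-count threshold with a per-hour-of-day baseline. The five-day baseline and the "today" observations are constructed sample data; the point is that the predictable 08:00-09:00 login surge is not an anomaly for this environment, while a burst at 03:00 is.

```python
"""Hour-of-day baseline for login events (added example, constructed data).

A single global threshold fires on the normal morning surge and misses a
genuinely unusual off-hours burst; a baseline keyed by hour of day does not.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed five-day baseline: (day, hour, login_count).
# Quiet overnight, surge at 08-09, moderate through the working day.
BASELINE = []
for day in range(5):
    for hour in range(24):
        if 8 <= hour <= 9:
            count = 120 + (day * 7) % 11
        elif 10 <= hour <= 17:
            count = 60 + (day * 5 + hour) % 9
        else:
            count = 3 + (day + hour) % 3
        BASELINE.append((day, hour, count))

# Constructed "today": a normal morning, plus an unexplained burst at 03:00.
TODAY = [(3, 45), (8, 125), (9, 128), (12, 66), (22, 4)]


def build_baseline(events):
    """Return {hour: (mean, population stdev)} from (day, hour, count) tuples."""
    by_hour = defaultdict(list)
    for _, hour, count in events:
        by_hour[hour].append(count)
    return {h: (mean(v), pstdev(v)) for h, v in by_hour.items()}


def flag_global(observations, threshold=100):
    """Naive rule: any hour with more than `threshold` logins is an alert."""
    return [(h, c) for h, c in observations if c > threshold]


def flag_baselined(observations, baseline, z=3.0, floor=5):
    """Alert when a count exceeds mean + z*stdev for that hour of day.

    `floor` gives very quiet hours a minimum tolerance so a near-zero stdev
    does not turn a single extra login into an alert.
    """
    alerts = []
    for hour, count in observations:
        mu, sigma = baseline[hour]
        limit = mu + max(z * sigma, floor)
        if count > limit:
            alerts.append((hour, count))
    return alerts


if __name__ == "__main__":
    print("global threshold:", flag_global(TODAY))
    print("hour-of-day baseline:", flag_baselined(TODAY, build_baseline(BASELINE)))
```

The global rule alerts on 08:00 and 09:00 (the daily surge) and says nothing about 03:00; the baselined rule alerts only on the 03:00 burst. In practice the baseline would also be keyed by weekday, by user population or by source network, but the structure is the same.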
Q2: What's one attitude or perspective that SecOps teams typically need to adjust?
A2 (Kelley): When it comes to ransomware, many security professionals still have that old PEBCAK—or “problem exists between chair and keyboard”—attitude. That's not a very productive way to think about your users. Instead, SecOps teams should think of users as early responders who are in exactly the right position to flag unusual activity as soon as they see it in their inbox.
So rather than wrongly believing that users are untrainable—and instead of just finger-pointing and shaming users who click on phishing emails during anti-ransomware training—it makes much more sense to celebrate people who accurately flag bad emails by giving them a “Catch of the Month” award or some other kind of positive reinforcement.
Q3: What's one topic SecOps teams need to get better at discussing with their peers in IT?
A3 (Schober): Backup is ultimately your last line of defense in the event of a successful attack, so security professionals should be in constant dialog with IT about the state of their organization's backup. And backup doesn't just mean copying some files to some secondary storage media. It means running routine tests to ensure that restores from backups really work—including restoration of all critical physical and virtual servers—and that the backup window remains acceptable to the business, even as the volume and complexity of what's being backed up continually increases over time.
It's also vital that backup data is truly immutable—that is, it cannot be changed or deleted by the same kinds of attacks that can threaten primary servers and storage.
And this discussion shouldn't be adversarial at all. In fact, IT leaders often want to invest more in backup and failover than their budgets allow. By bringing security into what otherwise might be strictly a disaster recovery/business continuity discussion, it's often easier to shake loose much-needed funding from the budgetary powers-that-be.
Q4: What's one technology or technical discipline you believe security pros should embrace more?
A4 (Kelley): Cyberattacks of all sorts—including ransomware—leverage known software vulnerabilities to either gain a beachhead or move laterally in the target environment. Unfortunately, organizations now have more code running in more places than ever: commercial applications running on-premises, SaaS running in multiple clouds, systems that they share with suppliers and customers, custom back-end code for mobile apps, etc.
Of course, we know that we have to keep this software at the latest version and patch level. But that's tough to do if you don't have a complete inventory of all the software in use across your organization. One solution to consider is a vulnerability management (VM) solution that continuously inventories all IT assets and uses risk-based scoring to prioritize your riskiest assets in the context of your organization. Point-in-time assessments can be useful if you're looking for lingering threats or risks, but having a solution that continually looks for your vulnerabilities is key to building security discipline in your organization.
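As an added example of what "risk-based scoring in the context of your organization" looks like (not from the article or from Kelley), the script below ranks findings from a constructed asset inventory. The asset names, the placeholder vulnerability identifiers and the weighting factors are all assumptions made for the demonstration; the point it shows is that the finding with the highest CVSS score is not the one to fix first, and that a host with findings but no inventory record is itself a signal.

```python
"""Contextual prioritization of vulnerability findings (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    criticality: int       # 1 (lab box) .. 5 (crown jewel), assigned by the business
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    hostname: str
    vuln_id: str           # placeholder identifiers, not real CVE numbers
    cvss: float            # 0.0 .. 10.0 base score
    exploit_known: bool    # public exploit or reported active exploitation


# Constructed inventory: hostname -> Asset.
INVENTORY = {a.hostname: a for a in [
    Asset("erp-db-01", criticality=5, internet_facing=False),
    Asset("www-edge-02", criticality=4, internet_facing=True),
    Asset("qa-lab-07", criticality=1, internet_facing=False),
]}

# Constructed scanner output; "shadow-it-03" is not in the inventory.
FINDINGS = [
    Finding("qa-lab-07", "VULN-A", cvss=9.8, exploit_known=False),
    Finding("www-edge-02", "VULN-B", cvss=7.5, exploit_known=True),
    Finding("erp-db-01", "VULN-C", cvss=6.5, exploit_known=True),
    Finding("shadow-it-03", "VULN-D", cvss=5.0, exploit_known=False),
]


def contextual_risk(finding, inventory):
    """Return (score, note). Hosts missing from the inventory get a conservative
    default (medium criticality, assumed exposed) and a note for the asset team."""
    asset = inventory.get(finding.hostname)
    note = ""
    if asset is None:
        asset = Asset(finding.hostname, criticality=3, internet_facing=True)
        note = "not in inventory: treat as exposed until classified"
    exposure = 1.5 if asset.internet_facing else 1.0        # assumed weights
    exploitability = 2.0 if finding.exploit_known else 1.0  # assumed weights
    score = finding.cvss * asset.criticality * exposure * exploitability
    return round(score, 1), note


def prioritize(findings, inventory):
    """Rank findings by contextual score, highest first."""
    ranked = [(*contextual_risk(f, inventory)[:1], f.hostname, f.vuln_id,
               contextual_risk(f, inventory)[1]) for f in findings]
    return sorted(ranked, reverse=True)


def cvss_only(findings):
    """The ordering a context-free, CVSS-only view would give."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


if __name__ == "__main__":
    print("CVSS only:", cvss_only(FINDINGS))
    for row in prioritize(FINDINGS, INVENTORY):
        print(row)
```

By CVSS alone VULN-A on the lab box would be fixed first; with asset context it drops to the bottom, the exploited flaw on the internet-facing web edge comes first, and the unclassified host surfaces with a note rather than silently inheriting a low rank. Whatever weights a team chooses, the inventory has to be continuously maintained for the scoring to mean anything, which is the discipline the answer above argues for.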
Q5: What's one budget item every security leader should push to get fully funded?
A5 (Schober): Even the greatest writers have editors who review their work before publication, and even the greatest scientists have to submit their papers for peer review.
This exact same principle holds true for security. No matter how great a job you believe you and your team are doing, you need a fully qualified and independent third party to perform vulnerability assessment and penetration testing on your environment. And you don't want to skimp on this, because potential attackers are not skimping on the creativity with which they're attempting to cause you to have a Very, Very Bad Day.
As I listened to these industry experts share the factors that SecOps leaders consider while they plan for 2022, I realized that they align with the trends we are seeing here at Secureworks. There has been increased investment in cybersecurity partnerships to deliver 24x7 threat prevention, detection, and monitoring. This in turn enables SecOps teams to focus on the other critical initiatives referenced above. Given that 62% of security professionals have seen an increased workload from the cybersecurity skills shortage, many are looking to Managed Detection and Response (MDR) services to alleviate the pressure on their team while securing their ecosystem.
Learn how MDR Done Right can improve your cybersecurity posture.