Aiming at a Moving Target: The Future of Security Teams in a Dynamic Environment

One look at the latest headlines and the prevailing cybersecurity threat becomes abundantly clear. In the last few weeks alone, we witnessed a consequential ransomware attack on a major US fuel pipeline, an attack on Ireland’s National Health Service, and more recently, the world’s largest meat processing company took a hit. According to Red Canary’s State of Incident Response Report, 93% of organizations have suffered at least one security incident that compromised data in the last 12 months.

Cybercriminals are taking advantage of new opportunities created by the pandemic and a drastic shift to remote working. Suddenly, security teams are scrambling to migrate to the cloud and manage the onslaught of personal devices newly introduced to the corporate IT environment. Indeed, a report by SailPoint revealed that 1 in 3 US employees are using their own computer and smartphone to facilitate remote work.

It’s no wonder security leaders are concerned. This change to remote work has meant that the IT environment and attack surface they were charged with protecting suddenly looked and acted a lot differently.

Uncertainty in a Changing IT Environment

Organizations can no longer rely on perimeter defenses alone to protect their network and IT infrastructure. Simple antivirus, network firewalling and email filtering systems are no longer sufficient to keep attackers out. IT environments have become significantly more complex, and so have the tools that cybercriminals use to try and make their way inside them. Increasingly, security teams find themselves having to secure assets that they can’t touch and systems with which they have less experience. Unlike static, physical devices, cloud environment assets, including containers and virtual machines, are more fluid or elastic by nature. This presents heightened risks such as unauthorized access, management APIs exposed to compromise because they are reachable from the internet, and reduced threat visibility from virtualization sprawl.

To further complicate the job of modern security teams, the tools cybercriminals have at their disposal are also increasing in sophistication. As organizations adopt automation tools to protect their infrastructure, threat actors also boost their arsenal with new technologies that speed up their operations and broaden the scope of their attacks. What used to be methodical, targeted compromise attempts can now be carried out en masse and with minimal costs.

Your Secret Weapon: How Allies Can Support Security Teams in Fast-Changing Environments

While often over-dramatized, it is not a coincidence that so much of the cybersecurity language borrows from the language of warfare and military operations. The daily fight with cybercriminals is a constant, excruciating battle — one that often feels unwinnable. To make a real advance against adversaries, security teams depend on allies. These allies are the tools they choose to adopt, as well as the Managed Detection and Response as a Service teams and the threat intelligence providers that help them stay on the lookout for new types of attacks.

In fact, the majority of security leaders are beginning to recognize the benefits of partnering with allies. The State of Incident Response whitepaper, for instance, found that security leaders believe third-party providers can help the most with speeding up containment and response to threats (55%), augmenting in-house expertise (53%) and increasing automation of processes (50%).

There are two focus areas, in particular, in which allies can prove beneficial in helping IT teams protect against adversaries: a security ally can prepare internal teams to operate efficiently, enable them to move more quickly in the case of a security event and aid them in executing their response.

Focus Area 1: Prepare to Operate, Execute and Respond

As the Navy SEALs like to say, ‘slow is smooth and smooth is fast’. In other words, speed in shutting down attacks comes from being prepared to execute a methodical and efficient plan of action in the case of a breach. Moreover, it is important that these plans are able to withstand the complexity and speed of real-world attacks.

For this reason, an effective security strategy is one that accounts for potential failures that allow adversaries to enter the corporate IT environment. Consequently, IT teams can prepare themselves for attacks with Incident Response (IR) plans. These might include tabletop exercises, testing and attack simulations that allow security teams to measure the speed at which they would be able to respond to a real-life attack.

In addition to this, a clear communication strategy can aid organizations in ensuring the appropriate stakeholders, both internal and external, are apprised of the specifics of an attack and next steps of response. Third-party training providers, for instance, are useful when consolidating an effective IR plan. This allows the organization to rest assured that its security team’s response will be smooth, and damage minimized, should a breach occur.

Focus Area 2: Move Quickly

Speed is of the essence when finding intrusions in your environment; therefore, reducing dwell time is key. Adversaries are now more cunning than ever. As such, we need to act fast to quash their schemes before they take effect. Defenders need to be at least as fast, if not faster. Additionally, security teams would greatly benefit from allies who can help them detect threats before those threats are able to damage their security posture. The ability to stay ahead of attackers is of paramount importance — whether that means an extra layer of protection in the form of a threat detection system or whether that means an outsourced team is put in charge of monitoring the environment 24/7.

Evaluating Your Team and Environment Before Acting

Of course, there are always limitations to the extent to which you can rely on internal resources to fend off escalating attacks that, quite literally, come from all over the globe, and are executed by threat groups with impressive resources and cutting-edge tools at their disposal.

There is strength in numbers and, as such, joining forces with an ally may be a key factor for IT teams to improve their defense strategy. In the end, it is about the good guys operating toward a common objective: keeping cybercriminals out. Ultimately, if working together increases the chances of accomplishing that objective, then their new security operations mantra ought to be “stronger together.”