With cyber-attacks costing businesses some £4 billion per year, a figure that keeps growing, cyber defense systems are a must for every business. Those defenses are no longer confined to the network perimeter: they now reach deep inside the organization, monitoring user behavior, tracking where data goes and even what an employee does while away from the network.
“Defense in depth” has become a buzzword, seemingly with no end. With it comes complexity, because most of the systems involved do not talk to each other. Monitoring systems such as Security Information and Event Management (SIEM) platforms fall short because they can only alert an operator to a problem; the alert is therefore only as good as the person who reacts to it, if anyone is even looking.
Because cyber-attacks are mostly automated, any delay in reacting lets the threat take hold before the organization has even begun to assemble a defense.
Running many different security systems creates other problems, such as a lack of knowledge of the individual products, both in how to use them and in how to interpret what they show. This often happens because the team that installed a system leaves over time and the relevant knowledge goes with them.
Subsequent teams then do not fully understand the systems in place, which makes them harder to maintain and leaves nobody sure how to react to the issues that follow. Yet more technology is then brought in to plug the perceived gaps, and the cycle continues with another layer of defense.
Tiers of doom
The growing threat and the piling up of ever more layers of security produce what I call ‘the Tiers of Doom’:
- Tier 1. Multiple layers are harder to manage
- Tier 2. Layers of varying complexity make patterns harder to see, so attacks are easier to hide
- Tier 3. Being unable to recognize a pattern leads to a slow reaction to a threat, compounded by tiers of management sign-off
- Tier 4. Sign-off is withheld because of poor advice, stemming from a lack of cybersecurity skills within the organization and a lack of technical understanding of the many installed security solutions
- Tier 5. The organization reacts by installing more technology, and the cycle starts again at Tier 1!
The Tiers of Doom result in uncontrollable costs while still leaving the organization exposed to attack. Breaking this cycle is a key element in improving an organization's cybersecurity posture, and it can be achieved by “thinking smart.”
Using technology to control technology, and to close the skills gap, can be achieved with a cyber management platform (call it a Shield) that presents warnings, actions and results in a single pane of glass.
A single pane that fronts all the deployed system interfaces lets a cyber team work on one platform they know well, rather than having to learn and remember, say, 20 different dashboards.
The single pane shows the results and consequences of events as they happen and advises on appropriate action, helping cyber teams understand the real threat posed.
Fight automated cyber-attacks with automation defense
Most attacks come from multiple vectors, all automated and scripted, which means cyber defense teams need many ‘eyes on’ the defense perimeter, something not always possible with today's resource-light cyber teams.
We need to automate defense, with appropriate levels of authority and response. Because the Shield is connected to every defense technology in the network, it can automatically instruct those systems to neutralize attacks, using playbooks designed around the company's defense policy. The authority granted to each playbook step should match its blast radius: read-only enrichment can run unattended, while disruptive actions such as blocking addresses or disabling accounts should be gated by policy or by human approval.
Playbooks can be designed around any scenario and can carry several levels of action. For example, on detecting an attack a playbook can raise an alert and open a ticket in the company's ticketing system, giving details and suggested actions with the appropriate level of response or escalation. Once a team member actions the ticket, they can instruct the Shield to carry out the recommended steps by talking to, and reconfiguring, any platform attached to it in order to stop the attack's progress.
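The playbook flow described above (alert in, automatic low-risk steps, ticket for anything that needs sign-off, analyst approval driving the connected platforms) is shown here as an added example. It is not code from the original page or from any vendor's product; the `Shield` class, the authority levels, the playbook names and the connector functions are all assumptions, and the connectors are stubs that return a string instead of calling a real firewall, EDR or identity provider.

```python
"""Minimal playbook engine with authority-gated response.

Every playbook action carries an Authority level. Actions at or below the
engine's auto_limit run immediately; anything above it is parked on a ticket
and only executes once an analyst approves. Constructed example; the
connector functions below are hypothetical stand-ins for vendor APIs.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Callable, Dict, List


class Authority(IntEnum):
    OBSERVE = 0   # read-only enrichment: safe to run unattended
    CONTAIN = 1   # reversible containment (isolate host, block an address)
    DISRUPT = 2   # disruptive, hard to undo (disable an account)


@dataclass
class Action:
    name: str
    authority: Authority
    run: Callable[[dict], str]   # connector call; returns a result string


@dataset_placeholder = None  # (kept out; see dataclass below)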
Don’t let a skills shortage or vendor lock-in keep you from the best defense
To ease the strain on stretched cyber teams it is easy to stick with one vendor and hope its offering in a particular area will be good enough. The single-vendor approach is sometimes seen as cost-effective too, but both assumptions are often untrue.
Organizations should look at what is needed in the long term. A cyber management platform lets an organization pick the best product it can afford without having to train its staff on every aspect of each new system, or being forced into paying for expensive bolt-ons just to keep support contracts simple.
The single pane of glass offered by a cyber management system removes system compatibility as a driver; even legacy systems can be brought back into the cyber defense strategy. This saves money and breaks the Tiers of Doom, as cyber teams can get on with understanding what they have and learning from the actions the platform recommends.
No one can remember every aspect of every system on a network, especially one they have not logged on to in, say, six months. The speed and frequency of attacks are outstripping normal controls. Add the demands of day-to-day work such as patching, fault finding and opening ports for new business projects, and the pressures and distractions are great.
A Shield that sits at the center of the connected networks, seeing all, listening to all, speaking to all and controlling all, has to be a game changer in the cyber defense armory. A component with that much reach is also a prime target, so its own access control, credentials and change log deserve the same scrutiny as any system it protects.