Digitalization is changing the world: the number of components in the network is growing exponentially. One of the unpleasant side effects is that hacking is also a growing business area. 90% of breaches had a financial or espionage motive. The sad statistic on cyber security: 70% of attacks go unchecked.
Companies have invested in security enforcement and detection tools, and business systems have been migrated to highly secured cloud environments where the service providers are responsible for security enforcement and detection. However, response to security incidents is not well covered, and it cannot be fully the responsibility of the service provider, as they do not have the business knowledge and thus cannot analyze whether confidential data has been compromised.
To really grasp the situation, let's use a simple metaphor: companies have invested in locks and alarm systems, but not in the process of managing the alarms. If someone breaks into your house, you can always call the police, but in the digital world that rarely helps. Instead, the company should organize its own efficient security incident response process to ensure the "housebreaker" does not have enough time to steal or destroy business-critical information.
Controlling your home base, securing & remediation
Base 1. Define Your Process
As with ITIL, there is a de facto best-practice process for security incident response, provided by NIST, with the following steps: Draft, Analysis, Contain, Eradicate, Recover, Review and Closure. Ensure that the process inputs, activities and outputs have been aligned for your organization, with clear responsibilities, so that the process runs efficiently. Service management tools provide a great platform for defining workflows that enforce process compliance, provide transparency and offer automation capabilities (e.g. business criticality assessments and automated remediations).
Base 2. Know Your Environment
It makes a huge difference whether someone is entering your yard, your living room or your safety deposit box. To ensure security incidents are handled correctly and prioritized by business impact, your business services must be well documented, with their relations to other components, so that you can trace the impact from an affected component to the application services and determine whether or not those services contain confidential information.
Base 3. Proactively manage vulnerabilities and threats
Rather than having to look through several Excel sheets from different vulnerability and threat sources (e.g. firewalls, IPS/IDS, TAXII feeds), it is recommended to combine vulnerabilities (e.g. a door without a lock) and threats (e.g. a burglar breaking in via the front door) into one holistic view. Using a service management platform makes it possible to prioritize vulnerable assets by business impact, and it makes both the IT and the security team more efficient, because the end-to-end process can be managed: security identifies the items and IT patches them via change management.
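The following is an added example, not code from the original post or from any vendor product, showing how the documented component-to-service relations from Base 2 and the combined vulnerability-plus-threat view from Base 3 turn into a business-impact-ranked list. The CMDB entries, finding names and scoring weights are all constructed for illustration.

```python
# Constructed CMDB (assumption): which application services depend on which
# components, and whether each service handles confidential data.
from dataclasses import dataclass

SERVICES = {
    "CustomerPortal": {"components": {"web01", "db01"}, "confidential": True},
    "IntranetWiki":   {"components": {"wiki01"}, "confidential": False},
    "Payroll":        {"components": {"db01", "app02"}, "confidential": True},
}

@dataclass
class Finding:
    component: str
    kind: str       # "vulnerability" (e.g. missing patch) or "threat" (e.g. IDS alert)
    severity: int   # 1 (low) .. 10 (critical), as reported by the scanner/IDS

def impacted_services(component: str) -> list[str]:
    """Follow the CMDB relations from an affected component to the services it serves."""
    return sorted(s for s, d in SERVICES.items() if component in d["components"])

def business_impact(component: str) -> int:
    """Weight each impacted service: 3 if it holds confidential data, else 1 (constructed)."""
    return sum(3 if SERVICES[s]["confidential"] else 1 for s in impacted_services(component))

def prioritize(findings: list[Finding]) -> list[tuple[str, int, list[str]]]:
    """Merge vulnerabilities and threats per component into one ranked view.

    A component with both an open vulnerability and an active threat (the door
    without a lock plus the burglar at the door) is escalated above one with only one.
    """
    per_component: dict[str, dict[str, int]] = {}
    for f in findings:
        entry = per_component.setdefault(f.component, {"vulnerability": 0, "threat": 0})
        entry[f.kind] = max(entry[f.kind], f.severity)
    ranked = []
    for comp, sev in per_component.items():
        combined = sev["vulnerability"] + sev["threat"]
        if sev["vulnerability"] and sev["threat"]:
            combined *= 2   # exposure plus active attacker: escalate
        ranked.append((comp, combined * business_impact(comp), impacted_services(comp)))
    return sorted(ranked, key=lambda r: r[1], reverse=True)

# Constructed sample findings, as a scanner and an IDS might report them.
SAMPLE = [
    Finding("wiki01", "vulnerability", 9),   # highest raw severity, low-impact asset
    Finding("db01", "vulnerability", 6),
    Finding("db01", "threat", 5),
    Finding("web01", "threat", 7),
]

if __name__ == "__main__":
    for comp, score, services in prioritize(SAMPLE):
        print(f"{comp:8} score={score:4}  impacts={services}")
```

The wiki server carries the highest raw severity but ranks last, while the database serving two confidential services, with both a vulnerability and an active threat, ranks first.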
Home Run. Automation
Protection and detection systems are in use in all companies, but how many companies remediate immediately when a vulnerability or attack is identified? Without automation, the average fix time after a security incident is more than 200 days.
Automation can be orchestrated on two levels: with structured workflows and with system management capabilities. An example of structured-workflow automation is determining whether a data breach has happened and, if so, automatically creating and assigning the relevant tasks (such as "Notify Law Enforcement", "Create PR response", "Remove malware", etc.). System management capabilities can be used, for example, to automatically launch patching to resolve a vulnerability on a specific asset (e.g. a database server hosting confidential data).
In summary, there is a lot that many companies can do to improve Security Operations, and it is important to notice that IT Service Management practices and tools can help in the process. We recommend improving the security operations processes iteratively, starting from the first base.
ServiceNow Security Operations, http://www.servicenow.com/products/security-operations.html
Ponemon Institute, http://www.ponemon.org/
Joseph Steinberg (CEO, SecureMySocial), "Cybersecurity Predictions for 2017: The Experts Speak" (a panel of industry insiders and experts share their cybersecurity predictions for 2017), Inc., http://www.inc.com/joseph-steinberg/cybersecurity-predictions-for-2017-the-experts-speak.html
Verizon 2016 Data Breach Investigations Report
If you want to know more, do not hesitate to contact us!