Security operations often take the wrong approach. Rather than enabling the business to thrive, security professionals chase compliance, vulnerabilities, and the perfect set of security controls without first understanding which assets matter most to the business.
The most sensitive assets at hospitals, for example, are typically patient information and functioning operations in the emergency room and surgical theaters. Attackers who are able to access those priority assets can perform data exfiltration and, increasingly, extort the facility for ransom.
On the other hand, an aerospace or defense firm needs to protect intellectual property, including systems designs and process methodologies. And a financial-services company needs to protect account access, its proprietary database on financial transactions—such as mergers and acquisitions—and non-public financial analysis.
These extraordinary assets, of critical importance to a company, must be at the heart of an effective strategy to protect against cyber threats, because in an increasingly digitized world, protecting everything equally is not an option.
In the past, many security operations centers (SOCs) focused on building walls around the business, but not enabling the company to operate efficiently. As the world emerges from the pandemic, enterprise agility and resiliency are critical for companies to be able to pivot to more stable opportunities.
The goal of the modern CISO should be to focus on enabling cyber resilience in a way that supports business growth and transformation. Here are five suggestions for protecting the most critical assets.
1. Align cybersecurity priorities with business-value chains
In many companies, business groups, IT departments, and risk functions often have conflicting agendas and unclear working relationships. As a result, many organizations attempt to apply the same cyber-risk controls everywhere and equally. Often, this results in wasted time and money, but it can also result in a lack of priority for assets and functions critical to the business-value chains.
Security teams should focus first on the business problem and consider the whole enterprise to identify and prioritize the top risks. Cybersecurity budgets often compete with technology investments for limited funds, so security teams need to consider the entire enterprise, collaborating with an interdisciplinary team to consider security problems from the standpoint of enabling the business.
2. Find critical business assets to prioritize protection
A primary dimension of cyber resilience is the identification and protection of the organization’s digital crown jewels. In any given enterprise, some of the data, systems, and applications are more critical than others. In addition, some are more exposed to risk, while others are more likely to be targeted.
Companies must focus their strongest protections on their most important systems and assets, especially assets that meet a trifecta of criteria: highly critical for the business, exposed to greater risk, and likely to be targeted. Most enterprises recognize the severity of the issue but still treat it as a technical and control problem—even while acknowledging that their defenses will not likely keep pace with future attacks. To start, teams should focus on cyber risks that are prioritized on an enterprise-wide "business back" basis.
3. Conduct intelligence gathering to determine attacker motives
While threat modeling, risk reviews, and vulnerability analyses should focus on the value of an asset to the company and potential shortcomings in defenses, the profile of the adversaries who may attack the company is also important. Modeling the most likely attackers and how they operate can help identify new gaps and direct funds to strengthen the weak points most likely to be targeted.
This is an intelligence-heavy, data-driven process, but it's critical. While companies will want to have in-house expertise, bringing in security consultants gives them a second set of eyes. In addition, third parties that specialize in threat intelligence monitor a wide range of sources and likely have resources that the average business cannot afford.
In the end, improving defenses allows organizations to engage and deflect attackers in real time by combining threat intelligence, machine learning, and analytics resources within the IT function.
4. Create a cybersecurity capability to support resilience
A key part of cyber resilience is the ability to anticipate attacks before they happen. Threat modeling is a key part of this approach. However, to blunt attacks in real time, a company must have a ready cybersecurity capability as well.
SIEM systems can provide real-time detection of known attack patterns. Using a framework such as MITRE ATT&CK provides a reference model for measuring the effectiveness of an organization's detection strategy and the potential impact of deploying other security technologies. Anomaly-detection models look for behavior that deviates from typical patterns, such as an unusual access by a user. Companies with an active-defense posture use both SIEM rules and anomaly-detection systems to provide more comprehensive threat detection.
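To make the three ideas in this section concrete, here is an added example (not code from the article or from any vendor it mentions) that runs a SIEM-style known-pattern rule and a per-user anomaly baseline over a handful of constructed login events, then measures how much of a threat model's expected ATT&CK techniques those rules cover. The event format, thresholds, and the attacker's expected technique list are assumptions for illustration; the ATT&CK technique IDs are real, but their mapping to these toy rules is the example's own.

```python
"""Minimal detection pipeline: known-pattern rule + anomaly baseline + ATT&CK coverage.

Added example; all events below are constructed, not real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass

# Real MITRE ATT&CK technique IDs (the rule-to-technique mapping below is assumed).
T_BRUTE_FORCE = "T1110"      # Brute Force
T_VALID_ACCOUNTS = "T1078"   # Valid Accounts
T_EXFIL_C2 = "T1041"         # Exfiltration Over C2 Channel


@dataclass(frozen=True)
class Event:
    ts: int          # minutes since midnight (constructed, single-day model)
    user: str
    src_ip: str
    action: str      # "login_ok" or "login_fail"


# Constructed baseline period: what "normal" looks like for each user.
BASELINE = [
    Event(540, "alice", "10.0.0.5", "login_ok"),
    Event(555, "alice", "10.0.0.5", "login_ok"),
    Event(600, "bob", "10.0.0.7", "login_ok"),
    Event(610, "bob", "10.0.0.8", "login_ok"),
]

# Constructed events under analysis.
EVENTS = [
    Event(541, "alice", "10.0.0.5", "login_ok"),         # normal for alice
    Event(120, "alice", "203.0.113.9", "login_ok"),      # 02:00 from a never-seen IP
    *[Event(700 + i, "bob", "198.51.100.4", "login_fail") for i in range(6)],  # 6 fails in 6 min
    Event(705, "carol", "10.0.0.9", "login_ok"),         # user with no baseline at all
]

# Which ATT&CK technique each detection rule is meant to catch (assumed mapping).
RULE_TO_TECHNIQUE = {"brute_force": T_BRUTE_FORCE, "anomalous_login": T_VALID_ACCOUNTS}


def brute_force_rule(events, threshold=5, window=10):
    """SIEM-style known-pattern rule: at least `threshold` failed logins from one
    source IP inside any `window`-minute span. Returns [(src_ip, count)]."""
    failures = defaultdict(list)
    for e in events:
        if e.action == "login_fail":
            failures[e.src_ip].append(e.ts)
    hits = []
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:          # sliding window starting at times[i]
                hits.append((ip, j - i))
                break
    return hits


def build_baseline(events):
    """Per-user profile of source IPs and login hours seen during the baseline period."""
    profile = defaultdict(lambda: {"ips": set(), "hours": set()})
    for e in events:
        if e.action == "login_ok":
            profile[e.user]["ips"].add(e.src_ip)
            profile[e.user]["hours"].add(e.ts // 60)
    return profile


def anomaly_rule(events, profile):
    """Flag successful logins that deviate from the user's baseline.
    Users with no baseline are reported separately: they cannot be scored,
    and silently treating them as normal is the classic blind spot."""
    flagged = []
    for e in events:
        if e.action != "login_ok":
            continue
        if e.user not in profile:
            flagged.append((e.user, e.src_ip, ("no_baseline",)))
            continue
        reasons = []
        if e.src_ip not in profile[e.user]["ips"]:
            reasons.append("new_ip")
        if e.ts // 60 not in profile[e.user]["hours"]:
            reasons.append("unusual_hour")
        if reasons:
            flagged.append((e.user, e.src_ip, tuple(reasons)))
    return flagged


def coverage(expected_techniques, rules=RULE_TO_TECHNIQUE):
    """Measure detection coverage against the techniques the attacker model predicts
    (the output of step 3). Returns (covered, missing), each sorted."""
    covered = set(rules.values()) & set(expected_techniques)
    missing = set(expected_techniques) - covered
    return sorted(covered), sorted(missing)


if __name__ == "__main__":
    print("brute force:", brute_force_rule(EVENTS))
    print("anomalies:", anomaly_rule(EVENTS, build_baseline(BASELINE)))
    print("coverage:", coverage([T_BRUTE_FORCE, T_VALID_ACCOUNTS, T_EXFIL_C2]))
```

The point of the coverage check is the `missing` list: in the constructed run, the two rules catch brute force and anomalous account use but nothing for exfiltration, which is exactly the kind of gap that should drive the next detection investment rather than another generic control.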
5. Take note: NotPetya, SolarWinds are warnings
The parade of news about breaches and ransomware attacks should serve as a warning to companies. In 2016, a Los Angeles hospital paid a $17,000 ransom to a hacker who had seized control of its systems. Now, the sum seems quaint. In February, French President Emmanuel Macron vowed to invest €1 billion after France suffered two major ransomware attacks on hospitals.
Lesson: Adapt and evolve
Rather than continue in a passive stance, organizations must adapt and evolve their approach to cyber threats. They should assume that their firewalls will be penetrated and that accounts will be compromised.
Evolving requires organizations to anticipate attacks before they happen, act on alarms quickly enough to contain attacks, and adopt a tiered approach to protecting critical assets.
For more on this topic, watch Stan Wisseman and IDC's Craig Robinson in this webinar on how to approach threat operations with a cyber resilience approach.
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.