Have you inherited a cybersecurity program with many different tools? Do they offer little in the way of measurable outcomes that show your program is more effective today than it was last month?
You are not alone.
Many CISOs at mid-sized companies have evolved their programs by adding new tooling over time. Each on its own has been a rational investment in a solution to address new threat vectors. But this piecemeal approach snowballs into a management burden of alerts and tools that require fine tuning to remain effective. If not for the day-to-day heroics of the security team, these investments would be wasted.
Fortunately, there always seem to be a few key people who go the extra mile to ensure alerts are investigated and the program can report progress. But how long can they keep up the heroics without inviting more risk? Ransomware gangs have an endless supply of vulnerabilities to exploit, while security professionals are getting tired of the Sisyphean routine. Maintaining unified visibility across complex environments is a challenge in itself, while keeping the systems tuned to generate actionable alerts is often an impossibility for small teams. The management of tooling and data has simply become too complicated for small teams to do well. Their focus should be on security tasks, not on managing tools or figuring out how to filter out useless alerts.
The IT Media Group (ITMG) noted the link between effectiveness and efficiency problems - consequences of the divergent data IT leaders are forced to deal with. In their February 2022 report Evolving Cybersecurity Essentials: A CIO Guide to Protecting the Enterprise, ITMG noted that the speed at which cyberattacks happen poses challenges for resource-constrained IT departments, such as those at small and medium-sized businesses.
With an incrementally assembled security solution, your team will face more work, not less, in identifying genuine threats and high-severity signals amongst the background noise. By piecing together alerts and data from multiple systems with varying degrees of integration, analysts lose valuable time in what can be a fast-paced threat environment.
So how can we better enable CIOs of mid-sized enterprises to achieve the efficacy and efficiency needed to respond to threats ‘in time’? By addressing the issues that pain their IT teams, at the source.
Overcoming “Disjointed Data”
If your present-day SOC came to be through extensions (by vector, by function, by directive), it’s unlikely to have the unified visibility necessary to enable expedient decisions. Each tool or group of tools may also suffer from “siloed management” within your organization, leading to further inefficiency - this problem is exacerbated the larger your organization becomes. Such pain points are inevitable with a vector-based approach.
What’s the solution?: Transformation is required. If the vectored approach hasn’t worked, you now need to build the cross-connections before you can even think about visibility across your stack. With a unified view, you can scale and analyze your data faster. However, such an approach can mean a necessarily complex effort to source insight from across your security stack and team.
The time and cost of rebuilding from the ground up is not an option for most organizations. However, there are ways to bring all your data together under a single view. Creating a dashboard can provide visibility across your environment by forwarding logs from your existing security technology. For inspiration, you can see the approach we took in our customer portal.
A more straightforward way, however, is to leverage a unified solution built to cover holistic threats across multiple vectors and that ingests information from all your tools.
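The "single view" described above only works if events from different tools are mapped onto one schema before they reach the dashboard. The following is an added example, not code from the page or from any vendor's portal: it normalizes three constructed log lines (a firewall syslog line, a JSON EDR event and a CSV identity-provider export) into one record shape and then runs a single cross-source query over them. The field names of the unified record and the three log formats are assumptions made for the example.

```python
"""Normalize heterogeneous security logs into one schema for a single view.

Added example; the log lines and the unified field names are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample lines, one per source (not real log data).
SAMPLE_LINES = [
    "2024-03-01T10:02:11Z fw01 action=deny src=203.0.113.7 dst=10.0.0.5 dport=3389 user=jsmith",
    '{"ts": 1709287341, "host": "ws-042", "event": "process_start", "user": "jsmith", "severity": "high"}',
    "2024-03-01T10:01:55Z,login_failure,jsmith,203.0.113.7,medium",
]


def parse_firewall(line):
    """'<iso-ts> <host> key=value ...' firewall line (assumed format)."""
    ts, host, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {
        "timestamp": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "source": "firewall",
        "event_type": f"connection_{fields.get('action', 'unknown')}",
        "host": host,
        "user": fields.get("user"),
        "src_ip": fields.get("src"),
        "severity": "medium" if fields.get("action") == "deny" else "low",
    }


def parse_edr(line):
    """JSON EDR event with an epoch timestamp (assumed format)."""
    obj = json.loads(line)
    return {
        "timestamp": datetime.fromtimestamp(obj["ts"], tz=timezone.utc),
        "source": "edr",
        "event_type": obj["event"],
        "host": obj.get("host"),
        "user": obj.get("user"),
        "src_ip": None,
        "severity": obj.get("severity", "low"),
    }


def parse_idp(line):
    """'<iso-ts>,<event>,<user>,<ip>,<severity>' identity-provider export (assumed)."""
    ts, event, user, ip, severity = line.split(",")
    return {
        "timestamp": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "source": "idp",
        "event_type": event,
        "host": None,
        "user": user,
        "src_ip": ip,
        "severity": severity,
    }


def normalize(line):
    """Detect the source format and return a record in the unified schema."""
    stripped = line.strip()
    if stripped.startswith("{"):
        return parse_edr(stripped)
    if "=" not in stripped and "," in stripped:
        return parse_idp(stripped)
    return parse_firewall(stripped)


def timeline(records):
    """Event types ordered by time, regardless of which tool emitted them."""
    return [r["event_type"] for r in sorted(records, key=lambda r: r["timestamp"])]


def correlate_by_user(records):
    """Users seen by more than one tool, with the set of tools and the worst severity."""
    by_user = defaultdict(list)
    for r in records:
        if r["user"]:
            by_user[r["user"]].append(r)
    result = []
    for user, recs in sorted(by_user.items()):
        sources = sorted({r["source"] for r in recs})
        if len(sources) > 1:
            worst = max(recs, key=lambda r: SEVERITY_RANK.get(r["severity"], 0))["severity"]
            result.append((user, sources, worst))
    return result


if __name__ == "__main__":
    recs = [normalize(l) for l in SAMPLE_LINES]
    print(timeline(recs))
    print(correlate_by_user(recs))
```

Once every tool's output lands in the same shape, a dashboard query such as "which users were flagged by more than one tool in the last hour" becomes a single lookup rather than three exports stitched together by hand.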
Fighting Alert Fatigue
Even if you have (especially once you have) all your security systems feeding a single pane of glass, your team will still be subject to alert fatigue. Alert fatigue impacts not only your efficiency (combing through a million alerts) but also your efficacy. The response time you lose pursuing false positives can be the difference between disruption to your company’s operations and “just another day” in the SOC.
What’s the solution?: Leveraging data science to more intelligently analyze logs at scale is the industry best practice, but it is inaccessible for many organizations due to the budget, expertise and time required to build an operational capability.
Machine learning can measurably improve the quality of alerts when applied in a supervised environment with feedback from domain expert analysts who understand the environment. Over time, this approach can also enable more timely remediation. To remain effective, it needs to be a living process. We’ve chronicled many of the best practices we’ve learned while building our data science program to reduce alert fatigue for our analysts.
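To make the "supervised, with analyst feedback" idea concrete, here is an added example (not the page's or the vendor's data science program): a small naive Bayes model over categorical alert features that is trained from analysts' true-positive/false-positive verdicts and keeps learning as new verdicts arrive, so that a queue of new alerts can be ranked by how likely each one is to be real. The feature names, rule names and the labelled history are all constructed for the example.

```python
"""Rank alerts by analyst-feedback-trained naive Bayes (added example).

Features, rule names and the labelled history below are constructed.
"""
import math
from collections import defaultdict


class AlertTriageModel:
    """Naive Bayes over categorical alert features, updated from analyst verdicts."""

    FEATURES = ("rule", "asset_tier", "source")  # assumed alert fields

    def __init__(self):
        self.label_counts = {True: 0, False: 0}
        # counts[label][feature][value] -> number of labelled alerts
        self.counts = {
            True: defaultdict(lambda: defaultdict(int)),
            False: defaultdict(lambda: defaultdict(int)),
        }
        self.vocab = defaultdict(set)  # distinct values seen per feature

    def record_feedback(self, alert, is_true_positive):
        """Analyst verdict on one alert; this is the 'living process' hook."""
        self.label_counts[is_true_positive] += 1
        for f in self.FEATURES:
            self.counts[is_true_positive][f][alert[f]] += 1
            self.vocab[f].add(alert[f])

    def score(self, alert):
        """P(true positive | features) with Laplace smoothing; 0.5 before any feedback."""
        total = sum(self.label_counts.values())
        if total == 0:
            return 0.5
        log_post = {}
        for label in (True, False):
            lp = math.log((self.label_counts[label] + 1) / (total + 2))
            for f in self.FEATURES:
                k = len(self.vocab[f]) + 1  # +1 reserves mass for unseen values
                n = self.counts[label][f].get(alert[f], 0)
                lp += math.log((n + 1) / (self.label_counts[label] + k))
            log_post[label] = lp
        m = max(log_post.values())  # subtract max before exp for numerical stability
        p_tp = math.exp(log_post[True] - m)
        p_fp = math.exp(log_post[False] - m)
        return p_tp / (p_tp + p_fp)

    def rank_queue(self, alerts):
        """Highest probability of being a real incident first."""
        return sorted(alerts, key=self.score, reverse=True)


def alert(rule, tier, source):
    return {"rule": rule, "asset_tier": tier, "source": source}


# Constructed analyst history: (alert, verdict) pairs.
HISTORY = (
    [(alert("av_quarantine", "workstation", "edr"), False)] * 6
    + [(alert("av_quarantine", "workstation", "edr"), True)] * 1
    + [(alert("lsass_access", "server", "edr"), False)] * 1
    + [(alert("lsass_access", "server", "edr"), True)] * 4
    + [(alert("impossible_travel", "workstation", "idp"), False)] * 3
    + [(alert("impossible_travel", "workstation", "idp"), True)] * 3
)

NEW_QUEUE = [
    alert("av_quarantine", "workstation", "edr"),
    alert("impossible_travel", "workstation", "idp"),
    alert("lsass_access", "server", "edr"),
]


def build_model(history=HISTORY):
    model = AlertTriageModel()
    for a, verdict in history:
        model.record_feedback(a, verdict)
    return model


def ranked_rules(model, queue=NEW_QUEUE):
    return [a["rule"] for a in model.rank_queue(queue)]


if __name__ == "__main__":
    model = build_model()
    for a in model.rank_queue(NEW_QUEUE):
        print(f"{model.score(a):.2f}  {a['rule']}")
```

The model is deliberately simple so the mechanism is visible: every analyst verdict shifts the per-feature counts, so a rule that keeps producing noise on one asset tier sinks in the queue while the same rule on a different tier can still surface. In production the feature set would be richer and the verdicts would come from the case-management system rather than a hand-built list, but the feedback loop is the part that keeps the alert quality from decaying.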
Getting Good Help (Even Though it is “Hard to Come By”)
There’s a severe shortage of talented cybersecurity professionals. Whatever the size of your operation, you probably wish you had a larger infosec team. Attracting and retaining cybersecurity talent is a difficult proposition for even the most well-resourced teams. Reducing the need to hire personnel - particularly those with niche expertise - and making investments to help existing team members achieve better outcomes is essential.
What’s the solution?: To see how we solved this problem, read our whitepaper on the Hyperscale SOC and the minds behind it.
Conclusion
Infosec leaders need to be constantly looking for opportunities to give their teams an edge. Leveraging data science and security operations services can alleviate pressure on internal teams by improving the quality of alerts and simplifying remediation. By making smart investments to integrate data and reduce complexity, you can drive down the risks of disruption to your business while keeping your most valuable resources - your team - from burning out.