From investment to impact: Unlocking cybersecurity value
Despite organisations investing more in cybersecurity tools and technologies than ever before, the issue of cyber threats remains on the rise.
Recent research by Focus Network and SentinelOne shows that Australian organisations have an average of 36 cybersecurity tools. As a result, many are now looking for effective strategies to extract maximum value from their current tools and existing investments.
A "simplification" strategy that often arises in this regard is to rip out several existing best-of-breed tools and replace them with a single vendor platform. However, from a cost and operational-effectiveness perspective this is not the right approach.
Instead of replacing existing tools, the key to simplification and value extraction lies in making certain small, concerted efforts that can yield significant results.
Conducting regular health check-ups, re-focusing on cyber hygiene, and working to unite internal security resources against a common enemy are three small strategies resulting in big value unlocks for security teams and organisations.
Regular health check-ups
While it's generally well understood that cybersecurity technologies and policies should not be 'set-and-forget', they are often not revisited or reviewed frequently enough. Many organisations rarely look back on the configuration of tooling or the application of internal policy settings.
Risk is one reason teams avoid making regular adjustments to tool settings; after all, a single false-positive detection by a tool can lead to calls for it to be disabled. Teams are wary of making their tool settings too sensitive and may view a 'hands-off' approach as the sensible way to maintain current detection capabilities.
There may also be internal politics at play. Whenever security controls are enforced or a new security regime is implemented, there will always be demands to exempt certain critical systems or executives. Even though these exceptions have an expiry date, they are seldom reviewed. As time goes on, these exceptions become exploitation opportunities for attackers.
To extract the maximum value from security tooling, regular tweaks to configurations and controls can be beneficial. Where existing configuration settings are too stringent, value is trapped and goes unrealised. A configuration check-up can also determine whether a tool is still capturing the behaviours of every process and application as intended, and whether its advanced capabilities are still providing the highest levels of protection against evolving threats. Configuration effectiveness drifts over time as the environment and threat landscape evolve. If you do not know how your environment is evolving, you do not know what you are securing against.
So the first small strategy that can generate big value is to work with partners, OEMs and technology vendors to perform a regular health check-up of the configuration of security tools in your ecosystem.
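The two checks described above (policy exceptions that have quietly outlived their expiry date, and tool settings that have drifted away from the intended baseline) are simple enough to automate. The following script is an added illustration and is not code from the article or from any vendor's product; the exception register, the baseline and the "current" settings are constructed sample data, and the 90-day review interval is an assumed policy value.

```python
from datetime import date

# Constructed sample data (not from the article): policy exceptions granted to
# specific systems or people, each with an expiry date and a last-review date.
EXCEPTIONS = [
    {"id": "EXC-001", "subject": "finance-db-01", "control": "EDR agent enforcement",
     "expires": date(2023, 6, 30), "last_reviewed": date(2023, 1, 15)},
    {"id": "EXC-002", "subject": "cfo-laptop", "control": "MFA on VPN",
     "expires": date(2025, 12, 31), "last_reviewed": date(2024, 11, 1)},
    {"id": "EXC-003", "subject": "legacy-erp", "control": "monthly patching",
     "expires": date(2024, 3, 31), "last_reviewed": None},
]

# Constructed baseline of intended tool settings versus what is deployed now.
BASELINE = {"behavioural_detection": "enabled", "script_monitoring": "enabled",
            "quarantine_on_detect": True, "update_channel": "stable"}
CURRENT = {"behavioural_detection": "enabled", "script_monitoring": "disabled",
           "quarantine_on_detect": False, "update_channel": "stable"}

# Assumed policy: every exception must be re-approved at least this often.
MAX_REVIEW_AGE_DAYS = 90


def stale_exceptions(exceptions, today):
    """Return (id, reasons) for exceptions that have expired or are overdue for review."""
    findings = []
    for exc in exceptions:
        reasons = []
        if exc["expires"] < today:
            reasons.append("expired")
        last = exc["last_reviewed"]
        if last is None or (today - last).days > MAX_REVIEW_AGE_DAYS:
            reasons.append("review overdue")
        if reasons:
            findings.append((exc["id"], reasons))
    return findings


def config_drift(baseline, current):
    """Return {setting: (expected, actual)} for every setting that no longer matches the baseline."""
    drift = {}
    for key, expected in baseline.items():
        actual = current.get(key, "<missing>")
        if actual != expected:
            drift[key] = (expected, actual)
    return drift


def health_check(today_iso):
    """Run both checks as of the given ISO date and return the combined report."""
    today = date.fromisoformat(today_iso)
    return {
        "exceptions": stale_exceptions(EXCEPTIONS, today),
        "drift": config_drift(BASELINE, CURRENT),
    }


if __name__ == "__main__":
    report = health_check("2025-01-15")
    for exc_id, reasons in report["exceptions"]:
        print(f"{exc_id}: {', '.join(reasons)}")
    for setting, (expected, actual) in report["drift"].items():
        print(f"{setting}: expected {expected!r}, found {actual!r}")
```

Run on a schedule, a report like this turns "we should revisit our exceptions" into a concrete list of owners to chase and settings to restore; the drift check is deliberately driven from a baseline the team writes down, because a tool's own defaults are not a substitute for the configuration that was actually agreed.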
Cyber hygiene
A second small step with big results is to redouble efforts around cyber hygiene. While it may look trivial on paper, its effect on elevating the security posture of the organisation cannot be overstated. In particular, organisations should consider the use of a framework such as PMP - Privileges, Multi-Factor Authentication and Patching - to reduce the attack surface and probability of being attacked.
One of the reasons cyber hygiene punches above its weight in unlocking cybersecurity value is that organisations that do the basics well are much harder to compromise. Attackers, like defenders, ultimately work according to the principles of economics; they focus and expend more time on organisations with lower defences, where they can achieve outcomes for the least amount of effort. By elevating their base security posture, organisations are better placed to appear harder to breach.
Unity is strength
The third key value unlock mechanism is uniting your security forces.
We know attackers have become more organised over time, with different groups taking responsibility for executing particular aspects of an attack - initial access brokerage, launching the attack, negotiating the ransom - while presenting outwardly as a united force.
On the defender side, however, the security organisation is often still divided by domain, team structure, tools and technology, and KPIs. There are often separate domain areas for network, email, web, cloud security and policy. The teams work very much in silos, and because there may not be effective collaboration or intelligence-sharing across domains, gaps exist - between two teams or two tools, for example - that attackers are able to exploit.
Instead of fighting individually against a common enemy, organisations need to unify their security operations and present themselves (and perform) as a single united front. Unity is strength.
One practical way to bring unity to cybersecurity is to integrate all your existing best-of-breed cybersecurity technologies. Teams should focus on finding ways to bring existing tools - or, more pertinently, the data and insights they're collecting - together into one centralised security data lake, where a more simplified overview can be obtained and maintained. With a single data lake structure, organisations are able to see everything in one place and do a better collective job at identifying attacks much earlier in the timeline.
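The value of pulling tool data into one place is easiest to see when each tool on its own reports only low-severity noise. The script below is an added illustration, not code from the article or from any product: the email, endpoint and network events are constructed samples in deliberately different field names and time formats, and the 30-minute correlation window and the "three distinct tools" threshold are assumed tuning values. It normalises the three feeds onto one schema, joins them on host, and flags a host only when several tools speak up within the same window.

```python
from datetime import datetime, timezone, timedelta

# Constructed sample events (not output of any real product): the same low-severity
# activity as each tool sees it, each in that tool's own field names and time format.
EMAIL_EVENTS = [
    {"ts": "2025-01-15T09:02:11", "recipient": "j.smith", "verdict": "delivered",
     "note": "attachment type outside normal pattern for sender"},
    {"ts": "2025-01-15T11:40:05", "recipient": "a.lee", "verdict": "delivered",
     "note": "newsletter"},
]
ENDPOINT_EVENTS = [
    {"time": "2025-01-15 09:05:40", "host": "WS-0142", "user": "j.smith",
     "severity": "low", "note": "office application spawned an unusual child process"},
    {"time": "2025-01-15 13:10:00", "host": "WS-0077", "user": "a.lee",
     "severity": "low", "note": "new browser extension installed"},
]
NETWORK_EVENTS = [
    {"epoch": 1736932200, "src_host": "WS-0142", "bytes_out": 48_000_000,
     "note": "outbound volume above host's 30-day baseline"},
]

# Assumed tuning: signals from different tools count together if they fall within this window.
WINDOW = timedelta(minutes=30)


def normalise():
    """Map every tool's events onto one schema: (time, host, tool, note), all times UTC."""
    # Endpoint telemetry is the only feed that knows which user sits on which host,
    # so it provides the join key for the user-centric email events.
    user_to_host = {e["user"]: e["host"] for e in ENDPOINT_EVENTS}
    events = []
    for e in EMAIL_EVENTS:
        host = user_to_host.get(e["recipient"])
        if host is None:
            continue  # no endpoint seen for this user; nothing to join on
        t = datetime.fromisoformat(e["ts"]).replace(tzinfo=timezone.utc)
        events.append((t, host, "email", e["note"]))
    for e in ENDPOINT_EVENTS:
        t = datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        events.append((t, e["host"], "endpoint", e["note"]))
    for e in NETWORK_EVENTS:
        t = datetime.fromtimestamp(e["epoch"], tz=timezone.utc)
        events.append((t, e["src_host"], "network", e["note"]))
    return sorted(events)


def correlate(events, min_tools=3):
    """Flag hosts where at least min_tools distinct tools reported within one WINDOW."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev[1], []).append(ev)
    incidents = []
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            window = [ev for ev in evs[i:] if ev[0] - start[0] <= WINDOW]
            tools = {ev[2] for ev in window}
            if len(tools) >= min_tools:
                incidents.append({"host": host, "tools": sorted(tools),
                                  "first": start[0], "last": window[-1][0],
                                  "notes": [ev[3] for ev in window]})
                break  # one incident per host is enough for this check
    return incidents


if __name__ == "__main__":
    for inc in correlate(normalise()):
        print(f"{inc['host']}: {', '.join(inc['tools'])} between "
              f"{inc['first']:%H:%M} and {inc['last']:%H:%M} UTC")
        for note in inc["notes"]:
            print(f"  - {note}")
```

Here no single feed would have paged anyone, and the second user's two events sit 90 minutes apart and are correctly left alone; the point the article makes about gaps "between two tools" is exactly the seam this join closes, and the normalisation step is where most of the real engineering effort in a security data lake goes.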