As the modern world is beset by ever-more common and sophisticated cyber-attacks, the very tools focused on threat detection, investigation and response (TDIR) are ready to be laid to rest.
There are several reasons for this, but one of the most pertinent and increasingly recognised is that no single solution can lock out all the adversaries. Despite this, many vendors persist with single-vendor lock-in contracts and all-encompassing licence agreements.
The truth of the matter – there is no ‘one-size-fits-all’. No single vendor is capable of plugging all the breaches, analysing behavioural patterns and predicting where threats might lie. There are simply too many factors at play.
The capitalist market dictates that all vendors try to gain a monopoly, or at least the largest slice of the pie, but cyber-security needs to evolve beyond this point and accept that collaboration is a far more effective way of doing business. Due to the sheer scale of the threat landscape, it makes sense for vendors to focus on one specific part and do that particular job very well – rather than try to cover too much ground and lose focus.
Siloed information is still a contributing factor as well. The applications that contain clues and information vital to detecting threats are becoming more widely distributed, and the contextual information they hold is often viewed in isolation or not at all. This makes the ‘security nirvana’ of holistic visibility across the organisation difficult to achieve.
Activating that data and making it widely available across the organisation is key both to surfacing the threats hidden within it and to making the most of the opportunities it provides for deep analysis.
Cloud-based applications are great for mobility and workflow but pose a whole new set of issues for threat detection. Security is no longer based on the concept of a secure perimeter. Instead, it needs to assume that threats already exist inside the organisation – whether that be a stolen password, compromised device or even a malicious employee. Therefore, secure identity has replaced the perimeter border and needs to be the main focus of SecOps moving forward.
Multi-factor authentication is one way to help secure identity within an organisation and is becoming an essential part of the cyber response.
Change needs to come from the top of an organisation and be ubiquitous. As such, it requires buy-in from all levels and departments of the company regardless of their function. While the IT department maintains control over the various technologies at play, it is also their job to educate and ensure employees engage with the measures put in place.
The Essential Eight is a set of eight measures set out by the Australian government's ACSC in its Strategies to Mitigate Cyber Security Incidents. The government admits that there is no ultimate guide to mitigating all threats but suggests adopting the Essential Eight as a baseline.
For these reasons, SecOps needs to evolve. A security ecosystem must use data to understand normal and abnormal user and device behaviour for early detection of potential adversaries. Suspicious behaviour patterns from humans and machines must be analysed and contextualised, then tied to proactive countermeasures.
Like a colossal game of chess, TDIR must remain several steps ahead. The way to do that is through better collaboration on the vendor side, a lean system that is highly functional with few data silos and the concept of zero trust.
Attackers will breach defences – security teams must have visibility into indicators of compromise and be able to rapidly move to nullify attacks before they take hold.