June 17, 2021
Lack of Visibility and Control is Driving up Cyber Risk
New security technologies are becoming easier to adopt, and more money invested in them, but underlying challenges persist, which could drive up cyber risk.
By Chris Hallenbeck, chief information security officer (CISO), Tanium
Cybersecurity has finally reached the boardroom. As CDW Canada's latest study shows us, breaches are now costing organizations millions of dollars per incident, which should be enough to get the attention of most CEOs.
But although new security technologies are becoming easier to adopt, and more money is there to invest in them, underlying challenges persist, which could drive up cyber risk.
With that in mind, here are some of my key takeaways on the biggest challenges highlighted by the report:
Understanding the use cases and non-technology factors that will help make the most of SOAR and AI/ML deployment
Artificial intelligence (AI), machine learning (ML) and security orchestration, automation and response (SOAR) are being productized at a growing rate and deployed by an increasing number of organizations.
Fundamentally this comes down to people. We have an estimated shortfall of over three million IT security professionals globally right now, so these tools are often purchased to partially fill these skills gaps.
In the case of SOAR, it's commonly a response to historic over-investment in point solutions, which means security operations centre (SOC) analysts are overwhelmed with alerts.
I'd advocate these tools be used to automate repetitive tasks. But to optimize their value, organizations must also realize that they still need skilled humans to make sense of their output. They aren't a silver bullet to solving skills shortages, but instead offer a better way to allocate your existing resources.
Remote work and cloud adoption make device exposure a significant contributor to increased breach incidents and costs
The new era of remote work, distributed endpoints and cloud services is made for the zero-trust security approach: one predicated on a mantra of "never trust, always verify."
As you move more resources into the cloud, it becomes easier: a majority of cloud-based apps have the open APIs and other pieces necessary to do zero trust. We've almost got to a point today where there's no excuse not to take a look at this security model.
However, organizations must take caution to ensure that when they're continually authenticating users to access specific resources, they take a holistic approach.
That means not only checking user identity and access rights but also the security posture of the device they're using. It's a challenge to control and secure these distributed endpoints today, but visibility into device security is non-negotiable.
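As an added illustration of the holistic check described above (example code written for this article, not Tanium's or CDW's software), the following per-request decision evaluates the identity first and then the posture of the device it is coming from, and returns every reason for a denial so the SOC can see why a request was refused. The attribute names (roles, MFA state, disk encryption, endpoint agent, patch age) and the sample users and devices are assumptions constructed for the example.

```python
"""Added example: a per-request access decision that checks both the
requesting identity and the posture of the device it is using.
Illustrative code, not Tanium or CDW software; attribute names and
sample data are assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Identity:
    user: str
    roles: set = field(default_factory=set)
    mfa_verified: bool = False


@dataclass
class DevicePosture:
    device_id: str
    managed: bool          # enrolled in device management
    disk_encrypted: bool
    edr_running: bool      # endpoint security agent alive and reporting
    last_patch_date: date


@dataclass
class Resource:
    name: str
    required_role: str
    max_patch_age_days: int = 30  # assumed posture requirement for this resource


def posture_findings(device, resource, today):
    """Return the posture checks the device fails for this resource."""
    findings = []
    if not device.managed:
        findings.append("device is not enrolled in management")
    if not device.disk_encrypted:
        findings.append("disk is not encrypted")
    if not device.edr_running:
        findings.append("endpoint security agent is not running")
    patch_age = (today - device.last_patch_date).days
    if patch_age > resource.max_patch_age_days:
        findings.append(f"device is {patch_age} days behind on patches")
    return findings


def decide_access(identity, device, resource, today=None):
    """Evaluate identity AND device posture; return (allowed, reasons).

    Identity checks come first (who is asking, with what proof, for which
    entitlement), then device checks (the state of the thing they are
    asking from). Any failure denies, and all reasons are returned."""
    today = today or date.today()
    reasons = []
    if not identity.mfa_verified:
        reasons.append("identity not verified with MFA")
    if resource.required_role not in identity.roles:
        reasons.append(f"user lacks role '{resource.required_role}'")
    reasons.extend(posture_findings(device, resource, today))
    return (len(reasons) == 0, reasons)


# Constructed sample data for the example.
TODAY = date(2021, 6, 17)
ALICE = Identity("alice", roles={"finance"}, mfa_verified=True)
HEALTHY = DevicePosture("LAPTOP-01", True, True, True, TODAY - timedelta(days=7))
STALE = DevicePosture("LAPTOP-02", True, False, True, TODAY - timedelta(days=75))
LEDGER = Resource("ledger-db", required_role="finance")

if __name__ == "__main__":
    for dev in (HEALTHY, STALE):
        ok, why = decide_access(ALICE, dev, LEDGER, TODAY)
        print(dev.device_id, "ALLOW" if ok else "DENY", why)
```

The same user with the same role is allowed from the healthy laptop and denied from the stale one; an identity-only check would have allowed both. Because the decision is cheap and pure, it can be re-run on every request rather than once at login, which is the "continually authenticating" part of the model.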
Failure to adequately address the security implications of supply-chain and third-party partner access to organizational data and systems
The supply chain risk to organizations was laid bare earlier this year, but the truth is it has been building for many years. Too many third-party assurance programs are built on manual, spreadsheet-based questionnaires and trusting that your partners will answer them honestly. The result is a point-in-time, incomplete picture of supplier risk.
We need to get to a data-driven model where you can assess your supplier's security posture almost machine-to-machine. It should take in patch and vulnerability telemetry, as well as data on security architecture, the software development lifecycle, threat modelling and more for a more holistic and accurate picture.
A data-driven approach also means you can run these checks once a month rather than once a year, for continuous risk insight.
Implement formalized vulnerability management programs and regular penetration testing to understand attack surfaces
Too many vulnerability management programs fall at the first hurdle today. Security teams are happy if they can complete a vulnerability scan of all enterprise endpoints within a month.
This data is then sent over to IT operations to run against available patches before testing and deployment. The result is that they could be running 75 days or more behind when a patch was first made available.
On the other side, we know that threat actors are building exploits and scanning for vulnerable machines across the internet within minutes.
Visibility into all enterprise endpoints, at speed and scale, is foundational here. Organizations need to be getting comprehensive answers back about vulnerable assets within seconds or minutes, not weeks.
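To make the "75 days behind" figure something a program can actually measure, here is an added example (written for this article, not a Tanium or CDW tool) that takes a vulnerability scan export and computes, per host and finding, the exposure window between the vendor patch becoming available and the host being remediated (or today, if it is still open), then flags findings past an SLA. The CSV layout, the 30-day SLA and the CVE identifiers are constructed placeholders.

```python
"""Added example: measuring the patch exposure window from scan output.
Illustrative code, not a Tanium or CDW tool; CSV columns, SLA value and
CVE identifiers are constructed for the example."""
import csv
import io
from datetime import date

# Constructed scan export: one row per (host, finding). "remediated" is
# blank while the finding is still open. The CVE ids are placeholders.
SCAN_EXPORT = """host,cve,patch_released,remediated
web-01,CVE-EXAMPLE-0001,2021-03-01,2021-05-20
web-02,CVE-EXAMPLE-0001,2021-03-01,
db-01,CVE-EXAMPLE-0002,2021-06-10,
hr-05,CVE-EXAMPLE-0003,2021-01-15,2021-01-25
"""


def parse_date(text):
    """ISO date or None for an empty cell (finding still open)."""
    return date.fromisoformat(text) if text else None


def parse_scan(csv_text):
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "host": rec["host"],
            "cve": rec["cve"],
            "patch_released": parse_date(rec["patch_released"]),
            "remediated": parse_date(rec["remediated"]),
        })
    return rows


def exposure_days(row, today):
    """Days between the patch being available and the host being fixed
    (or today, if still open): the window an attacker could use."""
    end = row["remediated"] or today
    return (end - row["patch_released"]).days


def exposure_report(rows, today, sla_days=30):
    report = []
    for row in rows:
        days = exposure_days(row, today)
        report.append({
            "host": row["host"],
            "cve": row["cve"],
            "open": row["remediated"] is None,
            "days_exposed": days,
            "sla_breached": days > sla_days,
        })
    return report


def summarize(report):
    """Headline numbers a vulnerability management program should track."""
    open_rows = [r for r in report if r["open"]]
    return {
        "total_findings": len(report),
        "open_findings": len(open_rows),
        "open_sla_breaches": sum(1 for r in open_rows if r["sla_breached"]),
        "worst_open_exposure_days": max((r["days_exposed"] for r in open_rows), default=0),
    }


TODAY = date(2021, 6, 17)  # constructed "today" so the run is deterministic

if __name__ == "__main__":
    rep = exposure_report(parse_scan(SCAN_EXPORT), TODAY)
    for r in rep:
        print(r)
    print(summarize(rep))
```

Closed findings still count toward the historical exposure window (web-01 was exposed for 80 days even though it is now fixed), which is the number to trend over time; open SLA breaches are the ones that need action now. Feeding this from a live endpoint inventory rather than a monthly scan is what turns it from a report into the minutes-scale visibility the article calls for.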
Penetration testing is another critical part of improving organizational resilience. But too often, the problems highlighted by Red Teams are only fixed narrowly.
No wider lessons are learned about why Blue Teams didn't spot their attacks. I'd like to see more Purple Teaming. That means Red and Blue teams working closely together so that when the former spots something, they can collaborate to fix the underlying issue and learn from it.
Purple Teaming encourages dialogue to enhance overall detection and response, and what organization wouldn't benefit from that today?
To learn more about how the Tanium platform provides organizations with real-time visibility, comprehensive control and rapid response across operations, contact your CDW account representative.