By Chris Hallenbeck, chief information security officer (CISO), Tanium
Cybersecurity has finally reached the boardroom. As CDW Canada’s latest study shows us, breaches are now costing organizations millions of dollars per incident — which should be enough to get the attention of most CEOs.
But although new security technologies are becoming easier to adopt, and more money is available to invest in them, underlying challenges persist that could drive up cyber risk.
With that in mind, here are some of my key takeaways on the biggest challenges highlighted by the report:
Understanding the use cases and non-technology factors that will help make the most of SOAR and AI/ML deployment
Artificial intelligence (AI), machine learning (ML) and security orchestration, automation and response (SOAR) are being productized at a growing rate and deployed by an increasing number of organizations.
Fundamentally this comes down to people. We have an estimated shortfall of over three million IT security professionals globally right now, so these tools are often purchased to partially fill those skills gaps.
In the case of SOAR, it’s commonly a response to historic over-investment in point solutions, which means security operations centre (SOC) analysts are overwhelmed with alerts.
I'd advocate that these tools be used to automate repetitive tasks. But to get full value from them, organizations must also realize that they still need skilled humans to make sense of the output. They aren't a silver bullet for skills shortages; they are a better way to allocate the people you already have.
Remote work and cloud adoption make device exposure a significant contributor to increased breach incidents and costs
The new era of remote work, distributed endpoints and cloud services is made for the zero-trust security approach, one predicated on the mantra "Never trust, always verify."
As you move more resources into the cloud, adopting it becomes easier: a majority of cloud-based apps expose the open APIs and other building blocks needed to do zero trust. We have almost reached the point where there is no excuse not to take a look at this security model.
However, organizations must take care that when they continually authenticate users for access to specific resources, they take a holistic approach.
That means checking not only user identity and access rights but also the security posture of the device being used, and doing so on every request rather than once at login. Controlling and securing these distributed endpoints is hard today, but visibility into device security is non-negotiable.
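The decision described above, as an added example that is not code from the original article or from any product: a small policy function that refuses access unless both the identity checks (MFA, role) and the device posture checks (managed, encrypted, EDR running, patched) pass, and that treats a posture report older than a few minutes as stale. The field names, thresholds, resources and sample records are assumptions chosen for illustration.

```python
"""Added example: a device-posture-aware zero-trust access decision.
Everything here (field names, thresholds, sample data) is hypothetical."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Identity:
    user: str
    mfa_verified: bool
    roles: set[str] = field(default_factory=set)


@dataclass
class DevicePosture:
    device_id: str
    managed: bool            # enrolled in device management
    disk_encrypted: bool
    edr_running: bool
    os_patch_age_days: int   # days since the OS was last fully patched
    reported_at: datetime    # when this posture was attested (timezone-aware)


@dataclass
class Decision:
    allowed: bool
    reasons: list[str]       # empty when allowed; otherwise every failed check


# Hypothetical policy: which role a resource needs, and how fresh posture must be.
REQUIRED_ROLE = {"payroll": "finance", "wiki": "employee"}
MAX_POSTURE_AGE = timedelta(minutes=15)
MAX_PATCH_AGE_DAYS = 30


def evaluate(identity: Identity, device: DevicePosture, resource: str,
             now: datetime | None = None) -> Decision:
    """Evaluate one request. Called per request, not per session."""
    now = now or datetime.now(timezone.utc)
    reasons: list[str] = []

    # Identity and entitlement: who is asking, and are they allowed?
    if not identity.mfa_verified:
        reasons.append("mfa-required")
    role = REQUIRED_ROLE.get(resource)
    if role is None:
        reasons.append("unknown-resource")
    elif role not in identity.roles:
        reasons.append("missing-role:" + role)

    # Device posture: what are they asking from?
    if not device.managed:
        reasons.append("unmanaged-device")
    if not device.disk_encrypted:
        reasons.append("disk-not-encrypted")
    if not device.edr_running:
        reasons.append("edr-not-running")
    if device.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append("os-patches-overdue")

    # Freshness: a posture report is itself a claim, and claims go stale.
    if now - device.reported_at > MAX_POSTURE_AGE:
        reasons.append("posture-stale")

    return Decision(allowed=not reasons, reasons=reasons)


def demo() -> dict[str, Decision]:
    """Run the policy over constructed scenarios with a fixed clock."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    alice = Identity("alice", mfa_verified=True, roles={"finance", "employee"})
    bob = Identity("bob", mfa_verified=False, roles={"employee"})
    healthy = DevicePosture("lt-001", True, True, True, 7, now - timedelta(minutes=2))
    stale = DevicePosture("lt-001", True, True, True, 7, now - timedelta(hours=3))
    byod = DevicePosture("phone-9", False, True, False, 60, now - timedelta(minutes=1))
    return {
        "alice-payroll-healthy": evaluate(alice, healthy, "payroll", now),
        "alice-payroll-stale": evaluate(alice, stale, "payroll", now),
        "alice-payroll-byod": evaluate(alice, byod, "payroll", now),
        "bob-payroll-healthy": evaluate(bob, healthy, "payroll", now),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'ALLOW' if decision.allowed else 'DENY'} {decision.reasons}")
```

Note that the same user on the same laptop is denied a few hours later purely because the posture evidence aged out; that is the "always verify" half of the mantra, and it is what a device-blind policy engine cannot express.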
Failure to adequately address the security implications of supply-chain and third-party partner access to organizational data and systems
The supply chain risk to organizations was laid bare earlier this year, but the truth is it has been building for many years. Too many third-party assurance programs are built on manual, spreadsheet-based questionnaires and on trusting that partners answer them honestly. The result is a point-in-time, incomplete picture of supplier risk.
We need to get to a data-driven model where you can assess a supplier's security posture almost machine-to-machine. It should take in patch and vulnerability telemetry, as well as data on security architecture, the software development lifecycle, threat modelling and more, for a more holistic and accurate picture.
A data-driven approach also means you can run these checks once a month rather than once a year, for continuous risk insight.
Implement formalized vulnerability management programs and regular penetration testing to understand attack surfaces
Too many vulnerability management programs fall at the first hurdle today. Security teams are happy if they can complete a vulnerability scan of all enterprise endpoints within a month.
That data is then handed to IT operations to match against available patches before testing and deployment. The result is that they can be running 75 days or more behind the date a patch was first made available.
On the other side, we know that threat actors are building exploits and scanning for vulnerable machines across the internet within minutes.
Visibility into all enterprise endpoints, at speed and scale, is foundational here. Organizations need to be getting comprehensive answers back about vulnerable assets within seconds or minutes, not weeks.
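The two measurements this section and the supply-chain section above turn on are how long scanning takes to notice a fix exists and how long after the fix the asset stays exposed. As an added example, not code from the report, from Tanium or from CDW, the block below computes both from a constructed scanner export and flags findings that exceed a hypothetical per-severity SLA. The same calculation is what a supplier would expose machine-to-machine under the data-driven model described earlier. The CSV layout, finding names, dates and SLA values are all assumptions.

```python
"""Added example: patch latency and SLA breaches from constructed scan telemetry.
The export format, finding identifiers, dates and SLAs are hypothetical."""
from __future__ import annotations

import csv
import io
from datetime import date

# Constructed sample export, one row per (asset, finding), as a scanner might emit it.
# patch_released: vendor fix available; first_seen: scanner first reported it;
# remediated: blank while the finding is still open.
SCAN_EXPORT = """asset,finding,severity,patch_released,first_seen,remediated
web-01,ADV-001,critical,2024-03-01,2024-03-28,2024-05-20
web-02,ADV-001,critical,2024-03-01,2024-03-28,
db-01,ADV-002,high,2024-04-10,2024-05-07,2024-05-30
hr-07,ADV-003,medium,2024-02-15,2024-03-12,2024-03-20
"""

# Hypothetical remediation SLA in days, counted from fix availability, not from discovery.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 60}


def parse_export(text: str) -> list[dict]:
    """Parse the CSV export into rows with real date objects."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "asset": rec["asset"],
            "finding": rec["finding"],
            "severity": rec["severity"],
            "patch_released": date.fromisoformat(rec["patch_released"]),
            "first_seen": date.fromisoformat(rec["first_seen"]),
            "remediated": date.fromisoformat(rec["remediated"]) if rec["remediated"] else None,
        })
    return rows


def assess(rows: list[dict], as_of: date) -> dict:
    """Per-finding lag figures plus a fleet summary as of a given date."""
    findings = []
    for r in rows:
        end = r["remediated"] or as_of           # still-open findings keep accruing lag
        patch_lag = (end - r["patch_released"]).days
        detection_lag = (r["first_seen"] - r["patch_released"]).days
        sla = SLA_DAYS[r["severity"]]
        findings.append({
            "asset": r["asset"],
            "finding": r["finding"],
            "open": r["remediated"] is None,
            "detection_lag_days": detection_lag,  # how long scanning took to notice
            "patch_lag_days": patch_lag,          # total exposure since a fix existed
            "sla_days": sla,
            "breached": patch_lag > sla,
        })
    return {
        "findings": findings,
        "open": sum(f["open"] for f in findings),
        "breached": sum(f["breached"] for f in findings),
        "worst_patch_lag_days": max(f["patch_lag_days"] for f in findings),
        "mean_detection_lag_days": sum(f["detection_lag_days"] for f in findings) / len(findings),
    }


def demo() -> dict:
    return assess(parse_export(SCAN_EXPORT), as_of=date(2024, 6, 30))


if __name__ == "__main__":
    report = demo()
    for f in report["findings"]:
        state = "OPEN" if f["open"] else "fixed"
        flag = "BREACH" if f["breached"] else "ok"
        print(f"{f['asset']:6} {f['finding']} {state:5} detect={f['detection_lag_days']:3}d "
              f"lag={f['patch_lag_days']:3}d sla={f['sla_days']}d {flag}")
    print(f"open={report['open']} breached={report['breached']} "
          f"worst={report['worst_patch_lag_days']}d "
          f"mean detection lag={report['mean_detection_lag_days']:.1f}d")
```

In the constructed data the monthly scan cadence alone costs about 27 days before anyone knows the fix is needed, and the exposed window then runs to 80 days on the patched host and keeps growing on the one still open. Measuring lag from fix availability rather than from first_seen is the point: it is the number the attacker's clock is running on.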
Penetration testing is another critical part of improving organizational resilience. But too often the problems highlighted by Red Teams are fixed only narrowly.
No wider lessons are learned about why the Blue Team didn't spot the attacks. I'd like to see more Purple Teaming: Red and Blue teams working closely together so that when the former finds something, they collaborate to fix the underlying issue and learn from it.
Purple Teaming encourages dialogue to enhance overall detection and response — and what organization wouldn’t benefit from that today?
To learn more about how the Tanium platform provides organizations with real-time visibility, comprehensive control and rapid response across operations, contact your CDW account representative.