In their third annual study of how today's CISOs and risk management professionals are handling modern security threats (both insider and external), the Ponemon Institute came out with some statistics that—while sobering—didn't exactly shock us to the core.
The truth is, the problems made glaringly evident by this survey are ones that any SecOps practitioner will recognize. We're sharing a few of the ones that really jumped out at us here because the first step towards solving a problem is talking about it, not just within the bubble of the security industry but also with IT Operations teams and business leaders.
Go here to read the full 22-page report for yourself, but for now here are our top three takeaways:
#1: 68% of respondents said business leaders don't understand how advanced threats can impact the enterprise.
A breach today has a far broader range of potential impact than many non-technical leaders initially realize: the loss or exposure of the data itself, regulatory fines under legislation like GDPR, and the hard-to-measure but easy-to-feel hit to your reputation. Threats that make it past your perimeter defenses and into the network itself can cause significant and lasting damage.
On the one hand, yeah, that's obvious, right? But many organizations clearly still find it challenging to turn this knowledge into meaningful investment in a cross-functional security posture that covers both deep knowledge of the attack surface (often found with the IT Ops team, who know their environments inside and out) and the ability to prioritize, investigate, and respond to threats quickly.
#2: Only 33% reported knowing where critical data are stored.
In other words, only a third of respondents felt confident that they know which systems in their inventory hold the data whose loss or exposure would do the most damage if attackers reached them.
If you look at any of the industry frameworks for IT security (the CIS Controls and the NIST Cybersecurity Framework both open with asset management), you'll find two things at the top of every list:
- Know what's inside your environment.
- Know which assets are critical to the business.
This matters not only for gauging how much trouble you're in when attackers do come knocking, but because without it, prioritizing alerts out of a sea of thousands becomes almost impossible: an alert on a host you can't place in your inventory gives you no context for deciding whether it matters.
Many major breaches don't happen because the SecOps team wasn't skilled enough to stop the attack, but because the one crucial warning was buried among the false positives and non-critical alerts that land in the queue every single day.
Knowing where your critical data is stored is the first thing you can do to improve that signal-to-noise ratio: the same alert means something very different on a customer database than on a lobby kiosk.
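As an added illustration (this is not code from the post or from the Ponemon report), the Python sketch below shows why the inventory is what makes prioritization possible. The same constructed alerts are ranked once by vendor severity alone and once by severity weighted with an asset-criticality tier taken from a hypothetical inventory export. Hostnames, tiers, weights and alerts are all constructed for the example; an alert on a host missing from the inventory is escalated rather than ignored, because an asset you cannot place is itself a gap in "know what's inside your environment".

```python
"""Asset-criticality-weighted alert triage (added example, constructed data)."""
from dataclasses import dataclass
from typing import Iterable

# Weight applied to the detection tool's severity by asset tier (chosen for illustration).
CRITICALITY_WEIGHT = {
    "crown_jewel": 3.0,   # holds customer PII / regulated data
    "business": 1.5,      # business-important, but not the data you would be fined for
    "standard": 1.0,      # commodity endpoints
    "unknown": 2.0,       # not in inventory: treat as suspicious, never as low value
}

# Constructed inventory (stands in for a CMDB export): hostname -> criticality tier.
ASSET_INVENTORY = {
    "db-cust-01": "crown_jewel",
    "erp-app-02": "business",
    "dev-jump-07": "standard",
    "kiosk-lobby-1": "standard",
}


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    severity: int  # 1 (informational) .. 10 (critical), as emitted by the detection tool


# Constructed sample alerts: a day's worth of noise around one signal that matters.
ALERTS = [
    Alert("kiosk-lobby-1", "Outbound scan to printer subnet", 6),
    Alert("dev-jump-07", "Failed SSH logins (brute force)", 7),
    Alert("db-cust-01", "New local admin account created", 5),
    Alert("erp-app-02", "Unsigned binary executed", 6),
    Alert("hr-laptop-22", "Credential dump tool detected", 5),  # host not in inventory
    Alert("kiosk-lobby-1", "USB storage mounted", 3),
]


def criticality(host: str, inventory: dict[str, str]) -> str:
    """Look up the asset tier; anything the inventory cannot place is 'unknown'."""
    return inventory.get(host, "unknown")


def risk_score(alert: Alert, inventory: dict[str, str]) -> float:
    """Vendor severity scaled by how much the affected asset matters to the business."""
    return alert.severity * CRITICALITY_WEIGHT[criticality(alert.host, inventory)]


def triage(alerts: Iterable[Alert], inventory: dict[str, str]) -> list[tuple[float, Alert]]:
    """Rank alerts highest risk first (stable sort keeps the input order for ties)."""
    return sorted(((risk_score(a, inventory), a) for a in alerts), key=lambda t: -t[0])


def top_alert(alerts: Iterable[Alert], inventory: dict[str, str]) -> Alert:
    """The single alert an analyst should open first."""
    return triage(alerts, inventory)[0][1]


def unplaced_hosts(alerts: Iterable[Alert], inventory: dict[str, str]) -> set[str]:
    """Hosts that raised alerts but are missing from the inventory: gaps to close."""
    return {a.host for a in alerts if a.host not in inventory}


if __name__ == "__main__":
    print("Ranked by vendor severity alone (no asset knowledge):")
    for a in sorted(ALERTS, key=lambda a: -a.severity):
        print(f"  sev={a.severity:2d}  {a.host:14s} {a.rule}")

    print("\nRanked by severity x asset criticality:")
    for score, a in triage(ALERTS, ASSET_INVENTORY):
        tier = criticality(a.host, ASSET_INVENTORY)
        print(f"  risk={score:5.1f} [{tier:11s}] {a.host:14s} {a.rule}")

    print("\nHosts not in inventory:", sorted(unplaced_hosts(ALERTS, ASSET_INVENTORY)))
```

Ranked by severity alone, the brute-force attempt against a standard dev jump host tops the list; once the inventory is applied, the new admin account on the customer database moves to the top and the credential-dump alert on the unplaced laptop comes second. The weights are deliberately simple: the point is that any weighting at all requires the inventory first.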
#3: Only 34% have security staff capable of identifying and resolving insider threats.
There is an assumption that threat hunting is solely the purview of highly trained veterans of the industry. Sure, experience can only help, but we challenge you to pivot your thinking on this one:
Instead of putting enormous pressure on the business to hire those rare, highly skilled InfoSec professionals (who often act as threat hunters on top of their original roles as admins or analysts), look at how you can get more out of the people you already have. Give them better visibility inside the network, machine learning that is accurate enough to help them prioritize and investigate rather than add to the noise, and collaborative workflows that let them find answers and respond quickly. That is the only realistic way to scale your security posture for 2019 and beyond.
Hopefully you've found some useful takeaways here. Check below for other posts on improving your security posture; I also highly recommend Gartner's report on aligning NetOps and SecOps to share tools and knowledge for a more secure enterprise.