SANS on Defining and Measuring Cybersecurity Visibility

Security visibility is a lot like modern art—it varies from critic to critic, and while it's difficult to define, most people (and security experts) know it when they see it.

But what about when you don't see it? After all, visibility can be amorphous and challenging, subject to the time-honored truism: You don't know what you don't know. That's why leading organizations are working to define and measure visibility. Through that effort, these organizations are showing that the best way to defend your company is to have a full picture of it, warts and all.

SANS has produced a new white paper that digs into how to define and measure visibility, and why every organization should take steps to establish a strategy.

Uncovering the Gaps in Your Visibility Road Map

Understanding the concept of visibility may seem simple enough, but it's quite subjective.

When we think of cybersecurity visibility, it's traditionally around devices, applications, endpoints, and networks. Survey data backs this up. The lack of visibility into what data is being processed in the infrastructure and where is one of the most common gaps respondents reported in the 2020 SANS Network Visibility and Threat Detection Survey. But that's far from the only discrepancy.

Visibility often specifically calls to mind technology like devices, applications, endpoints, and networks. Frank Kim, Fellow and lead for both the SANS Cybersecurity Leadership and SANS Cloud Security curricula, explains that "we also need visibility into users (identity, access, risk profile) and key business processes (M&A, entry to new markets) as well as technology processes (DevSecOps)."

If companies are to avoid falling prey to the next major cybersecurity event, they must break out from their silos with a cohesive, interdisciplinary plan that anticipates future threats. Perhaps the largest vulnerability is a mindset that it's not my job. This is where the human factor must be addressed: Your visibility strategy will touch your whole team. Two guiding points can help you. First, understand your top human risks and second, understand your organization's ability to manage (and reduce) those risks.

Why Organizations Must Look Forward

Hindsight is 20/20, but it only gets companies as far as they've come. There's something to be said for the ability to look back after an incident and analyze what failed. However, that alone is not enough to anticipate future dangers and targets. You need a forward-looking strategy to get ahead.

For example, early visibility might have indicated that SolarWinds was a probable target for attackers. It had a high market share and heavy adoption, and was installed on sensitive internal networks. Armed with that early visibility, rather than relying solely on past experiences, enterprises could have moved proactively to profile behaviors and monitor suspicious activity. Instead, SolarWinds became the largest and most sophisticated incident in history.

Organizations need to know the potential weaknesses that exist in their infrastructure today so they can address them.

Knowing It and Seeing It

We know that organizations with a strong visibility strategy—i.e., one that works in sync with their security profile—are in a good situation to assess where to make investments to improve and be proactive.

One key component here is the ability to visualize what's happening in real time. That's where dashboards can be excellent solutions to gain actionable insights. While the concept has been around for a few years, dashboards are still incredible tools to track, analyze, and report on metrics and indicators, and share that information out with stakeholders. An example is tracking the ratio of devices on the network that are fully patched and up to date.

Taking this one step further, use of advanced analysis and machine learning can identify threats so organizations can neutralize them before they cause damage. This forward-looking practice is critical to avoid the devastating costs—both financial and reputational—that come from a breach.

With a solid visibility strategy and the right tools in place, you can begin to uncover success patterns and achieve a cybersecurity masterpiece.

Learn more by downloading the SANS white paper, Making Visibility Definable and Measurable.