Vulnerabilities / Threats

7/26/2018
03:30 PM
Mike Armistead
Mike Armistead
Commentary
100%
0%

5 Ways Small Security Teams Can Defend Like Fortune 500 Companies

Keep your company protected with a mix of old- and new-school technologies.

Your security budget is small. You know this. You have a staff of three that must do "all things cybersecurity" for a midsize or large enterprise. Or maybe you're a solo security manager whose outsourced security monitoring service only occasionally sends real incidents. You might even be that IT guy who is expected to wear multiple security hats for a few hours each week. You show no sympathy as you listen to a panel webcast consisting of large financial institutions discuss how hard it is to find the 20, 40, or 100 skilled staff members they need.

You wish you had more personnel to cover more ground, but additional head count (or additional budget for a managed security services provider) just isn't coming. And all the while, your attack surface grows and the data generated by expanding digitization of your business skyrockets. How can you effectively defend your enterprise like the "fat cats" do? A mixture of old school and new, emerging technology "ingredients" give you capabilities that even those with larger cybersecurity budgets would be hard-pressed to match.

Ingredient #1: Core telemetry. When you can't do everything, you need to focus — and that focus should be on the endpoint and network. There is a reason that these two areas have long attracted attention and automation — they can tell you a lot about whether you are compromised or not. The good news for resource-strapped teams is that most every organization has existing telemetry, including endpoint protection platforms — aka anti-malware/antivirus — and intrusion detection/prevention systems. These may not be sexy (did I just use that term in a security website?), but they still offer a wealth of capabilities. Before you chase after the latest, greatest, machine learning (ML)-based widget, look to deploy proven (and relatively inexpensive) core telemetries first.

Ingredient #2: Context. Getting an alert is only half of the security equation. The other half is figuring out if it matters. To determine the impact for any alert, you must understand its context. Therefore, know your IT infrastructure, especially where the critical assets and system vulnerabilities are. Strive to spend resources, time, and energy tracking down indicators that truly matter, and don't just chase every alert.

Ingredient #3: Automated analysis. We've finally reached the point where artificial intelligence (AI)- and ML-based solutions can perform tasks that up till now have been manual. This goal, however, is not simply to acquire a tool claiming ML or AI (because every security vendor can sell you one). The ingredient you need uses software to perform tasks that people either aren't good at or consume too much time, including monitoring high-volume, repetitive data involving ingredients #1 and #2. The key questions you must ask those offering this new-fangled ingredient include "does it save me time/resources without adding time/resources elsewhere?" (the bane of security information and event management systems, user entity and behavior analytics software, and orchestration tools) and "can you prove it works?"

Ingredient #4: Easy scaling. A common strategy among security teams is to create a funnel to match the available resources of a team. For example, only investigate critical alerts because the team doesn't have the bandwidth to process the highs, mediums, and lows. Although such strategies offer useful coping mechanisms, this approach guarantees things will be missed. New solutions — especially those that offer hybrid or cloud-only architectures — offer to turn this funnel into a pipe, providing the needed extra capacity and associated processing power on demand. Just don't forget to include service-level agreement terms to ensure your supplier expands as you need it.

Ingredient #5: Automated upkeep and learning. As mentioned above, many of today's core security operations products require significant setup and ongoing attention to deliver on their promise. Here's my advice for resource-constrained security teams: Beware of the platform! In most cases, that term means both "power to configure to your situation" (good!) and "you must pay the costs to maintain over time" (bad!). Instead, adopt technologies that can upgrade automatically, a practice that is increasingly common. (Note: Although Respond offers this, so do many other companies in this market.) Also look for solutions that can automatically adapt over time via self-learning to produce better results. Don't get too caught up in how — concentrate more on the nature of what is adapted or learned and which tasks it removes from your team.

These five ingredients can elevate your smaller-budgeted security team. With a mixture of old- and new-school approaches and technologies — especially emerging solutions aimed at automating previously manual tasks without hidden costs — your security team can perform like a much larger organization.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Register before July 27 and save $700! Click for more info

Mike Armistead is co-founder and CEO of Respond Software, a Silicon Valley software company that brings artificial intelligence (AI)-based products to cybersecurity teams to help them more effectively defend their enterprise.  Mike is a serial entrepreneur with ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
techate
50%
50%
techate,
User Rank: Guru
7/28/2018 | 11:44:31 AM
Cyber Security For Small Business
Cybersecurity is hot and demanding for a small business. As you know hacking activities have been increasing for a few years and opposite small business could not improve ist status so small businesses have more affected. Google Customer Service is work as cybersecurity for small business
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Mozilla, Internet Society and Others Pressure Retailers to Demand Secure IoT Products
Curtis Franklin Jr., Senior Editor at Dark Reading,  2/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8933
PUBLISHED: 2019-02-19
In DedeCMS 5.7SP2, attackers can upload a .php file to the uploads/ directory (without being blocked by the Web Application Firewall), and then execute this file, via this sequence of steps: visiting the management page, clicking on the template, clicking on Default Template Management, clicking on ...
CVE-2019-7629
PUBLISHED: 2019-02-18
Stack-based buffer overflow in the strip_vt102_codes function in TinTin++ 2.01.6 and WinTin++ 2.01.6 allows remote attackers to execute arbitrary code by sending a long message to the client.
CVE-2019-8919
PUBLISHED: 2019-02-18
The seadroid (aka Seafile Android Client) application through 2.2.13 for Android always uses the same Initialization Vector (IV) with Cipher Block Chaining (CBC) Mode to encrypt private data, making it easier to conduct chosen-plaintext attacks or dictionary attacks.
CVE-2019-8917
PUBLISHED: 2019-02-18
SolarWinds Orion NPM before 12.4 suffers from a SYSTEM remote code execution vulnerability in the OrionModuleEngine service. This service establishes a NetTcpBinding endpoint that allows remote, unauthenticated clients to connect and call publicly exposed methods. The InvokeActionMethod method may b...
CVE-2019-8908
PUBLISHED: 2019-02-18
An issue was discovered in WTCMS 1.0. It allows remote attackers to execute arbitrary PHP code by going to the "Setting -> Mailbox configuration -> Registration email template" screen, and uploading an image file, as demonstrated by a .php filename and the "Content-Type: image/g...