No matter how much we invest in defense and how many new solutions hit the market every year, we still face an onslaught of highly successful cyberattacks. Hackers are savvy and persistent, and our failure to keep pace is leading to a problem projected to eclipse $3 billion in losses, according to 2018 data.
Particularly as the cyber arms race has ratcheted up over the years, I have seen a fixation on technology and consistently poor investment in people and process to operate it. We absolutely need the technology, but we can't forget or overstate the importance of humans working methodically to make it effective, especially for security monitoring.
I have long seen organizations of all kinds fail to approach security monitoring with the same discipline and rigor they afford to other business programs. For cyber defenses to be effective, we must begin to view and manage security monitoring as an essential business service.
Here are the common pitfalls I see, and how to overcome them.
When a business function is regarded as critical, it is resourced with the time and talent it requires. Could a security breach render your organization helpless? If you answered yes, security monitoring is more than just a "nice-to-have."
I routinely see organizations task folks with security monitoring duties while still expecting them to drive other IT initiatives and work on a myriad of unrelated issues. This best-effort approach lacks the experience, training, focus, and proper staffing necessary to run an effective monitoring program. Tasking even your most skilled generalist with security monitoring is the equivalent of asking a sales rep to take over an entire marketing function. They may have dabbled, but they need expertise, a team, and ample time to do it right.
Your monitoring analysts need to know what they're looking for and looking at. It's a tough role to fill, and analyst burnout is a thing. That makes developing this team one of the more difficult challenges for a security leader. However, taking the time to recruit and retain good analysts will pay dividends in threat detection and ultimately business risk reduction. Moreover, as team members begin to perform a deeper analysis of environment activity, they will likely arm you with valuable insights about the implementation and efficacy of your broader security infrastructure investments and overall program.
Failure to Identify and Drive Toward Outcomes
There's an assumption that security analysts inherently know what constitutes an "incident" and how to find it, and to some extent this is true. But if the organization hasn't defined and prioritized the kinds of incidents that might cripple or cost the business, there's a good chance that important events will never even cross the analysts' radar.
Consider a business with an e-commerce presence. Should the security monitoring program be extended to the applications and infrastructure delivering that service? Let's assume it should. Does the monitoring program look for traditional network-based attacks? Application-level attacks? Insider activity? Account takeovers? Compliance-impacting events? You see where this is going.
Each one of these monitoring use cases is supported by special telemetry and processes, and some may warrant special service-level agreements. Without careful planning and prioritization, it's quite likely that the monitoring team doesn't even have visibility into some of these events, let alone the ability to deliver consistent outcomes the business requires.
Make sure your monitoring program has clearly defined and prioritized service deliverables, then be sure to establish the telemetry and processes necessary to fulfill these essential business objectives.
Forgetting the Basics
We invest in security infrastructure with the hope of becoming less penetrable or better equipped to detect and respond to those events that warrant our attention. Unfortunately, many businesses make major technology purchases, then fail to get those technologies fully integrated into the environment and the business operations they serve.
Take firewalls, for instance — a basic, decades-old technology that is synonymous with network security. They remain a table-stakes infrastructure investment in every organization with a modicum of cybersecurity concern. At the same time, firewall management practices are straight from the Wild West in many, many organizations.
Time and time again, I have encountered organizations, even enterprise environments, that have no semblance of configuration standards, porous rule sets, and unenabled features. In many of these organizations, each firewall configuration looks like a complete one-off. In the rush to next-gen devices, many implementation efforts were declared complete immediately after performing a like-for-like migration of outdated Cisco Adaptive Security Appliance policies.
What does this have to do with monitoring? Everything.
Firewalls are just one example of monitoring telemetry. When telemetry is not implemented correctly, consistently, and completely, your monitoring effort will have visibility gaps. When these gaps are the result of inconsistent implementations, they may go undetected for some time, all the while leaving you with a false sense of security. Your telemetry (all that security technology you've invested in), where it's placed, how it's configured, and how it's managed is critical to your monitoring program success.
People, process, technology: We all know how important these are, yet we often lose sight of that fact. Hopefully, these insights help you to maintain the balanced view required to monitor your environment effectively.