Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

6/8/2020
09:00 AM
By Earl Matthews, Maj Gen, (Ret), Vice President of Strategy, Mandiant Security Validation
By Earl Matthews, Maj Gen, (Ret), Vice President of Strategy, Mandiant Security Validation
Sponsored Article
100%
0%

Why Now Is the Time for Security Validation

With tight budgets and a cybersecurity skills shortage, companies need a process, risk framework, and platform to continuously measure, optimize and rationalize security investments.

Did you know…

  • 53% of attacks successfully infiltrated without detection?
  • Only 9% of alerts are sent to the SIEM?
  • 65% of the time, CISOs are unaware that an attack could bypass their defenses?

Do you know what these statistics mean for your company, or how secure your assets are and what value you’re getting from your security investments? The data comes from the Mandiant Security Effectiveness Report 2020, A Deep Dive Into Cyber Reality, which shares findings from an evaluation of enterprise production environments across 11 global industries. The report reveals that despite a steady growth in security spending, organizations operate under the assumption that they are protected from cyber threats when in fact, most companies will be breached -- or already have been but they don’t know it.

This happens for many reasons, but most frequently because:

  • Security tools have not been properly configured or have regressed over time,
  • There are gaps in security protocols,
  • The IT environment is overly complicated, or
  • Security teams do not always have visibility to changes made to the IT infrastructure -- which is catastrophic, as one small change in the network can cause environmental drift to security.

This is clearly problematic from a security standpoint but it also means companies are investing in security and not getting the intended value. In today’s economic climate, businesses can’t afford to spend money on technology that doesn’t perform as expected. This was the case before Covid-19 struck, but now, with economic uncertainties and companies needing to cut costs, the mandate has become clear: CISOs and CFOs must work together in new ways to answer the age-old question “Are we safe from attacks?” with quantifiable metrics and proof. How well they do this may very well determine the financial future of the company.

Security Validation: Reduce Risk While Optimizing Performance 
What I’m talking about is the need for CISOs and CFOs to validate performance of their security investments. Validation is about measuring the effectiveness of a security program across technology, people, and processes to determine if an organization is getting value from their security spend. It’s also about aligning the security stack with desired business outcomes -- be it cutting costs, reducing risk or strengthening the brand, particularly when measured against the threats most likely to target the business.

This is not easy. Most organizations today have between 30-70 security tools, which lends to IT complexity and overlapping controls. Sure, companies are doing everything they can to maintain a strong security posture. But spending millions of dollars without knowing how well each control is performing or how to optimize each point solution for a particular IT environment is not an effective strategy.

To properly validate security performance, companies need a process, risk framework, and a platform to continuously measure a company’s security effectiveness, validate security performance, and financially rationalize cybersecurity investments. This process and framework cannot be a one-time process. Continuous vigilance and validation must be the new normal in order to protect against the acts of cyberhackers and respond to IT infrastructure drift, and unforeseen acts of nature. Three key steps must be taken:

  1. Assess to understand the relevance of threat intelligence and exposure to a likely attack and establish a baseline of the effectiveness of a company’s current cyber security program.
  2. Optimize to ensure that effectiveness is maintained, if not increased, once gaps and shortcomings are addressed or changes to the organization’s risk profile are established.
  3. Rationalization of financial value and costs means attaching financial value to cybersecurity effectiveness in order to justify spend, reduce costs and eliminate duplication and waste  while simultaneously maintaining or increasing security effectiveness in key areas: executive communications, remote working protocols, and customer data protection. Financial rationalization can demonstrate the alignment between the efforts of the cybersecurity technology stack, policies, and people with the desired outcomes, priorities, costs, and risk profile of the company.

I will be hosting a webinar on this topic, Validate Security Performance to Rationalize Investments, as part of the FireEye Virtual Summit at 4pm ET on June 11, in which I will discuss the need for rationalization of security investments and outline key steps to strengthen your security posture and minimize cyber risk. (To register for the webinar visit here.)

Without data-driven evidence of security performance, companies stake their brand reputation and financial performance on assumptions that simply don’t match reality. Only by validating the effectiveness of security controls through automated data measurement, optimization and rationalization can a company maximize protections and minimize risk across the entire business.

To learn more about the FireEye Virtual Summit, or to register, click here.

About the Author

Earl Matthews, Maj General (Ret)
VP Strategy, Mandiant Security Validation
Major General Earl Matthews USAF is an award-winning retired Major General of the U.S. Air Force with a successful career influencing the development and application of cybersecurity and information management technology. His strengths include his ability to lead large-scale, diverse, global organizations that operate, extend, maintain and defend global networks. He has earned a reputation as a motivational leader and change agent focused on delivering technical innovations that resolve complex challenges.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-25694
PUBLISHED: 2021-05-13
Teradici PCoIP Graphics Agent for Windows prior to 21.03 does not validate NVENC.dll. An attacker could replace the .dll and redirect pixels elsewhere.
CVE-2020-12967
PUBLISHED: 2021-05-13
The lack of nested page table protection in the AMD SEV/SEV-ES feature could potentially lead to arbitrary code execution within the guest VM if a malicious administrator has access to compromise the server hypervisor.
CVE-2021-26311
PUBLISHED: 2021-05-13
In the AMD SEV/SEV-ES feature, memory can be rearranged in the guest address space that is not detected by the attestation mechanism which could be used by a malicious hypervisor to potentially lead to arbitrary code execution within the guest VM if a malicious administrator has access to compromise...
CVE-2021-22152
PUBLISHED: 2021-05-13
A Denial of Service due to Improper Input Validation vulnerability in the Management Console component of BlackBerry UEM version(s) 12.13.1 QF2 and earlier and 12.12.1a QF6 and earlier could allow an attacker to potentially to prevent any new user connections.
CVE-2021-22153
PUBLISHED: 2021-05-13
A Remote Code Execution vulnerability in the Management Console component of BlackBerry UEM version(s) 12.13.1 QF2 and earlier and 12.12.1a QF6 and earlier could allow an attacker to potentially cause the spreadsheet application to run commands on the victim’s local machine with t...