News – The Expert View: The Future SOC – TEISS


Businesses are facing an environment with massively distributed architecture and service consumption, from multi-cloud installations to IT estates that mix on-premises and off-premises systems. Introducing a TEISS Breakfast Briefing at London’s Langham Hotel, James Todd, CTO at Adarma, said organisations must consider their controls on all those environments to protect their data.

He told the attendees, all of whom were senior security executives from a range of industries, that the security operations centre (SOC) of the future will need oversight of all those environments, while also staying abreast of new tools and technologies, such as artificial intelligence and machine learning.

Assessing risk

Securing the estate is a challenge because, as one attendee explained, many organisations do not have a good enough overview of their assets. But they can’t understand risk without an up-to-date picture of their assets – and part of staying up to date is making regular risk assessments. Companies assess their credit risk frequently, for example, but are often happy to assess cyber risk just once a year. Both are existential risks and need to be monitored regularly.

This allows for a more mature attitude to risk. Most businesses say they carry out all their patches, or at least try to, but some attendees argued that this can be a less mature approach. It isn’t worth patching a vulnerability identified by a manufacturer if you know that you are not at risk from that problem, perhaps because the asset in question on your estate is not connected to the internet. You could spend the time on something more useful instead. However, you would only be able to make this decision with a clear understanding of your IT environment.

If the future SOC is one built on a mature risk understanding, it is also one where companies focus beyond the obvious. One attendee said businesses give most attention to immediate security alerts, at the expense of smaller, less obvious events that might be chained together to point to a more complex threat. A series of small actions playing out over several years might be overlooked entirely by many SOCs, he argued. However, sophisticated attackers are often willing to play a long game to get the access they want.

Adding to this risk is the fact that many SOCs only keep logs for the past six months unless they are in a regulated sector where longer record-keeping is mandated. It can be expensive to store records for longer periods, but some patterns of suspicious behaviour do not become apparent in just six months.
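The two points above, low-severity events that only form a pattern when chained, and retention windows too short for that pattern to ever appear in one query, can be shown together with a small correlation routine. The code below is an added illustration, not material from the briefing or from Adarma; the event names, the three-step chain and the sample log entries are all constructed for the example. It groups events per actor, looks for the chain steps in order regardless of the gaps between them, and first discards anything older than the retention window, so the same data either does or does not yield a detection depending only on how long logs are kept.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, actor, event type); not real log data.
# The service account's three steps are spread over roughly fourteen months.
SAMPLE_EVENTS = [
    ("2021-02-03T09:12:00", "svc-backup", "new_admin_group_member"),
    ("2021-09-14T22:41:00", "svc-backup", "scheduled_task_created"),
    ("2022-04-20T03:05:00", "svc-backup", "outbound_transfer_large"),
    ("2022-05-01T10:00:00", "alice", "failed_login"),
    ("2022-05-01T10:01:00", "alice", "failed_login"),
    ("2022-05-02T11:30:00", "bob", "scheduled_task_created"),
]

# Hypothetical ordered chain: each step is low severity on its own, but the
# sequence for one actor is worth an analyst's attention.
CHAIN = ("new_admin_group_member", "scheduled_task_created", "outbound_transfer_large")


def parse_events(raw):
    """Turn (iso-timestamp, actor, event) tuples into datetime-keyed tuples."""
    return [(datetime.fromisoformat(ts), actor, ev) for ts, actor, ev in raw]


def retained(events, now, retention_days):
    """Keep only events still inside the retention window, as a SOC query would see them."""
    cutoff = now - timedelta(days=retention_days)
    return [e for e in events if e[0] >= cutoff]


def find_chains(events, chain=CHAIN):
    """Return the actors for whom every step of `chain` occurs, in order, with any gap."""
    per_actor = defaultdict(list)
    for ts, actor, ev in sorted(events):       # chronological order per actor
        per_actor[actor].append(ev)
    hits = []
    for actor, seq in per_actor.items():
        step = 0
        for ev in seq:
            if ev == chain[step]:
                step += 1
                if step == len(chain):
                    hits.append(actor)
                    break
    return sorted(hits)


def detect(raw=SAMPLE_EVENTS, now="2022-06-01T00:00:00", retention_days=180):
    """Run the chain detection over whatever the retention policy leaves visible."""
    events = retained(parse_events(raw), datetime.fromisoformat(now), retention_days)
    return find_chains(events)


if __name__ == "__main__":
    print("180-day retention:", detect(retention_days=180))   # nothing to chain
    print("730-day retention:", detect(retention_days=730))   # ['svc-backup']
```

With six months of logs the query only ever sees the final transfer, which on its own looks like routine backup traffic; with two years retained, the same detection surfaces the full chain for the service account. The retention window, not the detection logic, is what decides the outcome here.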

The right incentives

The conversation then turned to the question of whether organisations are using the right Key Performance Indicators (KPIs) to measure and incentivise performance of their SOCs. Often, businesses default to measuring things that are easy to measure, but these can incentivise the wrong behaviours. For example, Mean Time to Respond (MTTR) is a common KPI but how much does speed of response tell you? The most important factor is resolving the incident, or even spotting it before it develops.

One attendee argued that businesses should focus on Key Risk Indicators (KRIs) and concentrate on driving risk down. Then the question becomes what risks you are eliminating and how quickly. This is more important than what has been achieved. For instance, if you are patching servers then the number that matters is not how many you have done but how many you haven’t.

Overall, attendees agreed SOC teams are being incentivised on quantity when they want to be assessed on quality. They want to spend their time hunting for the hard-to-find risks and vulnerabilities. That ties into a point another attendee made about staff retention. He said SOC analysts are hard to “keep entertained”, so they tend to change jobs frequently. Recruiting replacements is time-consuming and expensive, so he plans to outsource his SOC entirely to avoid dealing with that.

Communicating with the board

Implementing the above changes into the future SOC depends on investment from the board, which is where many of those at the briefing had run into problems. “We are trying to provide answers for people who aren’t paying attention to cyber risk,” was how one attendee described it. The challenge is to find a way to communicate better.

One suggestion was to turn the risk into a monetary figure. In this case, the CISO would present a ‘risk value’, which is the likelihood of something happening multiplied by how much the company would lose if it did. The CISO could then explain that the risk value is £4 billion and talk about the extent to which various options could reduce that.

Summarising the conversation, Mr Todd emphasised the need to stay flexible. The future SOC should be able to adopt new tools and technologies when appropriate but not at risk of lock-in, which would reduce the ability to respond flexibly in future.


To find out more, please visit: www.adarma.com
