As technology and IT environments become more complex along with an evolving threat landscape, many organizations have been looking deeper into their cybersecurity defense strategies. Advanced technology brings more sophisticated threats from attackers who target more businesses than ever before, including their supply chains, partners and customers. These changes make cyber defense a priority for the C-Suite.
Organizations continue to struggle at the security operations center (SOC) level, constantly trying to improve their defensive cybersecurity processes and manage the influx of alerts. Meanwhile, the increased success of phishing attacks means training additional security around sensitive data is still important.
By understanding the evolving threat landscape, you can improve your security posture by following a few cybersecurity tips.
Over the last few years, cyberattacks have increased in number and severity, making them more newsworthy. In response to this, legislators look to hold businesses more accountable. Robust incident response is fundamental to these initiatives because many regulations incorporate reporting requirements.
Your security analysts are the first group in your organization to engage with an incident. Many security analysts are overwhelmed by too many alerts, which leaves them either investigating false positives or assuming the alert isn’t important. Giving them high-fidelity alerts is fundamental so that they can identify a real incident quickly and move on to investigating and remediating it.
Artificial intelligence (AI) and machine learning (ML) are more important than ever, especially when SOCs must respond to sophisticated attacks. By preparing them with tools that give them valuable information from across your interconnected IT environment, you enable them to efficiently and effectively respond to incidents.
Incident response consists of the policies and processes used to identify, contain, and eliminate an incident. As you add more technologies to your IT stack, you increase your attack surface. Simultaneously, digital transformation has eliminated the idea of a network perimeter since even people in your offices use a wireless connection. These changes make incident response more challenging.
Your incident response plan isn’t a “set and leave it” process. While your policy defines objectives and roles, you need to continually test and iterate your processes. Newer regulations and standards focus on training incident response teams regularly with tabletop exercises or red teaming. The more your team reviews and iterates the processes, the faster they can contain and eliminate an incident.
The evolving regulatory landscape changes your company’s responsibilities. With more new privacy and cybersecurity laws enacted every year, your compliance and legal risk change.
For example, in 2022, US President Biden signed the “Cyber Incident Reporting for Critical Infrastructure Act” (CIRCIA) into law. In June 2022, the US House Committee on Energy and Commerce voted 53-2 to send H.R. 8152, the “American Data Privacy and Protection Act,” to the House floor.
This regulatory shift isn’t limited to the United States. Since the implementation of the General Data Protection Regulation (GDPR) in 2018, more countries have either updated old laws or passed new laws. China implemented its Personal Information Protection Law (PIPL) and Data Security Law in 2021, and Italy established its National Cybersecurity Agency under Law No. 109 in August 2021.
Understanding new reporting requirements that affect your organization’s compliance and legal risk is mission-critical. For example, CIRCIA requires covered critical infrastructure organizations to report “significant incidents” within 72 hours. Having a SOC that can detect, investigate, and respond to incidents as quickly as possible remains a key component of your security, privacy, and compliance postures. You need to monitor these new laws and ensure that your SOC can meet the reporting deadlines.
Planning for incidents makes your response more rational and efficient. Although each incident is different and the specifics are unpredictable, knowing how you plan to respond and continuously iterating the processes enables cyber resilience.
When regulations discuss employee training, they usually specify that training must be related to an employee’s role and responsibilities. For example, business-level employees need awareness training that tells them how to identify phishing attacks. However, your security analysts already know what a phishing email looks like. They need training that helps them detect anomalous behavior in systems and networks so that they can investigate, contain, and eliminate threats faster. By providing meaningful training through tabletop exercises and red teaming, you give them an opportunity to learn based on their job function.
Complex IT environments require different types of security tools. At the very least, you probably have endpoint detection and response (EDR), firewalls, and identity and access management (IAM) tools. As your attack surface grows, you add more tools. Each tool covering each attack vector sends your security analysts alerts all day long, leading to alert fatigue.
To overcome information overload, you must optimize your security data so that your teams receive high-fidelity alerts. Further, you need to do this before an incident occurs, because your analysts won’t have time while they’re responding to one. When you use automation and artificial intelligence, you support your security analysts by surfacing the most important security data and streamlining response activities. It becomes a force multiplier. Network detection and response (NDR) with self-learning AI helps detect intrusions earlier.
Digital transformation did more than just shift the perimeter. It changed how threat actors deploy attacks. Today, you need to converge security and networking, enabling them to work together.
The SOC is the center of your defensive security program, a centralized location where your security analysts monitor systems and networks to detect an incident. When you converge security and networking, your SOC has the necessary visibility into the activity that indicates abnormal access or data exfiltration.
The network operations center (NOC) is the center of your network health and performance, overseeing infrastructure and equipment, wireless systems, databases, firewalls, network devices, and telecommunications. It ensures that your systems remain available. When you converge security and networking, you ensure that the NOC can focus on network outages related to its duties instead of starting an investigation that is really a security incident it then needs to transfer to the SOC. By providing the SOC and NOC with the same data, both can focus on their own tasks, ultimately ensuring enhanced availability and security.
Software vulnerabilities remain an attack vector. Adversaries pivot their methodologies in the aftermath of a new vulnerability announcement, often within hours or days. To enhance security and reduce security analyst overload, installing security updates as quickly as possible is critical. In addition, another way to detect threats relevant to your organization earlier is to use a digital risk protection service (DRPS). Such a service can monitor an organization’s external attack surface to discover known and unknown vulnerable internet-facing assets that attackers could use. It can also monitor the dark web, underground and invite-only adversary forums, and open-source intelligence (OSINT) sources to discover leaked credentials or data that are up for sale. All of this can help an organization take action earlier and faster on imminent cyber threats.
Deception technology is a non-intrusive, easy-to-manage network of landmines that mimics an organization’s sensitive assets (files, credentials, applications, servers) that only attackers interact with, making it the most accurate way to detect malicious in-network activity. Decoys and deception tokens generate zero false positives and high-quality intelligence data to help SOC teams effectively detect, analyze, and automatically respond to stop attacks before they impact the business.
Deception technology combines the honeypot concept with threat analytics and threat mitigation capabilities, automatically generating deception decoys and tokens to deceive attackers and analyze their behavior. Every interaction with a decoy or token generates high-fidelity, actionable alerts and threat intelligence based on real-time interactions with adversaries, helping to accelerate investigation and response. Further, with built-in, automated attack quarantine capabilities, deception can stop attacks before they escalate and cause damage.
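The following is an added illustration, not Fortinet’s product code, of why decoy interactions produce high-fidelity alerts: legitimate users have no reason to touch a planted decoy account or file, so any log line that references one is alert-worthy on its own, and the source address becomes a containment candidate. The decoy names, log format, and addresses are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed decoy inventory (hypothetical names, not from any real deployment).
DECOY_ACCOUNTS = {"svc_backup_admin", "finance-share"}
DECOY_FILES = {"/srv/finance/Q3_payroll_FINAL.xlsx"}

# Constructed sample log lines in a simplified sshd / audit style.
SAMPLE_LOGS = [
    "2024-03-01T08:02:11Z sshd[412]: Accepted password for alice from 10.0.4.15",
    "2024-03-01T08:05:43Z sshd[417]: Failed password for svc_backup_admin from 10.0.9.77",
    "2024-03-01T08:06:02Z audit: user=bob open path=/srv/finance/expenses.csv src=10.0.4.21",
    "2024-03-01T08:07:30Z audit: user=bob open path=/srv/finance/Q3_payroll_FINAL.xlsx src=10.0.9.77",
]

AUTH_RE = re.compile(r"sshd\[\d+\]: (?:Accepted|Failed) \w+ for (\S+) from (\S+)")
FILE_RE = re.compile(r"audit: user=(\S+) open path=(\S+) src=(\S+)")


@dataclass(frozen=True)
class DecoyAlert:
    kind: str    # "credential" or "file"
    token: str   # which decoy was touched
    source: str  # address that touched it; the host to consider for quarantine


def detect_decoy_interactions(lines):
    """Return one alert per log line that references a decoy account or file."""
    alerts = []
    for line in lines:
        m = AUTH_RE.search(line)
        if m and m.group(1) in DECOY_ACCOUNTS:
            alerts.append(DecoyAlert("credential", m.group(1), m.group(2)))
            continue
        m = FILE_RE.search(line)
        if m and m.group(2) in DECOY_FILES:
            alerts.append(DecoyAlert("file", m.group(2), m.group(3)))
    return alerts


def quarantine_candidates(alerts):
    """Hosts that touched any decoy; deduplicated and sorted for deterministic output."""
    return sorted({a.source for a in alerts})


if __name__ == "__main__":
    found = detect_decoy_interactions(SAMPLE_LOGS)
    for a in found:
        print(f"HIGH-FIDELITY ALERT: {a.kind} decoy {a.token!r} touched from {a.source}")
    print("quarantine candidates:", quarantine_candidates(found))
```

Normal activity by alice and bob on real files produces nothing, while the two decoy touches from 10.0.9.77 each raise an alert and point at the same host for containment.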
The cybersecurity landscape is changing at a rapid pace. Top-performing SOC strategies from five years ago have waned in their effectiveness. As the rate of cyber threats increases and attackers develop more sophisticated strategies, it is more important than ever that businesses take a proactive and adaptive approach to cybersecurity through AI-assisted data management.
A robust cybersecurity strategy starts with a powerful SOC. Businesses that train their employees and maintain a single data set are better equipped to identify and respond to cyberthreats.
Find out how the Fortinet Security Fabric platform delivers broad, integrated, and automated protection across an organization’s entire digital attack surface to deliver consistent security across all networks, endpoints, and clouds.