Enterprises need to be more than secure; they must be cyber resilient. This means being prepared for, able to respond to, and recover from, known and unknown crises, threats, adversities and challenges – all the while ensuring business continuity. On top of this, a strong cyber resilience framework must also support business growth and transformation. To achieve these ends, SOCs must have robust processes that serve as a playbook for real-time effectiveness.
Having an organized playbook in place can be the difference between a significant breach and a minor security incident, and between stifled progress and thriving transformation. While process generally ranks after capabilities in terms of importance, security professionals recognize that it is still critical.
Arguably, the most important security operations process is the regular evaluation of defenses. Doing so confirms that defenses are effective against current threats and that existing security controls continue to operate as expected. Fortunately, progress is being made. For example, upwards of 85% of organizations claim to evaluate their threat models at least once every six months, according to the recent CyberRes 2021 State of Security Operations report. But to what extent? And what is deemed best practice?
The following are our top lessons from the industry report.
Adopting Threat Models
A formalized threat modeling framework, such as MITRE ATT&CK, can help organizations prepare for and respond to threats. Such frameworks are also valued for their ability to identify gaps in security defenses, improve an organization’s ability to remediate threats and ensure that consistent language is used. Simply put, threat models provide detailed guides, checklists and recommended processes to follow to protect against known vulnerabilities.
According to the report, the most frequently used framework is the Cyber Kill Chain – a variant of the US military’s kill chain analysis technique adapted by Lockheed Martin. Not far behind were the MITRE ATT&CK framework and STRIDE, created by Microsoft. Each has its own strengths and flaws, so it is common and advised for organizations to leverage multiple threat modeling frameworks across their security teams. As most frameworks are open-source and can serve many functions, organizations should look into implementing at least one.
Simulation of Defenses Using Cyber Ranges & Red Teaming
Threat modeling isn’t infallible. Human-centric exercises such as red teaming – where employees simulate an adversary's actions – and penetration testing are equally important processes. By simulating an attack, you get first-hand experience of the chain of events as they unfold, gain a proper understanding of how competent your response is, and identify potentially hidden vulnerabilities.
According to the report, over two-thirds of organizations currently run such exercises at least twice a year, with upwards of 90% considering red teaming an essential activity. As part of risk-and-readiness reporting, the results of these exercises should be reported to the board and CISO for due diligence.
Employing Automation
The benefit of automation is a reduction of workloads so employees can focus on higher-value activities. About a third of SecOps decision-makers consider automating remediation tasks to be a top use case for automation, followed closely by reporting risks. Furthermore, more than half of security professionals considered building a repeatable priority intelligence requirements (PIRs) process a top concern for their intelligence-related investments over the next two years.
Intelligent automation is also of vital importance to augment and enhance SOC capabilities. The use of unsupervised machine learning – a system that learns by observation rather than by example – has become critical in checking behavior patterns, spotting abnormalities and detecting potential fraud. These autonomous systems are instrumental in hunting threats and spotting potential risks that may otherwise go unnoticed by a cyber-analyst.
To this end, machine learning is a fundamental piece of a highly automated SOC, helping teams make sense of and manage an increasingly complex attack surface. And while automation will never fully replace human intuition and expertise, the volume and velocity of tasks, the shortage of skilled resources and rising cost drivers make it an essential element of any SOC.
Attack Surface Management
Another key element of control is attack surface management (ASM). This is the capability to discover, track, classify and monitor assets in your network or used by your employees. These range from laptops and routers to software and cloud services. ASM tools attempt to find the weakest link under the assumption that “if you do not find it, the attacker will.” From data discovery to hunting down rogue devices, attack surface management gives companies the peace of mind that a hardened system doesn’t have any weak spots.
There are many more processes and best practices SOCs can adopt to ensure a strong cyber posture. Yet, the core objective throughout all of them should remain the same: protect, detect and evolve. Protect your business with best-in-class solutions, make sure you're able to detect changing or new risk surfaces and keep evolving competencies in line with these changes. These tenets ensure a strong cyber resilience framework and encourage a mature playbook that provides the flexibility and agility needed to adapt to changing work environments or unforeseen circumstances in a reliable, safe manner.
For more information on the latest security operations trends, download the CyberRes 2021 State of Security Operations report or visit www.CyberResilient.com.