By Lloyd McCoy Jr.
Manager of Market Intelligence
immixGroup, an Arrow company
This four-part series is a summary of a presentation from Lloyd McCoy Jr. as part of Arrow’s 2017 Security Symposium, held May 3-5 at the Omni Fort Worth Hotel in Fort Worth, Texas.
In the first part of this series, we took a big picture look at the cybersecurity market. In the second part, we looked at what’s driving this demand. In the third, we explored how security is changing.
In the last part of this series, let’s focus on the cybersecurity framework. The main objective of the framework is to provide a set of industry standards and best practices to help organizations manage security risks. Although the framework is voluntary, many private and public sector organizations have adopted it.
NIST is the National Institute of Standards and Technology, a government organization whose mission is to roll out standards to government agencies and the private sector. NIST is the body that defined this framework. It’s geared toward the private sector so that companies have an effective approach to risk management. Now, while the framework is not the perfect solution for addressing cyber threats, it does provide organizations and industry at large with a common language and a basis against which they can assess and continually improve their programs. The framework is high-level enough that it is applicable to vendors and customers across the board: it establishes a common vocabulary for security risk, helps facilitate conversations between OEMs, partners and customers, and helps organizations determine their current risk posture.
Ultimately, if followed correctly, the framework sets up a solid security foundation that guides organizations toward making sure they are hitting all the bases. There are strong indications that the framework is here to stay and will continue influencing more and more companies’ decisions on where they need to invest the most.
The framework’s five functions
Let’s go through each section and tease out the trends and where the opportunities are for you from a customer perspective.
Do you know where your data is? Most conversations related to the identify function probably start with some variation of that question. This is where the risk management, risk assessment and asset prioritization parts of the framework live.
Customers need help from YOU, vendors and partners, in figuring out the delta between “what can I fix” and “what will make the biggest difference,” and they must balance it all against the time and resources that they’re working with. The answer is a risk-based approach.
It’s based on the idea that cybersecurity should be predicated on first protecting those assets that, if destroyed, could bring down the business. Discovery, monitoring and all the other hot areas in the security market require a risk assessment to identify where the vulnerabilities are. A great way to engender trust with your customer is to have conversations about their risk posture and the policies they have in place, rather than coming in guns blazing and pushing product at them.
Ninety-nine percent of the threats out there hit known flaws. Hackers are taking advantage of basic vulnerabilities. This makes vulnerability assessment a critical first step to protecting data. So much of the vendor language is threat detection, threat detection, threat detection… it’s good to go back to the basics and start every conversation with a client with a discussion around risk assessment.
Reach out to me if you want to learn about a true business differentiator – the merging of risk assessment with threat intelligence and analytics.
Identifying vulnerabilities is important, but at some point you have to protect against the bad things that might be trying to breach your network. This is where the protect or prevent function of the framework comes into play. Encryption, antivirus, access management and data protection all fall under this category.
Hackers are getting better at what they do and, of course, ransomware is driving interest in data protection as well. But it’s not just cyber attacks that you can use as a value prop; data analytics projects related to Smart City initiatives and the healthcare and insurance industries are spawning big-time privacy concerns. There are opportunities for industry here as more and more companies want to show that they see privacy as a business priority. So we can say to them, “Hey, I can help you provide value to your consumers by providing a layer of protection over the impact of these big data initiatives.” That’s going to resonate.
Now, detection and response tools are critically important, but customer conversations will have traction if you can focus on how you can identify the attack and prevent it from taking place from the start. Customers are STILL drawn to solutions that help keep them to the left of an infection and can limit the number of alerts that responders are required to investigate.
The next function is detection. Obviously, visibility and monitoring of what’s happening on the network are the core elements here. One of the lessons driven home after the big OPM breach in 2015 was the amount of time it takes for a threat to be detected. According to a 2015 report by Mandiant, the average lag time is a shocking 205 days.
It’s not getting easier. As the amount of encrypted traffic increases on the network, the visibility into that traffic decreases. Also, visibility and control over sensitive data are fading because of an increasingly mobile and remote workforce, the rapid growth of the Internet of Things, and cloud services adoption. Vendors will be required to address these challenges with innovative approaches to both product performance and policy management.
With that said, while cloud-based storage of logs introduces data privacy and potential regulatory issues, this will be the desired approach for most buyers. While there are some holdout industries and geographies that prefer on-premises deployments, most customers are becoming much more accepting of cloud.
IoT presents unique challenges for customers, and thus opportunities for vendors and partners, when it comes to detection. Customers will have a leg up if they can navigate a world of wireless networks where 99 percent of them are not Wi-Fi. It may be cellular, microwave or something unfamiliar. Effective security providers are the ones who can show their customers where and how they’re connected to their networks and make sure sensor data traversing one network has the right set of policies as it travels to another. Mobility in general applies as well. Customers need visibility into the devices inside their network and the adjacent networks those devices are using.
Lastly, managed security, managed security, managed security. Many companies don’t have the resources to wade through reams of data looking for threats and figuring out how to respond to them. Vendors and partners absolutely need to offer these services to stay competitive.
Now, most of us have reached the conclusion that it’s impossible to prevent everything. A dedicated, focused, well-financed threat actor will achieve some level of penetration. Better and more effective detection and response will help deal with this reality.
One of the biggest value props you can bring to the table is cutting response times. This overlaps with risk management and detection, but it’s true that responding to a threat in ten hours versus in ten minutes can make a huge difference in terms of costs, and not just direct costs either. As attacks take longer to respond to, notification is delayed, forensics investigations are hampered, public opinion declines and regulators take harsh actions. Most breaches that occur can be defended. It’s just that the sheer number of alerts is daunting for incident response teams and impossible to manage without leveraging threat intelligence and behavioral analytics to provide a complete picture of the most urgent risks. IT modernization, namely cloud and IoT, is only going to compound the problem. We need to carry the message on how we are going to improve the ability of our customers to react to events in a timely manner.
(To hear a few other things that are high on the customer wish list, contact me.)
Managed response services, as I alluded to in the previous section, are a must, as they remove the burden from clients of having to figure out what method or device to use to respond to a threat. Features customers are looking for from MSSPs include:
- 24/7 monitoring and alerting
- Remote response services
- Monitoring of ingress-egress perimeter traffic
- Monitoring of lateral movement
- Incident response in public and private cloud environments
Speaking of cloud environments, customers will need advice and counseling from us on how they implement SaaS-based response solutions. In many cases, they will need to retool how they respond to alerts and how they address infections. And it may require some organizational or process changes. A system administrator may need to look at the management console for the endpoint security solution. At one time, he or she was dispensing or refreshing laptops but may now be at the controls, monitoring for alerts and doing the lower-level investigation of alerts.
Lastly, elevated levels of noise and non-signature based attacks can be mitigated if vendors get out in front by offering:
- Higher levels of automation to reduce the workload on overtaxed incident responders and reduce the time between detection and response
- Real-time, risk-based prioritization to quickly focus the SOC analyst on the events that represent the most risk to the organization
- Better-guided investigations, including identifying next steps, information about the attack and pre-correlating multiple alerts into an incident
- Proactive configuration and security analysis to reduce the attack surface and infection rate
The last function, recovery, is all about maintaining plans for resilience and restoring any capabilities or services impaired due to an incident. It also means making sure the vulnerabilities and bad configurations are patched up so the bad guys can’t get back in or move elsewhere in the network. The secret sauce here—and what vendors and their partners should be messaging—is TIMELY recovery to normal operations to reduce the impact from that incident, restoring normal functions with as little disruption as possible.
Understanding the customer’s business is key here, probably more so than for any other function except risk management. A vendor will stand out if they have deep knowledge of the business workflows, because resilience must involve not just the IT teams and CIO office, but the business units as well. I’ve used the term resilience. Think of recovery as event-specific: a breach is found and steps are taken to patch it up. Customers in both private and public sectors are increasingly viewing resilience as a long-term strategy and something to be included in any business plan. In fact, perhaps the term cybersecurity should be replaced by, “We’re making an organization more resilient, more adaptive to change.”
Now, in a world where ransomware is on the rise, the first rule is you need a backup. Backup remains the best protection against data loss in case of a ransomware infection. I thought it was worth mentioning that 15 percent of the data that our customers have is actual data that’s required to be stored. Thirty-three percent of it is likely to be redundant or trivial, and the remaining 52 percent of it is data organizations simply don’t need. So, just by helping your customers with their data classification and risk management, you reduce the attack surface.
Lastly, remediation is the least mature of these functions, and many enterprise organizations re-image machines for all but the most simplistic threats. This approach is expensive and disruptive. Leading solutions should have enough detailed event history to outline repair actions that roll back the malicious activity, and should offer guided remediation and on-the-ground breach investigation assistance.
To sum it all up, this framework is a vehicle that you can use to help drive your solution home into the customer’s mind. Companies are increasingly turning to standards like these, and effective security requires ALL five functions of this framework.
It’s also important to remember that security isn’t a destination, it’s a process. The adversary is going to continue to find new ways to attack and the race to keep up with new threats will continue to drive security spending. Whether it be IoT, exotic forms of edge computing, next-gen cloud platforms, quantum computing or whatever other technologies are realized, there will always be people, groups and nations looking to see how they can be exploited. And so, cybersecurity must keep pace with innovations.
From understanding vulnerabilities to cleaning up or recovering after an inevitable mess, cybersecurity is a multi-dimensional puzzle – one that will require security experts to become more like intelligence officers. Being able to leverage historical analytics with real-time data in an automated manner in order to react to the threats out there is the new status quo.
Lastly, cybersecurity is not just an IT issue. It involves being embedded in business processes throughout an organization, and for vendors it means becoming a trusted advisor rather than a salesperson. This translates into opportunities to shape the customer’s detection and incident response, not to mention guided remediation practices for when that successful attack does occur.