In a fast-paced business landscape led by digitization and automation, organizations (still) struggle to improve security by designing a proper cybersecurity framework. The question that often arises is not whether to apply the best security practices and solutions, but HOW to do it.
Unfortunately, there’s no “one size fits all” rule that can apply to all organizations, especially to those with a complex infrastructure. Security-wise, organizations need to identify specific pain points, find their strengths and adopt a more proactive approach when dealing with sophisticated threats.
How they can do that in a more efficient way?
We never miss a chance to learn something new (that’s the spirit of the DefCamp community) and we were curious to learn from Shah what’s the best cybersecurity approach in complex environments.
Shah Sheikh works as a Senior Security Consultant at DTS Solution and he’ll be live on the DefCamp stage, talking about Red, Blue, and Purple Teaming Deep Dive. He is also a cybersecurity adviser for two ICOs (Initial Coin Offering) launched in the Middle East Region.
Let’s see through Shah’s lens what is one key element cybersecurity operations in complex environments are lacking and what can be done to improve it.
Large and complex environments are difficult to manage from a cybersecurity perspective. Due to the inherent nature of the use of the latest technologies, combined with legacy infrastructure, you see a blend of heterogeneous systems, devices, and applications forming the IT environment. Coupled that with the possibility of having a large attack surface in terms of monitoring perimeter boundaries such as the Internet, WAN, 3rd party connections, cloud etc.
Such complex and hybrid environments can generate a huge amount of security telemetry data which needs to be effectively ingested, normalized, parsed and used in terms of threat monitoring and detection.
Shah also highlighted that:
Complex environments or enterprises don’t have a strategy or plans to adopt big data lakes for security visibility and operations. This can be in the form of a SIEM (Security Information and Event Management) that adopts big data architecture, but essentially not monitoring your critical assets and how they work together essentially means not knowing your risk posture.
We often remember one phrase that should be on the walls of every organization: “Prevention is the best cure” and this can be achieved throughout cybersecurity education. Complex organizations need also to implement effective tactics for building a learning process focused on cybersecurity, but it’s a challenging process to figure out what the core components should be.
Here’s what Shah believes about these tactics:
Cybersecurity is not a fixed point solution or an appliance. It is a process, an architecture, it is a form of art and not science. There is no checklist or standard that once implemented guarantees immunity to cyber breaches. The bottom line is that a business needs to do what is tolerant to them from a business perspective, to have the relevant controls and mitigations in place.
The game name is cyber resilience and not cybersecurity anymore. The most effective tactic is building cyber resilience because everyone is vulnerable to a breach.
We need to move away from scaremongering and build strong recovery and resiliency controls.
If cyber resilience is built within the enterprise security framework for any large complex environment, it will set a good benchmark in terms of the investment and risk-averse appetite.
When it comes to protecting their most valuable assets from new and advanced security threats, organizations face lots of challenges. They need to learn to integrate infosec activities (and proactively apple them) with other business units’ workflows.
Regardless of this aspect, we asked Shah to list 3 big challenges he’s been dealt with:
- Lack of understanding or knowledge in cybersecurity, for one, is a major challenge.
- The other major challenge is that cybersecurity is often seen as being a showstopper and afraid to be integrated within security-related processes.
- Finally, I would say the lack of enforcement or endorsement from executive management on the importance of cybersecurity. Cybersecurity culture within an organization is another challenge.
We see these challenges pop up all the time when integrating with critical business workflows such as change management, asset management, vulnerability and patch management, secure DevOps or SDLC etc.
These challenges need to be taken seriously by all organizations out there focused on mitigating the impact of cyber threats. One of the key aspects that Shah will approach in his presentation is about building a next-gen cybersecurity operations center (CSOC 2.0).
That’s why we thought it’s worth asking Shah which sectors have the highest and lowest maturity level in terms of building and maintaining CSOCs and why.
Financial institutes have the best maturity in terms of building and maintaining a CSOC environment (this also depends on the region and the size of the institute). These are pressured and regulated by PCI-DSS, SWIFT, Central Banks etc; and they are also the ones which are highly targeted. Government sectors that are highly targeted have strong CSOC environments, but generally, all government entities that are targeted need to be one step ahead.
In terms of the lowest maturity level, it varies from healthcare to retailers. Entities can always outsource to an MSSP (Managed Security Service Provider) and obtain SOC as a Service but that also requires a certain amount of due diligence.
The CSOC maturity varies and a very good model that has been adopted is SOC-CMM (Capability Maturity Model). But it will take years to be integrated flawlessly and organizations need to have an “appetite for it”. Also, the CSOC model is more suitable for organizations that want to have visibility (either building it in-house or outsourcing it).
The last topic we wanted to approach is one that concerns both organizations and individuals: data breaches. A recent report saying that “45 data breaches led to 4.5 billion data records being compromised worldwide in the first half of 2018, indicates we won’t see these threats stopping anytime soon.
Here’s what Shah advises companies to focus on in order to make significant progress in securing data:
Data breaches will keep happening and we will see this trend evolve in terms of intent and impact level, not just from data leakage but from critical infrastructure damage. More and more systems are having cyber-physical attributes such as street lighting systems, smart metering systems, smart homes, etc.
So how do we prepare for the next wave of cyber threats?
As organizations, you need to build cyber resilience program by conducting a regular risk assessment that is deep technically but also focused on both processes and people. Also, they need to run regular simulations and war-gaming activities and know their readiness and preparedness.
Cybersecurity is important but cyber resilience for businesses is more important because you can never be 100% secure in the world we live in.
We can never be 100% secure in this world, but we are 100% sure we’ll attend DefCamp #9. What about you?
Don’t miss the opportunity to gain more knowledge in cybersecurity and listen to great security experts who will be on DefCamp stage.
Be there on November 8-9!
DefCamp is powered by Orange Romania and it’s organized by the Association “Research Center for Information Security in Romania” (CCSIR).
DefCamp 2018 is sponsored by Ixia, Keysight Business, SecureWorks and Intralinks as Platinum Partners and it’s supported by IPSX, Bit Sentinel, TAD GROUP, Enevo, Crowdstrike, CryptoCoin.pro, Siemens, Alef, UiPath, Atos and Kaspersky Lab.