By Erez Tadmor, Network Security Evangelist, Tufin
The beginning of the year typically offers a time for reflection: to look back and see what was successful, and what might need some additional attention. This process is of extra significance to those in the cybersecurity industry, where it is critical to learn from both your successes and your mistakes, because they inform your priorities and choices.
One important (and unfortunate) trend we’ve observed is that a large number of organizations still haven’t mastered security fundamentals, which has led to several missed opportunities for improving their operations and protections: improvements that could not only make them more secure but also serve as the foundation for further improvements.
Without that foundation in place, the success of future security initiatives may be in question.
Communication Breakdown
Many organizations still struggle with basic network security tasks, such as protecting against malware and ransomware, securing access to networks and systems, and ensuring data privacy and compliance. But these are just the results of fundamental issues.
To get to the reason that issues like these still persist, you need to peel back the onion a layer. Once you do, you’ll find that the root cause can be summed up by a failure of teams to communicate, collaborate, and synchronize. Neglecting to solve these issues ends up creating more complexity.
In today’s complex and interconnected business environment, effective communication, collaboration, and synchronization are critical to success. However, many organizations still struggle with siloed teams and lack the tools and processes needed to work effectively together.
A lack of collaboration and communication helps to ensure that a siloed situation persists within an organization – and makes it highly likely that a company’s IT teams are unable to ever escape the reactionary approach. Reactive teams only take action when something goes wrong.
This approach may even seem to be effective on the surface – but reactive mode never allows an organization to improve or evolve. Every moment is spent responding to an issue, instead of proactively addressing larger company issues that cause the security issues in the first place.
Reactive mode can lead to costly and inefficient security practices, such as continually bolting on one security solution to another, without ever stopping to think about what a comprehensive strategy should look like.
Teams are unable to holistically prepare for tomorrow because they’re still not able to keep up with what’s happening today. By not synchronizing efforts throughout the entire organization, duplication of effort is common, and it becomes impossible to take any large step forward toward solving larger security issues.
Reliance on Legacy Approaches
The reliance of organizations on static, legacy documentation and the manual processes used to manage it is still a huge problem. These processes simply do not scale, and they help reactiveness thrive.
The other major issue with static documentation is that in this day and age it is almost immediately out of date. Ten years ago, this process might have worked to some degree – even during a response to an attack or incident – but now it doesn’t in the least.
By the time a static document has been created and emailed out, the development team has moved on and already stood up and torn down three new cloud environments. New applications have been developed and launched before the document could be reviewed.
Because development is so fast – and shouldn’t be hindered if you want the company to continue to evolve and succeed – legacy approaches must change or be killed.
Threat Intelligence and Incident Response
Most organizations have improved their incident response procedures in the past few years. There are dedicated teams, dedicated solutions that can assist the process, and a set way of operating during a crisis.
That said, the biggest problem today is not the people, processes or training for incident response, but rather one of the fundamental areas: the information needed to understand a situation or a threat and, consequently, to prioritize it properly. The failure of organizations to address this fundamental issue has caused inefficiencies to persist.
Every enterprise now has dozens of cybersecurity products and protections operating at any one time. Despite this, most are still lacking the ability to quickly acquire the actionable information needed to respond to a security incident in a timely manner. There isn’t a lack of volume, but instead a lack of actionable information.
During an incident, teams need to know where needed data is, how to find it, and how to leverage it to make the decisions that need to be made. Any time wasted locating and translating said data into actionable information is time not spent actively responding to an incident, which leads to greater losses and a greater impact.
Much like a tailored threat intelligence feed that, for instance, only shares threats to the financial services industry, today’s teams need context with their security alerts and data, so they can make proper sense of all of the information that’s coming into them. What’s relevant and why.
While automated solutions can help sift through and highlight specific alerts, what’s necessary to have in place is a fundamental way for the security team to communicate easily with the network operations team, for example.
It should be easy to correlate data from each area, but when there is a siloed approach within an organization it becomes more difficult than one would think to simply communicate in terms the other side will understand.
It has only gotten worse over time. Silos refer to various disparate technologies, including the ones that operate inside the traditional networks, the native network, Kubernetes, SD-WAN, and more, which are not necessarily interconnected.
With different teams in place to manage and control each, there’s now no central repository and everything’s formatted differently, running on different software.
The incident response team now has to become expert in all of those different technologies to be able to understand the raw information and what it means to the company as a whole. Information needs to come in from each team, be correlated, and be understood in the context of the others in order to formulate an accurate response.
Correcting this fundamental problem of information sharing, collaboration and communication isn’t easy, but can go a long way to positively impacting your organization’s security foundation for years to come!
Staffing Shortages Continue
One major theme over the course of the year has been the difficulty organizations have had at finding and retaining quality security talent. These staffing problems have continued to plague the industry – and exacerbate the issues around reactive security approaches.
When there are fewer security team members than necessary, less is able to be accomplished, and teams are forced into the endless cycle of responding to issues as they arise, in order to keep the organization running. There aren’t enough hours in the day to address larger, systemic organizational security issues proactively.
Unfortunately, it does not look like this problem will come to an easy solution any time soon. While last year it was impossible to find and hire talent, the current state of the economy has thrown a wrench into many organizations’ plans. Some talent may have become available recently because of cutbacks and downsizing by large organizations, but these same market forces have made it more difficult for companies to now approve new hires.
The lack of talent will be a problem IT and security teams will need to deal with for the foreseeable future.
Lack of Automation
It simply makes sense that when there are open positions within an IT organization – and the team members who are there are forced to remain in reactive mode – new approaches are needed. One of the most basic is to invest in automating mundane and repetitive tasks.
Automation can remove these tasks from the job description, enabling key security and IT resources to be redeployed to more critical company programs. Programs and initiatives that could one day result in a move from a reactive to a proactive approach.
In the “race to the cloud” that has been hastened these past couple of years due to the pandemic and the need to have the entire business be cloud-enabled immediately, there have been many missed opportunities to review and automate these types of repeatable processes. Now that there isn’t the urgency behind keeping the organization running in an uncertain era, the time is right to restart the automation process.
During times of economic downswings, companies often look internally for ways to improve operations and become more efficient and effective.
Many companies are being forced to focus and reduce investment to only those areas of immediate demand. Security automation supports this, while also improving current employees’ work lives (and making open job descriptions more attractive as well).
Disclaimer: The views and opinions expressed in this guest post are solely those of the author(s) and do not necessarily reflect the official policy or position of The Cyber Express. Any content provided by the author is of their opinion and is not intended to malign any religion, ethnic group, club, organization, company, individual, or anyone or anything.