5 Core Security Functions to OperationalizeAdd bookmark
Effective cybersecurity depends on three things: people, technologies, and processes. If even one of these pillars is lacking, all the investment in the world in the other two won't keep your organization safe. Unfortunately, too many businesses approach cybersecurity on an ad-hoc basis. They focus on putting out tactical fires—without building a strategic operation that can suppress these fires before they really ignite.
Even when they've made massive investments in people, technologies, and processes across business units or functions, they often aren’t able to bring them together holistically in ways that protect the entire enterprise. As a result, a security breach is just as often due to an organizational failure as it is the failure of a person, technology, or process.
By operationalizing your core security functions, you can understand and define how your tools, teams, and processes should work together in harmony to ensure your security operations center (SOC) runs efficiently, effectively, and swiftly.
Here are the five core security functions every enterprise should seek to operationalize:
You can't fight what you can't see. That's why monitoring should be the foundation of every SOC. At the same time, it's almost impossible for most security teams to see everything at once. There are simply too many data flows and devices for any internal team to monitor to guarantee 100 percent visibility at all times.
When creating your monitoring strategy, define the mission-critical data flows to your business, along with the high-value assets and employee groups that most impact your operations. In doing so, you can focus your attention on what matters most while building up your monitoring capabilities to incorporate less-critical elements down the road.
Also, remember that attacks don't always take place during business hours. Define your plan for delivering 24x7 coverage by: (1) either ensuring adequate internal staffing; (2) outsourcing monitoring completely to a third party; or (3) using a hybrid approach with a third party covering the evenings and weekends.
Finally, define the KPIs you'll use to measure the effectiveness of your strategies, such as percentage of coverage, time to ticket, or remediation times. By using consistent KPIs from day one, you'll be able to measure progress over time and steer future investments to where they can make the most impact.
Once monitoring is in place, you must be able to respond to the information you receive. However, the last thing you want to do is reinvent your response every time there's an incident.
Create an incident response plan that defines team roles, how you classify incidents, and your methods for managing threats, remediation, and recovery. Don't just define the steps themselves, but also how quickly each step should be completed. This will help ensure the plan is executed in an effective timeframe in the case of a fast-moving attack.
It can be daunting to create a plan from scratch. Instead, focus on the issues that occur most often, document your workflows, and update your plan as you go. Your plan should also outline your external partners so you can ensure that any third-party vendors or contractors have the same security expectations and requirements as you do.
In addition, don't make the mistake of creating a plan and then leaving it on the shelf until you need it. Test the plan regularly to make certain everyone knows their roles and is prepared when the time comes. This will also help you identify and repair gaps in your plan before it’s too late and you only discover the plan’s shortcomings in response to a real-world breach.
- Vulnerability Management
This is the bread and butter of cybersecurity. The more effective you are at patching, the better protected the entire network ultimately becomes. But it can be tempting to put patching off for another day when there's a fire-drill task to handle, and it's easy to overlook patches for every last app and device in the enterprise.
To ensure effective patching, create a vulnerability management strategy that defines your entire patching process, including what you scan and how often, and sets a regular schedule for deploying patches. Some legacy systems can be more difficult to patch than modern systems, but that doesn't mean you can exclude them. Instead, patch what you can while keeping careful track of what you're missing so you can follow up later.
Deploying patches is just the first step. Create a plan that defines your method for validating that patches were applied to each device so you can be sure the vulnerability is eliminated completely from your network. In addition, define your strategy for testing the effectiveness of the patch to verify it doesn't create new issues that will compromise your system.
- Threat Intelligence
Threat intelligence can help you understand your risk of an attack from potential and current threats. However, there are far more indicators of threats than there are actual specific threats to your organization. You need to learn how to filter your threat intelligence so you don't waste time chasing down false positives on the one hand or treat intelligence as noise on the other.
Begin by understanding the specific threats that impact your industry, along with the types of adversaries your industry most often faces. For example, a bank will be more concerned about protecting customer account numbers from criminal networks, while a pharmaceutical company would be more worried about protecting IP from competitors or foreign governments.
Once you have this understanding, you can tailor your efforts to disrupt common industry-specific attacker patterns, while shoring up your defense where it’s most needed. This can also help your team see the full scope of a sophisticated attack to better tailor an appropriate response.
- Threat Hunting
It is difficult enough to protect your network from known issues, let alone go hunting for unknown security threats. As a result, the operationalization of threat hunting should come only when the first four functions are fairly mature within your organization. As you begin to incorporate hunting into your cybersecurity efforts, start small and build it up over time as you continue to grow your other functions.
To avoid a wild goose chase, make sure you document every step of each threat hunt so you can review what worked, ensure consistency, and identify opportunities for automation.
Learn More About the Foundation for Modern Security Operations
A security operations provider can help you operationalize security across these five functions by providing the 24x7 monitoring, detection, and response, as well as the risk management capabilities you need to scale security.
To learn more about the capabilities you need for effective security operations, watch the on-demand webinar 5 Must-Have Capabilities for Modern Security Operations.