How to gain an unfair advantage over cyberattackers: “Mission control” cybersecurity

The core mission of every infosec organization is to mitigate threats and risk. Unfortunately, attackers have an unfair advantage by default. They choose when to attack, can fail as many times as they need to get it right, and only have to get it right once to succeed. They can use benign software and tools to hide their intentions and access sophisticated artificial intelligence (AI) and machine learning (ML) tools to evade detection. And monetization of cybercrime has led to sophisticated attacks occurring more frequently. 

The way to outsmart cyber attackers is for every infosec organization to gain an unfair advantage over bad actors by focusing on what they can control, instead of what they can’t. In addition to identifying threats, organizations need to think more holistically about how they can limit their attack surface and streamline their internal security processes to maximize efficacy. The single biggest challenge that most organizations have is with operationalizing security in their environment. To do so effectively requires the orchestration and continual adaptation of people, processes and technology. 

Adding more security products doesn’t solve the problem 

There’s an emphasis on tools in cybersecurity. But having too many tools creates complexity and actually creates gaps that increase vulnerability. This is counterproductive to threat mitigation.

Most organizations cannot afford to employ full-time security operations center (SOC) analysts to handle the alerts generated by the myriad of products in their environment. As a result, infosec’s day-to-day work becomes an endless struggle of filtering through and responding to alerts, which distracts the team from focusing on implementing security processes, policies and controls to improve overall security posture and maturity. 

Some organizations turn to outsourcing to manage the alerts their team contends with daily, but most managed security service providers (MSSPs) simply field alerts and pass them on to the infosec team without adding much value. They become an intermediary between the tools and the infosec team. The burden of investigating the alert, determining whether it’s a false positive or not, and deciding how to best respond if it’s a real incident all fall on the shoulders of the infosec team.

Managed detection and response (MDR) vendors offer more support with alert triage and investigation, but most do not take the time to understand their customers’ environments deeply. They leverage threat detection technology to identify threats, but because of their lack of environmental understanding, they are unable to offer guidance to their customers about the optimal response to a given incident. Most MDR providers also do little to recommend best practice guidance for reducing an organization’s attack surface or advise on how to reduce risk by streamlining internal processes, the practices that help improve an organization’s security maturity over time. 

Taking a smart approach to outsourcing cybersecurity 

In a Dimensional Research study, 79% of security professionals said working with multiple vendors presents significant challenges. Sixty-nine percent agree that prioritizing vendor consolidation to reduce the number of tools in their environment would lead to better security.

Security maturity must be prioritized by instituting a framework of continuous assessment and prevention, in addition to detection and response in a 24×7 model, with deeper dives led by the SOC engineer. The optimal managed detection and response (MDR) service provider, a unified platform of people, process and technology that owns the end-to-end success of mitigating threats and reducing risk, should increase security maturity using assessment, prevention, detection and response practices. A root cause analysis (RCA) should be conducted to determine the cause of an attack, informing preventative methods for the future. 

The Third Annual State of Cyber Resilience Report from Accenturefound that more mature security processes lead to a four times improvement in the speed of finding and stopping breaches, a three times improvement in fixing breaches and a two times improvement in reducing their impact.

How organizations can effectively gain a security advantage over attackers 

The one advantage a defender has is the ability to know its environment better than any attacker could. This is commonly referred to as home-field advantage. Yet most organizations struggle to leverage this due to the following reasons:  

• Digital transformation has led to the attack surface expanding rapidly (for example with work-from-home models, bring your own device, migration to cloud and SaaS). It’s difficult for infosec teams to get consistent visibility and control across the increasing number of attack entry points. 

• Modern IT environments are constantly changing to accommodate the next business innovation (i.e., new apps). It is a challenge for infosec teams to keep up with all the changes and adapt the security posture without grinding IT operations to a halt. 

• IT and infosec teams typically operate in their respective silos without sharing information productively. This lack of communication, coupled with the fact that IT and infosec use different tools to manage the environment, contributes to the above-mentioned challenges. This is compounded by the fact that often it is IT who has to act to respond to a detected threat (i.e., remove a workload from the network). 

Be like NASA

The crux of the problem is that most organizations struggle to operationalize their security efforts. An MDR service provider can help with that. But the MDR service provider needs to go beyond detection and response to operate like NASA’s Mission Control – with everything focused on the outcome and embracing five key factors: 

The first is having a mission in service of the outcome. It’s easy to get bogged down in the details and tactics, but it all needs to tie back to that higher-level objective which is the end result – to minimize risk.  

The second step is to gain visibility into your potential attack surfaces.  One cannot secure what one does not understand, so knowing the environment is the next step. With each organization, there are different points where an unauthorized user can try to enter or extract data (attack surfaces). An analyst needs to be keenly aware of where these points are to create a strategic protection plan aimed at decreasing them. The analyst must also be familiar with where critical assets are located and what is considered normal (versus abnormal) activity for that specific organization to flag suspicious activity. 

The third step is collaboration. Protecting an organization, mitigating threats and reducing risk takes active collaboration between many teams. Security needs to keep on top of vulnerabilities, working with IT to get them patched. IT needs to enable the business, working with security to ensure users and resources are safe. But to deliver on the mission, it takes executives to prioritize efforts. It takes finance to allocate budgets and third parties to deliver specialized incident response (IR) services. 

Next, there needs to be a system. This entails developing a process that ties everything together to achieve the end result, knowing exactly where people and technology fit in and implementing tools strategically as the final piece of the puzzle. As mentioned earlier, too many tools is a big part of the reason organizations find themselves in firefighting mode. Cloud providers are helping by providing built-in capabilities as part of their IaaS and PaaS offerings. Wherever possible, organizations and their cybersecurity service providers should leverage the built-in security capabilities of their infrastructure (i.e., Microsoft Defender, Azure Firewall, Active Directory), lessening the need for excess tools. Infosec teams need to start thinking about how to develop systems that allow them to focus on only the most important incidents. 

The final step is measurements, which should not only consist of backward-facing metrics, but predictive ones indicating preparedness to defend against future attacks. To measure the effectiveness of security posture, the scope of measurement should go beyond mean-time-to-detect and mean-time-to-respond (MTTD/MTTR) to include metrics like how many critical assets are not covered with EDR technologies and how long it takes to identify and patch critical systems. These metrics require a deep understanding of the attack surface and the organization’s operational realities.  

For most organizations, executing cybersecurity strategies is difficult due to a lack of resources and time. This is where an MDR provider can be a game changer, arming an organization with the technology, people and processes to transform its security posture and become a formidable adversary to any potential attacker. 

Dave Martin is vice president of extended detection and response at Open Systems.