Intelligent CISO Issue 13 - Page 65

monitoring and threat hunting. Automated analysis and ad hoc validation provides not just a way to avoid consultancy fees but to catch problems quickly and respond effectively. Moreover, this can be easily demonstrated to the security illiterate with easily intelligible trending analysis tools. Whether they choose to validate externally or internally, many companies are discovering their own dark spaces, areas of their environment which they can’t see into or analyse. To light up that dark space, these companies are looking to new ranges of network traffic analysis tools which can accurately identify threats, vulnerabilities and attack behaviours and directly integrate that analysis into SOC workflows. Any forward plans must have their sights centred on lighting up that dark space. Plans for the next year must ensure complete coverage and security for the entire enterprise. This includes capability to see into the long neglected East-West corridor of internal traffic and analytics that extend to cloud services, remote sites and encrypted traffic. Getting a better view of your environment Real time analysis of network traffic will give you a full picture of what your environment actually consists of, providing you with a full inventory of assets and putting you most of the way to meeting CIS Control 1: Inventory and Control of Hardware Assets. This allows you to closely monitor and control your most critical assets such as databases or developer workstations, responding quickly when suspicious behaviour is detected. | Issue 13 All of this boils down to richer, more intelligible information and that will make big waves across an entire organisation. That accuracy will vanquish another bugbear of every CISO and SOC – false positives. The average platform supposedly gives out 5,000 alerts a day, wasting the time of experienced security teams as they chase – what are too often – phantom threats. Real time monitoring can provide the accurate, contextualised and relevant analysis required to save time, cut down on false positives and maximise the talent, skill and experience of security teams. Furthermore, such tools can easily replace pricey encryption audits from the outside, by gathering data about the strength and type of encryption being used on the network. That information is available not just in real time but can be published as a regular report. The same goes for monitoring access. When it comes to watching privileged accounts, APIs or sensitive assets, real time monitoring is far more effective than occasional scans. With real-time monitoring, suspicious behaviour can be detected and quarantined almost immediately, extinguishing fires before they even have time to spread. Increasingly, malware is written to avoid conventional detection measures. With that in mind, any monitoring platform must be able to spot attack activities which are traditionally hard to identify. However stealthily a piece of malware is written, they won’t be able to outsmart an SOC which can identify attack behaviours like internal reconnaissance, lateral movement, C&C activity and exfiltration. The SANS Institute considers this lack of visibility to be the number one cloud security issue so obviously, that coverage has to extend to cloud services and third parties. One patch of dark space can be just the thing an adversary needs to do real damage. Deloitte, one of the world’s largest of the ‘big four’ accountancy firms, learnt just that lesson in 2017 when an attacker used an apparently unmonitored cloud-based email platform to hide inside its network for months. From tactics to strategy All of this boils down to richer, more intelligible information and that will make big waves across an entire organisation. That means a clearer idea of what your priorities are and what your next steps should be. It means a faster, more effective response to real threats and not the false positives that dog so many SOCs. In essence, it means a way to more effectively deal with short term threats and a long-term strategic view – for everyone – of how to best secure your organisation. A secure organisation needs buy in all the way from the top. Playing the long game means that decision makers have better strategies for long term security success and a better understanding of how security will enable a business’ true goals. u 65