As a CISO or business director, you do not want to hear that a data breach has occurred. What you want to hear is that an attempted breach was detected but no damage has materialized due to application of active countermeasures. Further, protective measures have been applied to prevent that attack vector in the future.
Sounds simple enough, and a reasonable wish for any business owner, right?
A bit of history first. I vividly recall how we, as the security community, were some 10 to 15 years back preaching the importance of risk-based security management as a critical organizational practice. We needed security management systems based on ISO 27k or some other framework. Many decided to invest, and eventually even certified their organizations against these standards and frameworks.
Ten years back, we preached another topic. This time we said that protective cybersecurity controls simply don't cut it anymore. Firewalls and the antivirus tools of that age were no longer an obstacle for cybercriminals, who had adopted evasive techniques and tactics to circumvent the controls we had been investing millions in. As a solution, security operations, meaning detective and responsive capabilities, were introduced broadly and at scale.
So now, 10 to 15 years later, you would expect to see significant improvement in the security landscape. But no, the same advice is very much relevant today. The mean time to detect a breach is still measured in hundreds of days, and the cost of breaches keeps climbing year over year. At the same time, the Information Security Management System (ISMS) has largely become a dead letter, managed and maintained by the CISO office to keep a certification current, but largely ineffective from a security standpoint.
So what went wrong?
In one word, integration, or rather the lack thereof. Sounds simple enough, but let's elaborate a bit, starting with the ISMS. The practices envisioned and painstakingly documented, reviewed and audited time and time again are very much relevant and important. Still, the controls they describe are not effective in practice. This is largely because the ISMS was created as a separate practice, bolted on top of or to the side of the actual business. Integration would have meant building it into the way an organization conducts its business, not keeping it as a separate set of documents. Workers would then not even distinguish security risk management, or other security work, from any other everyday work. The organization would have a better understanding of its overall risk posture as part of managing overall business risk, and could decide how to manage or mitigate it routinely as part of everyday work. I also claim that the cost of the practice would be lower because of this integration. Sure, upfront investment is required to get there, but once achieved, integrated security becomes a normal part of operations and a cost of doing business, managed like any other cost of doing business.
So let's take the same view on security operations. Again, we as an industry created Security Operations Centers (SOCs) to add detective and responsive capability to the legacy protective capability, but again without integration. We then realized that we need insight to predict threats better and be better prepared, so we introduced Threat Intelligence, Vulnerability Assessment and similar data management practices to drive better-informed decision-making and preparation. The harsh reality is that these still operate largely in silos. In the ever more outsourced IT landscape, a large portion of the security controls come bundled with distinct IT services. You buy a virtual server, and it comes with a number of security controls. You buy an endpoint, and again it comes with a number of security controls. You have a user directory, a cloud service, a network device, you name it, and each comes with security controls, practices and services of its own. But they are standalone and separate from each other, lacking the integration, overall visibility and shared understanding needed to govern and improve the security posture of the organization as a whole.
So now what?
In one word – Fusion.
Borrowed from the language of the intelligence communities, fusion is the process of combining information and knowledge gathered from numerous sources to provide situational awareness, in the form of intelligence products that answer the questions of decision-makers. In the scope of security operations, we expand the concept further: the capabilities of protecting against, detecting and responding to negative security events are integrated into one holistically managed process or discipline that continuously improves the security posture based on that situational awareness.
This is not about technology, but about strategy. It requires integration between services, but also, for instance, managing configurations across the organization and across the services that produce its IT capabilities, so that the controls embedded in each can be managed as a whole. Specific aspects of individual services are then managed across organizational boundaries, under centralized, intelligence-driven direction. By doing this, we effectively fuse situational awareness, which identifies what needs to be done, where, how and by whom, with the protective, detective and responsive capabilities of the whole ecosystem. This is what we at Nixu call Security Fusion.
Future-proof security operations
For your security operations first to close the gap and then to stay on par with emerging cyberthreats, we need to jointly establish a security program that builds and continuously enhances the fusion of all security aspects across organizational boundaries. At Nixu, we are determined to take this journey and invite you to join us and boldly go where nobody has gone before: a fusion of security operations that keeps your business protected.
SVP, Managed Services