By Christina Richmond, Chief Strategy and Growth Officer, Inspira Enterprise
As cyber risks continue to grow and evolve (here’s looking at you, generative AI), more and more vulnerabilities are being created, which means cybersecurity professionals must constantly adapt their strategies and tactics. A big part of the security equation involves continuous monitoring and, above all, greater visibility.
Visibility is essentially the elephant in the room. Almost every IT leader today knows they need more of it, but they’re still struggling to obtain a broader view. And what’s more, while visibility is extremely important, it’s not enough. Countless vendors tout their ability to expand organizations’ visibility of their networks, of their systems and of their security tools. But you can’t stop there; it’s what you do with the visibility you’ve achieved that really matters. The bottom line? This challenge won’t be solved by humans alone.
The constant need for more visibility
To truly get a handle on cybersecurity, you need the ability to see the full picture of your networks, your tools and so on. This will enable you to see where things are broken, where things aren’t implemented properly and where your management is accepting risk that probably isn’t acceptable. Therefore, you need to harden more of your data and your identities and lock down access. Many times, when companies accept a lot of risk, they aren’t taking these steps.
And what’s more, despite all the conversations about visibility, it remains a significant problem. Survey after survey finds that organizations are still struggling to get control over their assets. The explosion of endpoints and the growth of a more distributed enterprise are among the many factors contributing to this situation.
You can’t protect what you can’t see. You must know what you have, and you must see the traffic and the output from all your security tools. But even if you can gain this visibility, it’s going to quickly overwhelm your staff – and it’s not enough by itself.
Going a step beyond visibility
Gaining more visibility is a double-edged sword. There’s the positive side of being able to see more of your network, but the downside is it can quickly lead to alert fatigue amongst your analysts tasked with monitoring it. Having too many alerts is always going to leave you a few paces behind – and it can lead to significant burnout. In fact, SOC analysts statistically have high rates of burnout, driven largely by alert overload. According to the Ponemon Institute, 65% of SOC professionals have considered quitting their jobs due to stress.
There are simply too many alerts for humans alone to handle; it’s no longer realistic to assume they can. To make the most of expanded visibility you need a better way to monitor it, which is where automation can play a key role. You also need remediation and response capabilities. Organizations need to take visibility one step further, but they are not going to be able to do it with their human staff alone. They must add appropriate technologies to partner with people.
This brings up the inevitable question of whether automation is safe or will open up your organization to new risks. A parallel to this scenario is the rise of cloud computing. In the beginning, there was a great deal of concern about security in cloud computing, but now most people think the cloud is more secure. The reality is that automation is quickly becoming a necessity for security, and if you don’t use it, you won’t succeed. Organizations need to get comfortable with automating some remediation and response via security technologies, because they will not be able to successfully hand these massive tasks off to their humans. Attackers are using automation more and more, so organizations need to fight fire with fire.
A quick caveat, though: you can’t automate all remediations across all environments. Start with lower-priority devices, data and networks. Once you’ve got those working well, see where else automation is feasible.
Best practices for using automation to help go beyond visibility
Gathering threat intelligence isn’t enough; it’s how the intelligence is correlated that truly makes the difference. Automation and machine learning can assist with ingestion, correlation and resulting output that provides visibility into threats that may have been previously unknown. This analysis must be able to scale to the volume of threats that exist today, which cannot be done manually. With correlation to other data sets, and with detection technologies, a threat can be discovered.
Security orchestration, automation, and response (SOAR) technologies can help prescribe a course of action when an anomaly is discovered. Previously burdened with time-consuming and repetitive duties, SOC teams are freed to resolve problems more quickly. This lowers expenses, increases productivity and fills in coverage gaps.
It’s also important to streamline processes so the information that comes from greater visibility is used rather than bogged down in slow processes. Using AI, ML and automation will simplify ingestion, analysis and recommended remediation steps, which will reduce the process slow-down.
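The correlation and tiered-response loop described in this section, as an added example that is not from the article or from Inspira Enterprise: alerts from several constructed tools are grouped per host into incidents, scored by how many independent sources corroborate them and whether a constructed threat-intel feed matches, and only well-corroborated incidents on low-priority assets (the starting point the caveat above recommends) are handed to automated containment; everything else is queued for an analyst. All hosts, indicators, asset tiers, the 5-minute window and the scoring threshold are constructed assumptions, not values from the article.

```python
"""Toy alert-correlation and tiered-playbook engine (added example, not from the article).

Constructed assumptions: alerts are dicts with 'ts' (epoch seconds), 'host',
'source' tool, 'signal' and an optional 'indicator'; an asset inventory maps
host -> tier; threat intel is a set of known-bad indicators. All sample data
below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed asset inventory: which hosts are low-priority enough to automate on.
ASSET_TIERS = {
    "lab-vm-07": "low",
    "kiosk-12": "low",
    "db-prod-01": "high",
    "hr-laptop-33": "medium",
}

# Constructed threat-intel feed (TEST-NET-3 address and a reserved .example name).
KNOWN_BAD = {"203.0.113.77", "bad-updates.example"}

# Constructed alert stream from three different tools (EDR, web proxy, IDS).
SAMPLE_ALERTS = [
    {"ts": 1000, "host": "lab-vm-07", "source": "edr", "signal": "suspicious_powershell", "indicator": None},
    {"ts": 1030, "host": "lab-vm-07", "source": "proxy", "signal": "outbound_connection", "indicator": "203.0.113.77"},
    {"ts": 1045, "host": "lab-vm-07", "source": "ids", "signal": "beacon_pattern", "indicator": "203.0.113.77"},
    {"ts": 1100, "host": "db-prod-01", "source": "edr", "signal": "suspicious_powershell", "indicator": None},
    {"ts": 1120, "host": "db-prod-01", "source": "proxy", "signal": "outbound_connection", "indicator": "203.0.113.77"},
    {"ts": 5000, "host": "kiosk-12", "source": "edr", "signal": "usb_mass_storage", "indicator": None},
    {"ts": 5100, "host": "hr-laptop-33", "source": "proxy", "signal": "outbound_connection", "indicator": "cdn.example"},
]

WINDOW_SECONDS = 300  # alerts on the same host within 5 minutes form one incident


@dataclass
class Incident:
    host: str
    tier: str
    alerts: list = field(default_factory=list)

    @property
    def sources(self):
        # Distinct tools that contributed alerts; independent corroboration.
        return sorted({a["source"] for a in self.alerts})

    @property
    def intel_hits(self):
        return sorted({a["indicator"] for a in self.alerts if a["indicator"] in KNOWN_BAD})

    def score(self):
        # Constructed scoring: one point per corroborating tool, +2 for an intel match.
        return len(self.sources) + (2 if self.intel_hits else 0)


def correlate(alerts, window=WINDOW_SECONDS):
    """Group alerts per host into incidents; a gap larger than `window` starts a new one."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_host[a["host"]].append(a)
    incidents = []
    for host, host_alerts in by_host.items():
        current = None
        for a in host_alerts:
            if current is None or a["ts"] - current.alerts[-1]["ts"] > window:
                current = Incident(host=host, tier=ASSET_TIERS.get(host, "unknown"))
                incidents.append(current)
            current.alerts.append(a)
    return incidents


def prescribe(incident, auto_threshold=3):
    """Tiered playbook: automate only on low-priority assets with strong corroboration."""
    if incident.score() >= auto_threshold:
        if incident.tier == "low":
            return "auto_contain"           # e.g. isolate via EDR, then open a review ticket
        return "escalate_high_priority"     # a human decides on production or sensitive assets
    return "analyst_triage"                 # single weak signal: enrich and queue, no automation


def run(alerts=SAMPLE_ALERTS):
    """Return (host, tier, alert_count, sources, score, action) for each incident."""
    return [
        (i.host, i.tier, len(i.alerts), i.sources, i.score(), prescribe(i))
        for i in correlate(alerts)
    ]


if __name__ == "__main__":
    for row in run():
        print(row)
```

Seven raw alerts collapse into four incidents, so the analyst queue sees the corroborated picture rather than every tool's output; the same score triggers automation on the lab VM but only an escalation on the production database, which is how the "start with lower-priority devices" caveat becomes policy rather than advice.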
Information plus automation
Once you can see all that you need to see across your IT environment, you quickly realize that a humans-only approach to cybersecurity is no longer viable. Taking visibility to the next level isn’t going to be done with humans alone; it’s simply too big a task. Automation and machine learning are ideal for this scenario. Use the best practices noted above to maximize the value of the information visibility provides and optimize your cybersecurity stance.
About the Author
Christina Richmond is the Chief Strategy and Growth Officer for Inspira Enterprise, a global cybersecurity risk management and digital transformation service provider across the Americas, Asia Pacific, Middle East, India and Africa regions. She is a long-time cybersecurity advisor and recognized luminary in the industry. For nearly a decade, Christina was a well-known industry analyst and led the global security services research practice at IDC.