CISO Insider: Issue 2

Ransomware attackers are targeting your most valuable assets where they feel they can extract the most money from you, be it the most disruptive or valuable if held hostage or most sensitive if released.

Industry is an important determinant of an organization’s risk profile—while manufacturing leaders cite business disruption as the top concern, retail and financial services CISOs prioritize the protection of sensitive personally identifiable information; healthcare organizations, meanwhile, are equally vulnerable on both fronts. In response, security leaders are aggressively shifting their risk profile away from data loss and exposure through the hardening of their perimeters, backups of critical data, redundant systems, and better encryption.

Business disruption is now the focus for many leaders. The business incurs costs even if the interruption is brief. One healthcare CISO recently told me that, operationally, ransomware was no different than a major power outage. While an adequate backup system can help restore the power quickly, you still have downtime that interrupts the business. Another CISO mentioned they’re thinking about how disruption can extend beyond their main corporate network to operational concerns such as pipeline issues or the secondary effect of key suppliers shut down by ransomware.

Tactics for managing disruption include both redundant systems and segmentation to help minimize downtime, allowing the organization to shift traffic to a different part of the network while containing and restoring an affected segment. However, even the most robust backup or disaster recovery processes can’t fully solve the threat of business disruption or data exposure. The flip side of mitigation is prevention.

Many of the CISOs I talk with are taking a palette approach to attack prevention and detection, utilizing layers of vendor solutions that cover vulnerability testing, perimeter testing, automated monitoring, endpoint security, identity protection, etc. For some, this is intentional redundancy, hoping that a layered approach will cover any gaps—like stacks of Swiss cheese, in the hope that the holes won’t line up.

Our experience has shown that this diversity can complicate remediation efforts, potentially creating more risk exposure. As one CISO notes, the downside of assembling multiple solutions is a lack of visibility due to fragmentation: “I do have a best-in-breed approach, which in itself presents certain challenges because then there is a lack of insight into aggregate risks because you have these independent consoles that you’re managing threats, and not having this aggregate view of what is going on in your place.” (Healthcare, 1,100 employees) With attackers weaving a complex web that extends across multiple disparate solutions, it can be hard to get a complete picture of the kill chain, identify the extent of the compromise, and fully root out any malware payloads. Stopping an attack in progress requires the ability to look across multiple vectors to detect, deter, and contain/remediate attacks in real time.

The promise of XDR remains unrealized by most. Many CISOs we talk to have implemented a powerful starting point in EDR. EDR is a proven asset: we have seen that current endpoint detection and response users have a track record of detecting and stopping ransomware faster.

However, because XDR is an evolution of EDR, some CISOs remain skeptical about XDR’s utility. Is XDR just EDR with some point solutions tacked on? Do I really need to use an entirely separate solution? Or will my EDR eventually offer the same capabilities? The current market for XDR solutions adds further confusion as vendors race to add XDR offerings to product portfolios. Some vendors are expanding their EDR tool to incorporate additional threat data while others are more focused on building dedicated XDR platforms. The latter are built from the ground up to deliver out-of-box integration and capabilities centered around the needs of the security analyst, leaving the fewest gaps for your team to have to fill in manually.

Faced with a security talent shortage and the need to respond quickly to contain threats, we have encouraged leaders to employ automation to help free up their people to focus on defending against the worst threats instead of handling mundane tasks like resetting passwords. Interestingly, many of the security leaders I talked to mention that they’re not taking full advantage of automated capabilities yet. In some cases, security leaders aren’t fully aware of the opportunity; others hesitate to embrace automation for fear of losing control, inviting inaccuracy, or sacrificing visibility into threats. The latter is a very legitimate concern. However, we’re seeing the effective automation adopters achieve just the opposite—more control, fewer false positives, less noise, and more actionable insight—by deploying automation alongside the security team to guide and focus the team’s efforts.

Automation covers a range of capabilities, from basic automated administrative tasks to smart machine learning-enabled risk assessment. Most CISOs report adopting the former, event-triggered or rule-based automation, but fewer have taken advantage of built-in artificial intelligence and machine learning capabilities that enable real-time risk-based access decisions. Certainly, automating routine tasks helps free up the security team to focus on the more strategic thinking that humans do best. But it’s in this strategic realm—in triaging incident response, to name one example—that automation has the most potential to empower the security team as a data-crunching, pattern matching, intelligent partner. For example, AI and automation are adept at correlating security signals to support comprehensive detection and response to a breach. About half of security practitioners we recently surveyed say they have to manually correlate signals.¹   This is incredibly time-consuming and makes it almost impossible to respond quickly to contain an attack. With the right application of automation—like the correlation of security signals—attacks can often be detected in near real time.

We’ve found many security teams are under-utilizing the automation built into existing solutions they already use. In many cases, applying automation is as easy (and high-impact!) as configuring available features like replacing fixed-rule access policies with risk-based conditional access policies, creating response playbooks, etc.

CISOs who choose to forgo the opportunities of automation often do so out of distrust, citing concerns about the system making irrecoverable errors while operating without human oversight. Some of the potential scenarios include a system inappropriately deleting user data, inconveniencing an executive who needs access to the system, or worst, lead to a loss of control or visibility about a vulnerability that has been exploited.

But security tends to be a balance between daily small inconvenience weighed against the constant threat of a catastrophic attack. Automation has the potential to serve as an early warning system for such an attack and its inconveniences can be mitigated or eliminated. And besides, automation at its best does not run on its own but alongside human operators, where its artificial intelligence can both inform and be checked by human intelligence.

To help ensure a smooth deployment, we’ve been adding report-only modes to our solutions in order to offer a trial run before rollout. This allows the security team to implement automation at their own pace, finetuning automation rules and monitoring the automated tools’ performance.

The security leaders who are using automation most effectively deploy it alongside their team to fill gaps and serve as a first line of defense. As one CISO recently told me, it’s nearly impossible and prohibitively expensive to have a security team focused everywhere at all times—and even if it were, security teams are prone to frequent turnover. Automation provides a layer of always-on continuity and consistency to support the security team in areas that require this consistency, such as traffic monitoring and early warning systems. Deployed in this supportive capacity, automation helps free the team from manually reviewing logs and systems and allows them to be more proactive. Automation doesn’t replace humans—these are tools that empower your people to prioritize alerts and focus their efforts where it counts most.