As cybersecurity continues to become more complex and harder to manage, the role of security operations in organizations is also shifting across the board. Long gone are the days when firewalls or intrusion detection systems (IDS) could keep adversaries outside the perimeter. Instead, we are seeing increases in both the size and frequency of attacks, leading to more pronounced impacts on the business.
There are two primary factors driving this change. To be successful today, modern security operations teams need to understand these drivers and evolve their processes, procedures and tools to meet these new challenges.
The first driver has little to do with security as we think about it today. The modern IT organization is being required to deliver more business value at higher velocity with reduced costs. The most recent RightScale State of the Cloud Report states that 85 percent of enterprises now rely on multiple clouds. This trend makes perfect sense as IT organizations reach for the best tools possible to meet their goals. However, the diversity of platforms and tools has driven more complexity into security operations than those teams were designed or resourced to handle. In my experience, most organizations have difficulty understanding where their data resides in the suite of platforms in use, let alone how that data is being protected.
The second driver is directly related to the security landscape. Over the past five years, we’ve seen the results of the investments adversaries have made in expertise. Modern attacks performed by advanced persistent threat (APT) groups rarely use sophisticated methods like zero-day attacks. Instead, these groups are characterized by the “persistent” component of their moniker. A consistent set of attacks, powered by cybersecurity expertise, is capable of breaching most organizations that rely on traditional prevention or deterrence techniques.
Given these drivers, security operations must adapt to be successful. To handle the move to multi-cloud, teams must understand and support the business in its use of these services. This means having people in the security operation who know these platforms, and being willing to tailor tooling and interaction models to the underlying technology and the teams using it. As always, this approach requires new skill sets, approaches and tools, which will consume additional resources.
Most organizations I see have, on average, zero to six people on their security team, with their time monopolized by compliance-driven tasks like vulnerability management and patching. While these goals are important, defending against modern adversaries requires security operations teams to assume that a compromise will occur and to actively hunt adversaries in the environment. This is a 24/7 job and requires significant security expertise and focus. Highly capable security operators who can successfully perform active cyber-hunting missions will not be fulfilled or retained by vulnerability management work. Specializing the security operation will grant increased capabilities, but it can consume more of security’s limited budget.
Most organizations shouldn’t dedicate the resources to build these types of operations. Building a modern security operation capable of defending against advanced threats across multiple clouds will cost a minimum of $3 million to $5 million per year. Instead, internal resources should be focused on the business, working closely with stakeholders to ensure the integration of security into day-to-day business operations. Security organizations should look to outsource operations to providers capable not only of deploying tools and responding to their alerts, but of performing cyber-hunting missions and actually responding to adversaries. If your partner isn’t actually evicting the adversary from the environment, then your business will stay at risk until someone does.
Once you’ve found a partner for 24/7 security operations, it’s time to tackle the other areas of security, including compliance, data protection, identity and application security.