Digital transformation is providing government agencies a unique opportunity to rethink how technology, people and processes can be used to fundamentally change mission performance. Integration of business systems, information technology, and operational technology will fundamentally transform the effectiveness and efficiency of agency operations.
This digital transformation must be underpinned by a corresponding transformation in cybersecurity, moving past the historical status quo of unmanageable legacy systems and point solutions aimed at detecting and responding to cyber incidents (i.e., “reactive” cybersecurity), to an integrated data-driven approach aimed at predicting and preventing cyber threats (i.e., “proactive” cybersecurity).
Shifting cybersecurity from a reactive to a proactive posture requires:
- an integrated approach that can operate across the full spectrum of prevention, detection, hunting, and response;
- a deep understanding of the cyber terrain that is being defended;
- robust threat intelligence to alert defenders to the emerging and evolving threats most likely to impact their networks and systems;
- advanced analytics and machine learning technologies to, for example, stitch together seemingly unrelated events occurring across the enterprise to produce high confidence and actionable alerts;
- retrospective analysis of how threats originally manifested within the environment; and
- automation and orchestration to improve the efficiency and speed with which security staff are able to maintain a secure environment, investigate anomalies, and respond to cyber incidents.
Security Operations Centers (SOCs) are overwhelmed by the sheer volume of alerts lacking context and the number of investigations demanding their attention. Security analysts are often presented with more alerts than are humanly possible to triage and investigate, granting adversaries more time to evade detection because of the time required by SOCs to detect and respond. This pain point was evident in Fidelis’ latest State of Threat Detection 2019 survey, which identified a lack of time and skills as the leading barriers to establishing effective threat intelligence and threat hunting. These problems are further exacerbated by a widening skills gap as organizations struggle to build an adequate bench of expertise. More data is not necessarily a good thing. The focus should be on zeroing in on the right data, with advanced analytics in place to process that data and make it actionable.
A huge challenge for many organizations is having the skilled resources to sort through separate reporting tools and management consoles to try to get the full picture of what is happening. This is the reason complex and sophisticated attackers can remain inside a network for months without detection. Security teams need to shift focus from alert triage to reducing dwell time, stopping attacks before data is stolen or operations are disrupted. Security software must automate and enhance the process of alert triage, attack verification, and manual response in order to detect an attack in progress, automate the response, and lay the foundation for a more proactive and predictive cyber defense.
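As an added illustration of the "stitching together seemingly unrelated events" idea above (example code written for this page, not a Fidelis product or the article's own material), the script below runs a small correlation rule over constructed log events: a single failed login, a new admin tool, or a large outbound transfer is noise on its own, but the same source hitting the same host with all of them in order inside a 30-minute window is promoted to one high-confidence alert, scored and ranked so an analyst sees the chain rather than six separate tickets. Event field names, the stage names in CHAIN, and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(ts, src, host, typ, user="jdoe"):
    return {"ts": ts, "src": src, "host": host, "type": typ, "user": user}

EVENTS = [  # constructed sample telemetry, not real data
    ev("2019-08-01T09:00:00", "10.1.1.7", "fs01", "auth_fail"),
    ev("2019-08-01T09:00:04", "10.1.1.7", "fs01", "auth_fail"),
    ev("2019-08-01T09:00:09", "10.1.1.7", "fs01", "auth_fail"),
    ev("2019-08-01T09:01:00", "10.1.1.7", "fs01", "auth_success"),
    ev("2019-08-01T09:05:00", "10.1.1.7", "fs01", "new_admin_tool"),
    ev("2019-08-01T09:20:00", "10.1.1.7", "fs01", "large_egress"),
    ev("2019-08-01T09:10:00", "10.1.1.3", "ws05", "auth_fail", "asmith"),
    ev("2019-08-01T09:10:03", "10.1.1.3", "ws05", "auth_fail", "asmith"),
    ev("2019-08-01T09:10:07", "10.1.1.3", "ws05", "auth_fail", "asmith"),
    ev("2019-08-01T09:11:00", "10.1.1.3", "ws05", "auth_success", "asmith"),
    ev("2019-08-01T09:12:00", "10.1.1.9", "db02", "auth_fail", "svc_db"),  # one typo
    ev("2019-08-01T02:00:00", "10.2.2.2", "backup01", "large_egress", "bkp"),  # scheduled job
]

CHAIN = ["auth_fail", "auth_success", "new_admin_tool", "large_egress"]  # assumed stage order
WINDOW = timedelta(minutes=30)
FAIL_THRESHOLD = 3

def parse(e):
    return datetime.fromisoformat(e["ts"])

def correlate(events, window=WINDOW, fail_threshold=FAIL_THRESHOLD):
    """Group events by (source, host); emit one scored alert per observed chain."""
    by_key = defaultdict(list)
    for e in sorted(events, key=parse):
        by_key[(e["src"], e["host"])].append(e)
    alerts = []
    for (src, host), evs in by_key.items():
        fails = [e for e in evs if e["type"] == "auth_fail"]
        if len(fails) < fail_threshold:
            continue  # isolated failures or a lone egress: no alert generated
        start, last, matched = parse(fails[0]), parse(fails[-1]), ["auth_fail"]
        for stage in CHAIN[1:]:  # each later stage must follow the previous one, inside the window
            nxt = next((e for e in evs if e["type"] == stage and parse(e) > last
                        and parse(e) - start <= window), None)
            if nxt is None:
                break
            matched.append(stage); last = parse(nxt)
        confidence = len(matched) / len(CHAIN)  # 1.0 means the full chain was observed
        alerts.append({"src": src, "host": host, "user": evs[-1]["user"], "stages": matched,
                       "confidence": confidence, "dwell_minutes": (last - start).total_seconds() / 60})
    return sorted(alerts, key=lambda a: -a["confidence"])  # highest-confidence alert first
```

The dwell_minutes field (first failure to last correlated stage) is the number the text above asks SOCs to drive down, and it is only measurable once the events are linked.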
These problems can be mitigated by focusing on both the technology baseline and workforce development programs. As we discuss in our Re-Imagining the Security Stack white paper, having fewer, but more efficient and effective, tools that enhance the ability to hunt for threats and assist with automation, alert triage, and prioritization has proven to be a workable solution for many enterprises. Automation is also a way to capture the tradecraft of experienced defenders and use that knowledge as a force multiplier for junior analysts. Automated capabilities also provide SOCs with more real metrics and management support as they examine how effectively an incident was handled. Lastly, providing regular training on best and emerging practices such as threat hunting can help to raise the talent floor in your organization, expanding your roster of experienced staff and further decreasing time to detection and response.
The cybersecurity skills shortage is not a new subject and the awareness continues to increase both in the private and public sectors. Agencies’ workforce shortages are quickly becoming a risk management problem on top of a human capital problem. Despite recent initiatives like the White House’s Cyber Workforce executive order that have prioritized cyber spending and education opportunities, this imbalance between supply and demand of skilled professionals continues to leave agencies vulnerable.
Cybersecurity will become more automated and intelligence-driven in 2019. Machine learning coupled with threat intelligence plays a pivotal role in the discovery of sophisticated actors attempting to gain access to networks and systems. It will be the key to being able to respond at cyber-relevant speeds, or even predictively rather than reactively, to individual threats. It will allow the network's cybersecurity posture to change dynamically in response to changing threats.
Today, many cybersecurity SOCs and analysts are using machine learning and artificial intelligence-based capabilities to monitor network activity, monitor outputs from security tools, look for unusual patterns, and correlate events—all in real time, far exceeding the average human’s ability to perform such tasks manually. These capabilities are critical, especially in complex IT infrastructures. An important benefit of AI is its ability to maximize the capabilities of overwhelmed security teams. These tools improve the detection of threats and provide better information to security operations center teams, enabling them to focus their attention where it is needed most.
If you would like to learn more about how federal leaders and other private organizations can work to optimally modernize their workforce, please join us for our upcoming Addressing the Federal Cyber Workforce Skills Shortage webinar, taking place September 13 at 11:00 AM.