By Avihai Ben-Yossef, CTO, Cymulate
2023 is shaping up to be another challenging year for cybersecurity defenders. Although some will say they hear this every year, this time is different. Attackers are not cutting back and have increased access to nation-state-style tactics. Ransomware is also showing no sign of slowing down. An unstable economic climate will continue to put pressure on budgets, and many new projects—including budgeted and planned security projects—may experience delays. The pressure for security leaders to prove the resilience of their security programs will likely be greater than ever.
Practical and cost-effective security programs will be a predominant theme for many businesses this year. So how do you do more with less?
Let’s start with preparedness. This begins with understanding how effectively incident detection and response tools function. Here are three essential domains in which security leaders should evaluate and benchmark their performance, along with questions to ask themselves:
• Security Program Effectiveness: According to our security policy, are the tools in my security stack detecting and blocking threats effectively? Is the policy even configured the way I intended it? Also, can threats still get through when controls are working as designed? Can we keep up with the volume of threat activity? Where can automation help? Does my team know what to focus on first? Does the time it takes them to remediate stay within my risk tolerance levels?
• Exposure To Threats: How will our risk profile or the environments we need to protect change in 2023? How has my attack surface changed since last year, and where am I exposed? Can we quickly understand if we are at risk of new immediate threats as they emerge? Does my software supply chain create weak links? Where are the likely infiltration routes for an outsider?
• The Business Impact Of Exploitable Vulnerabilities: What are our most vulnerable systems, data and operations, and what do we stand to lose if they’re successfully attacked? Have we taken the right precautions? Have we employed offensive security validation measures in addition to defensive programs?
The next area for planning centers on optimization and automation for offensive security validation measures.
With fixed budgets and headcount, using every single data point and information source becomes critical, as long as you can separate the wheat from the chaff. SIEM solutions should have visibility into all operations, free from the restrictions of business units and other logical barriers. Incident response protocols should be exercised regularly under controlled circumstances to ensure plans can be successful in an emergency. Updates, upgrades and patches should be prioritized by their impact on corporate systems and the likelihood of a successful attack.
Cyber resilience should become an ongoing, iterative process to allow for successful progress without burning out staffers. Leveraging systems to enhance and extend the team's reach can become a massive force multiplier. Where automation can be used safely and effectively—in areas such as virtual red teaming, regular validation operations and other operations that don’t require manual supervision—it can allow the team in place today to meet and exceed goals and overall metrics.
SOAR solutions can streamline mitigation when issues are discovered or when the SIEM recognizes a problem, escalating to staff when automation isn’t the best option. Introducing safe and effective automation allows the human element to be used optimally, where it is most needed, while the systems themselves continue handling the repetitive operations.
The Bottom Line
Despite the unpredictable economic situation, the one thing we can predict is that cyberattackers will not rest. They will use budget restraints, staffing shortages and a surging number of new vulnerabilities as a rallying call for more threat action. Taking a hard look at the company’s security posture and validating that security controls are functioning correctly has become table stakes—and will continue to be necessary through and beyond 2023.
Understanding if threats can get through and prioritizing patching based on exposures will both be necessary for proving that diligence was done to protect the organization. Even the smallest of organizations should consider automated red teaming to help scale their programs and provide continuous assessment of their cyber risk across their on-premises and cloud environments.