Seven Rules for Inclusion in the CSO’s Security Playbook

As conventional cyber-security practices continue to fall behind the sophistication of bad actors, enterprise chief security officers are scrambling to keep up. Organizations spent about $75 billion in the U.S. last year on security products and services, representing some 11 percent of total dollars spent on IT. Nonetheless, 75 percent of large enterprises are breached, and the average dwell time of the adversary from breach to detection is 99 days. In light of these challenges in such a fast-moving sector, effective enterprise security requires understanding that old techniques don’t work anymore and success comes from investing in what does work. This eWEEK slide show, based on industry information from Jamie Butler, chief technology officer at Endgame, offers tips on how chief security officers establish an effective enterprise security framework.

Effective enterprise security begins by assuming you’ve been breached and that there are already bad actors in your network. To combat this, you need to proactively hunt for bad guys already in your network and have the capability to remediate the problem without damage and loss or significant downtime to your networks.

Legacy endpoint detection and response (EDR) platforms are good at identifying many advanced attacks, but not in time to prevent damage and loss. Your security program fails if 1 percent of attacks succeed, so you need to invest in technologies that enable your existing teams to identify and effectively respond to the most advanced threats in the shortest amount of time. 

Many legacy and some leading EDR solutions are great at preventing known threats but do not account for the unknown or never-before-seen attack. The most sophisticated, state-sponsored attackers use methods that can bypass traditional indicators of compromise (IOC) search. While signatures remain an important component of detection and prevention of well-known threats, they are inadequate to defend against modern advanced threats.

Security operators and analysts encounter simple tasks and actions daily while also executing their complex, higher order work. However, the elementary tasks unfortunately consume an inordinate amount of time. Using artificial intelligence-enabled assistants and bots powered by valuable analytics frees up your team from time-consuming work, such as data gathering and routine analysis, to instead focus on more complex work.

Organizations with security budgets of $10 million or more use an average of 13 security vendors. This is too high a number for most organizations, so it is essential to integrate technologies that minimize the number of agents security operations center (SOC) teams use, as deployed by IT.

The Mitre ATT&CK Matrix is a model and framework for describing the actions an adversary may take while operating within an enterprise network. CSOs need to become familiar with this impressive taxonomy of advanced techniques to ensure the solutions they buy are durable as attack techniques evolve and new ones are introduced.

Near-constant change is necessary for the success of most businesses, and security is no exception. To find success, CSOs need to recognize the mistakes of the past. These include assuming they could prevent all breaches and relying on IOCs, instead looking forward to utilize AI and automation. They also need to think critically about security architecture and understand enemy threats. Your security depends on it.