Augmenting Cybersecurity

Vishal Salvi Oct 25, 2019

A data breach can cost an affected organization as much as a whopping $3.9 million, according to the Ponemon Institute.[1] And these costs can continue to impact the organization more than a year after the breach actually occurred. Fortunately, while most organizations have made cybersecurity a top priority, they still face challenges in beating the threat landscape. This is evident from the following statistics that we gathered in a recently published report by Infosys. 2

An overwhelming majority (94%) of executives at large enterprises now describe cybersecurity as the top initiative in their digital transformation journey. However, the challenges in building a strong cybersecurity are plenty. 84% of the respondents are worried about hackers and hactivists and three-fourth of them feel threatened by corporate espionage. Roughly two-thirds (67%) of these executives face the challenge of embedding security in their IT architecture. 65% of them say their organization is yet to build a security-aware culture while nearly half of them (49%) complain about shortage of skills.

In other words, existing cybersecurity strategies need to be augmented in order to take care of the growing sophistication of hackers and malicious insiders. Lack of skilled personnel and the fast-paced technological changes need to be managed with services from experts such as managed service providers or cybersecurity service providers.

Strengthening cybersecurity, the smart way

Cybersecurity-aware executives protect their organizations from cyberattacks and breaches in many ways. And they’re putting their money in gear. Cybersecurity measures, estimates Gartner, cost organizations worldwide more than $114 billion in 2018.4 Popular approaches include encryption, risk and compliance, security-awareness training, security incident management and identity and access management.

Unfortunately, these conventional approaches are not adequate as is evident from the rising incidences in cybercrimes. So what else is needed?

While there are multiple ways to augment cybersecurity the key approaches that organizations can start adopting are detailed below:

Infuse artificial intelligence and machine learning in cybersecurity

The two major characteristics in the cybersecurity landscape is the existence of large quantities of data and the lack of talent. Data in humungous quantities originating from disparate systems needs to be processed to detect anomalies, locate vulnerabilities or pre-empt threats which is beyond human capability. Most organizations already face a crunch in cybersecurity experts. In such a scenario, machine learning and artificial intelligence can facilitate timely threat detection, appropriate and quick response in a manner that not only reduces human errors but also lightens the workload of security teams.

Interestingly, hackers most often leverage AI and ML to break through security firewalls. Hence including them as part of the enterprise cybersecurity strategy can help organizations beat cybercriminals at their own game.

However, both these technologies need to be adopted with caution and one must remember that these are only tools to aid human involvement and decision making and that is what will keep organizations safe.

Here is how they work:

AI algorithms are developed based on past and current data to define the ‘normal’ and develop competencies to identify anomalies and threats that deviate from this ‘normal’. AI can come up with patterns that machine learning can use to recognize a threat. A classic example is the user and entity behaviour analytics or UEBA that uses ML and algorithms to identify deviations from defined patterns.

Machine learning can recognize similarities between different cyber threats, particularly when hackers use automated programs to synchronize multiple attacks. That’s why ML is most often used to evaluate and classify malware, conduct risk analysis and detect anomalies.

Organizations can tailor the AI and ML algorithms as per their needs to establish robust systems and processes for self-reporting of security incidents including AI-based behavioral analysis.

For example, if a London-based employee attempts to log on from Tokyo, the system might identify that action for further human investigation before allowing the person to log in. Possibly, the employee is on a legitimate business trip, and there’s no problem; but just as possible, it’s a hacker spoofing the employee’s identity to steal corporate data.

Implement SOAR

Short for Security Orchestration Automation and Responses, SOAR gathers data and security alerts from different sources and helps to define, prioritize and coordinate an organization’s incident response thus enabling security employees to be more productive. This helps organizations cope up with the industrywide shortage of skilled cybersecurity professionals. In fact, SOAR is a good example of leveraging AI, ML and automation to respond to security incidents at optimal speed. As an automation and orchestration tool, SOAR can strengthen existing cybersecurity architecture with things like preventive security controls, firewalls and application security and intrusion prevention systems.

There are several key areas where SOAR can contribute immensely in strengthening the cybersecurity of an organization:

Integrate security infrastructure: Most companies employ a myriad of tools to manage their security infrastructure leading to a response mechanism that is not consistent. With SOAR, one can integrate the security infrastructure which helps in enhancing visibility and communication amongst the different components.

Make security teams work smarter: Multiple daily alarms can cause the security team to fatigue out very quickly as they constantly need to switch between systems. Automating mundane and routine tasks can free the team to focus on more strategic aspects of cybersecurity. Understanding an attacker’s tactic and having the ability to identify indicators of compromise is another SOAR capability that can help security teams detect incidents and respond to them faster besides making better decisions.

Enable rapid response to time-sensitive breaches: SOAR can help reduce mean time to detect and mean time to respond from days to minutes thus helping arrest damage at an early stage.

Capture knowledge: Security talent is in short supply and hence difficult to retain. This results in people moving out from organizations causing loss of valuable information around procedures and existing organizational construct around threats. SOAR can help aggregate information from different sources and present it in dashboards helping not only preserve knowledge about the processes but also acting as an important communication tool for business leaders.

Use capabilities that work across cloud and onsite data centers: A SOAR typically uses a bunch of technologies and capabilities that makes it a robust automation and orchestration tool. This enables rapid response irrespective of where the security component is located, i.e. whether on cloud or on-premise. Some of these technologies are self-repairing software, patch management, horizon scanning technologies, predictive analytics, identity management.

Employ automation: In order to counter new and emerging security threats, most organizations deploy hundreds of security products to detect and protect their network. These security products are not always tuned in, to achieve coupling and orchestration of various security process and coordination. In addition, handling security operations including monitoring and response management is quite complex. Most of the security processes are time intensive, manual and therefore prone to errors and compliance issues. This also leads to slower remediation processes. A plethora of alerts and access requests can take a toll on IT resources.

Security automation is the need of hour to improve the overall security posture. Automation can collect and correlate security data, detect already-existing compromises, and generate and implement protections much more rapidly than humans can— an important consideration given the aforementioned security-skills shortage.

A typical automation journey should involve adding capabilities in phases that bring incremental value to the organization transforming it from being a deterministic enterprise to a cognitive one. Enterprises can begin automation by defining benchmarks and integrating the different tracking and monitoring tracks into a centralized dashboard.

Next would be use process insights to identify areas where automation will be effective. Monitoring and unifying operations, bringing in plug and play apps and orchestration of scripts can help reduce human errors and enhance control.

Once cost is optimized and efficiency is enhanced, organizations must look at applying automation to enrich user experience or to respond faster. Finally, organizations must aspire to be more cognitive and self-healing in their automation journey, bringing in solutions like bots that can self-resolve incident tickets or conduct root cause or impact analysis.

Engage with Security Managed Service Providers

While the recommendations on AI, ML, automation and SOAR can be taken up by organizations directly. It is often advisable to partner with a cybersecurity managed service provider because they not only bring in their specialized knowledge but often bring to the table curated platforms using best in class products with AI/ML use cases already defined. They can also augment the skills of the existing employees with their own expertise thus helping clients leapfrog their maturity in the cybersecurity space.

Collaborate with other industries and geographies

Another valuable strategy is to share information with other companies that might be targets. In the modern connected world, almost all companies irrespective of the industries they belong to face similar cyber threats. To stay ahead of cybercriminals, organizations need fresh intelligence on things such as new attack schemes or malware variants that come into play. To stay abreast of developments, organizations can coordinate with industry associations, regional IT groups, cybersecurity vendors, service providers, and relevant government agencies.

An organization may take all the right steps to augment its cybersecurity, but it is essential to be cognizant of the ever-evolving range of new threats that can make existing security protocols outdated in a day’s time. Also, adding technological capabilities or adopting different approaches to building a resilient cybersecurity will work only as long as the security teams take active participation in utilizing the tools effectively and view cyber strategy as an ongoing activity that must be continually reviewed and reworked as per the demands of the security ecosystem both within and outside the organization.