The current state of cybersecurity
The number and severity of cybersecurity threats are increasing daily. At the same time, the world is experiencing a severe and growing shortage of skilled IT security professionals. According to the 2019 (ISC)² Cybersecurity Workforce Study, the skills gap has surpassed 4 million globally, and in Europe, the unmet need for IT pros more than doubled in 2019. It’s no wonder that almost two thirds of organizations reported a shortage of cybersecurity staff, and 36% said that the lack of experienced security personnel was their number one business concern.
To defend themselves against cyber threats, companies are deploying more and more security tools aimed at addressing specific problems. Unfortunately, most of them do not play well with each other and require separate training. This complexity stretches the already limited IT staff by scattering attention and creating unseen overhead. It also makes it hard to communicate important cybersecurity risks horizontally between teams and to the Board, creating operational and security silos.
Another issue is that most companies are focusing on threat hunting, but are quickly overwhelmed by alerts. A 2018 survey found that 55% of security operations centers (SOCs) get more than 10,000 alerts each day, and 27% get more than 1 million every day. Most of those events are just noise, but the sheer volume makes it impossible to spot the events that truly matter.
A better way to frame the cybersecurity challenge
To combat this complexity and enable lean IT teams to be most effective, we need to challenge our basic assumptions and rethink how we treat visibility and security. The key is remembering this fundamental principle: You cannot protect what you do not see.
To develop an effective cybersecurity strategy and choose appropriate technologies, you need to be able to distinguish between what is important and what is not. For example, if you know exactly where sensitive and business-critical data resides in your network and who should (and should not) be able to access it, you can determine which assets need to be closely monitored to ensure they stick to your defined baseline and prevent problems with application-critical workloads.
A great way to reframe the cybersecurity challenge is to map your organization across the following 5 fundamental pillars:
- Identity
- Data
- Applications
- Workloads
- Network
These pillars are highly interconnected, and one way to map those relationships is to create a visual network graph that shows where sensitive data resides. Having that map enables you to answer complex questions like the following in a matter of seconds, without jumping through dozens of reports or screens:
- What is a given user capable of doing across the entire IT infrastructure?
- Where is sensitive and business-critical data located? Is it stored only on protected subnetworks?
- How is a particular asset that stores sensitive data configured?
- Is the production environment properly isolated?
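The questions above are all graph queries over the five pillars: identities, the applications they can use, the workloads those applications run on, the data those workloads store, and the subnets they sit in. The following Python script is an added illustration of that idea and is not code from this post or from any of the vendors it mentions; the inventory (users such as alice and bob, the erp and wiki applications, the prod-db-net and office-net subnets, and the per-workload configuration dictionary) is constructed for the example. Each of the four questions becomes a short reachability query over one small adjacency structure.

```python
"""Toy asset graph spanning the five pillars (identity, data, applications,
workloads, network). Added example; all node names and the sample inventory
below are constructed, not taken from any real environment or product."""
from collections import defaultdict, deque

# Node kinds map onto the pillars; "subnet" is the network pillar.
NODES = {
    "alice": "identity", "bob": "identity",
    "finance-admins": "group", "all-staff": "group",
    "erp": "application", "wiki": "application",
    "erp-db-vm": "workload", "wiki-vm": "workload",
    "customer-pii": "data", "customer-export": "data", "meeting-notes": "data",
    "prod-db-net": "subnet", "office-net": "subnet", "staging-net": "subnet",
}
SENSITIVE = {"customer-pii", "customer-export"}
PROTECTED_SUBNETS = {"prod-db-net"}
PRODUCTION_SUBNETS = {"prod-db-net"}

# Constructed per-workload configuration, the kind of detail an asset
# inventory or CMDB would hold for each host.
CONFIG = {
    "erp-db-vm": {"disk_encrypted": True, "public_ip": False},
    "wiki-vm": {"disk_encrypted": False, "public_ip": True},
}

# Directed edges (source, relation, target). Constructed sample inventory;
# the last two routes deliberately break production isolation.
EDGES = [
    ("alice", "member_of", "finance-admins"),
    ("alice", "member_of", "all-staff"),
    ("bob", "member_of", "all-staff"),
    ("finance-admins", "can_use", "erp"),
    ("all-staff", "can_use", "wiki"),
    ("erp", "runs_on", "erp-db-vm"),
    ("wiki", "runs_on", "wiki-vm"),
    ("erp-db-vm", "stores", "customer-pii"),
    ("wiki-vm", "stores", "meeting-notes"),
    ("wiki-vm", "stores", "customer-export"),   # sensitive data on an office host
    ("erp-db-vm", "located_in", "prod-db-net"),
    ("wiki-vm", "located_in", "office-net"),
    ("office-net", "routes_to", "staging-net"),
    ("staging-net", "routes_to", "prod-db-net"),  # transitive path into production
]


def build_adjacency(edges):
    """Group outgoing edges by source node: {src: [(relation, dst), ...]}."""
    adj = defaultdict(list)
    for src, rel, dst in edges:
        adj[src].append((rel, dst))
    return adj


ADJ = build_adjacency(EDGES)


def reachable(start, relations=None, adj=ADJ):
    """Breadth-first search over outgoing edges, optionally limited to the
    given relation types. Returns every node reachable from start."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for rel, dst in adj.get(node, []):
            if relations is not None and rel not in relations:
                continue
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def user_capabilities(user):
    """Q1: what can a user do across the infrastructure? Follows group
    membership into applications, their workloads and the data they store."""
    reach = reachable(user, {"member_of", "can_use", "runs_on", "stores"})
    return {n for n in reach if NODES[n] in ("application", "data")}


def sensitive_data_exposure():
    """Q2: is sensitive data stored only on protected subnets? Returns
    (data, workload, unprotected_subnets) for every violation."""
    findings = []
    for workload, rel, data in EDGES:
        if rel == "stores" and data in SENSITIVE:
            unprotected = reachable(workload, {"located_in"}) - PROTECTED_SUBNETS
            if unprotected:
                findings.append((data, workload, sorted(unprotected)))
    return findings


def asset_configs_for(data):
    """Q3: how are the assets that store a given data item configured?"""
    return {wl: CONFIG[wl] for wl, rel, d in EDGES if rel == "stores" and d == data}


def production_isolated():
    """Q4: is production isolated? Lists (non_prod_subnet, prod_subnet) pairs
    where a routing path, direct or transitive, leads into production."""
    leaks = []
    for subnet, kind in NODES.items():
        if kind == "subnet" and subnet not in PRODUCTION_SUBNETS:
            for hit in sorted(reachable(subnet, {"routes_to"}) & PRODUCTION_SUBNETS):
                leaks.append((subnet, hit))
    return leaks


if __name__ == "__main__":
    print("alice can reach:", sorted(user_capabilities("alice")))
    print("exposed sensitive data:", sensitive_data_exposure())
    print("config of customer-pii hosts:", asset_configs_for("customer-pii"))
    print("routes into production:", production_isolated())
```

Each check is a filter over the same edge list, which is the point of the unified map: adding a new data item, host or route updates every answer at once, and a finding such as customer-export sitting on an unprotected office subnet or the office network routing into production surfaces as a concrete graph path rather than as one alert among thousands.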
Why a unified view of the IT environment is essential
You’ve probably played, or at least seen, a real-time strategy (RTS) game like StarCraft. To win, you need to interact with your assets swiftly and precisely by reading and interacting with their models on the screen. Now imagine that Player A is playing the game normally, but Player B has to play blindfolded, navigating only by the sounds of alerts of various disjointed events. In addition, to take an action, Player B has to filter down to the entity they want to control and then explicitly type the commands. Who do you think will win the game?
Unfortunately, most IT pros today are as handicapped as Player B. Many IT security tools on the market still bombard us with endless lists of cryptic events that we have to manually sort through to find the relatively small set of valuable data. And each one covers only a particular realm, so we have to try to piece together the larger picture ourselves in order to work effectively with other IT teams and explain cybersecurity risks to non-technical board members.
Having a broad picture is also essential for compliance with many modern regulations, including the following:
- PCI DSS 1.1.2 — You need a current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks.
- GDPR Article 35 — A data map is essential for 2 of the 6 steps in a data protection impact assessment (DPIA) (describing the information flow, and identifying privacy and related risks).
How much more effective could your limited IT staff be if they had the unified view and power of Player A, with business-oriented dashboards and network and infrastructure graphs? Both startups and major vendors are taking steps to provide these types of interfaces; for example, products like Illumio, ExtraHop and VMware Secure State visualize and tie together some of the 5 pillars mentioned above. But it is clear we can and must do even more to simplify cybersecurity and develop a common language for articulating and solving cybersecurity challenges.
Conclusion
So, what do you think? Would having cleaner interfaces that visualize what’s happening across your environment, instead of countless lines of cryptic data, enable you to be more effective? Should we look into new ways of tackling security data presentation, especially for security newcomers? Are those approaches even mutually exclusive or should they coexist? Or is all of this just marketing hype?
Let us know!