As a Senior Associate at PwC, I worked closely with customers to collect information for their yearly Global State of Information Security Survey (GSISS). A decade later, I was excited to receive a copy from PwC, one of Tanium's partners. Themes from the report included an increase in the number of incidents, continued adoption of cloud solutions to host sensitive systems and data, greater involvement of executives and the board, and broad adoption of cybersecurity frameworks. Although encouraging, these trends place additional pressure on already overextended security teams, which are now required to respond to more alerts, support growing cloud and mobile deployments, generate meaningful metrics for leadership and monitor alignment with robust security frameworks. Because security talent remains scarce, organizations will need to acquire the right tools so that existing staff can obtain the information required to support these trends more easily and quickly.
The PwC report noted that improved detection resulted in a 38% increase in incidents managed by participating organizations. This presents two challenges. First, an increase in the number of incidents requires additional skilled staff to triage and investigate; such staff are already in short supply, and the added caseload will only worsen that shortage. Second, time spent on reactive triage is time taken away from proactive work: forensic staff should generally be spending at least 50% of their day hunting for attacks and developing new techniques to improve an organization's ability to disrupt the attacker throughout the kill chain.
The solution to these challenges is not to hire more people, but to improve the efficiency of the existing team. When working with our customers, I find that the biggest efficiency gains come from accessing data far faster than before and from being able to triage an alert in minutes instead of hours.
Having received similar feedback from our customers, our team of developers and former incident responders created a method to continuously capture forensic data on endpoints. This information is ready for a responder to reference should an alert indicate potentially malicious activity on a system. The data is also searchable across the enterprise, allowing responders to find similar activity on other systems or to build complex detection use cases across all endpoints in seconds. As a result, triage of alerts is considerably quicker and forensic staff can focus on other, higher-priority tasks.
The GSISS report also emphasized the proliferation of connected devices and data, with 75% of organizations moving sensitive data to the cloud and an increased focus on the Internet of Things (IoT). This is bad news for most organizations, many of which are still struggling to understand the devices already on their physical networks.
This challenge can be summarized by my experience in enterprises over the past decade. Nearly eight years ago I responded to my first large, public breach. During the investigation, I discovered that the impacted organization could not provide basic information, including an asset inventory of devices and applications, patch levels for OS and common third-party applications, network maps, or a list of their production database servers.
Eight years later, despite numerous standards (e.g. the SANS Top 20 Critical Security Controls) strongly advocating visibility into assets and applications, nothing has changed: organizations continue to struggle with the same basic questions. The challenge of gaining visibility into the current state of devices across an enterprise will only worsen with the proliferation of connected devices.
Organizations will need a solution that addresses the existing challenge of maintaining 15-second visibility into traditional endpoints and extends it to emerging environments such as cloud, mobile and IoT. This is another area in which we are working closely with our customers, to ensure that our technology supports a growing list of device types and continues to provide visibility into millions of onsite and remote devices within seconds. Many of our customers use this visibility today to maintain an accurate asset and application inventory, monitor device configurations, and perform other tasks crucial to basic security hygiene, a goal that has remained elusive for most organizations.
Bringing In The Board
Five years ago, when discussing breaches with executives and board members, my conversations focused on educating these leaders about targeted threats. Today, that conversation has changed. Board members and executives better understand the threat landscape and are focused on learning and validating how security risks are mitigated within the organization. PwC confirmed this shift, highlighting that 45% of boards now regularly interact with security leadership to better understand risks and mitigation strategies.
As a result, security leadership must now provide visibility into enterprise risk through meaningful metrics. These include mean time to detect incidents, mean time to patch vulnerable endpoints, and other measures that require broad, real-time visibility. Many of our customers use Tanium to collect such real-time metrics across hundreds of thousands of devices in order to demonstrate value and drive business decisions.
Based on feedback from our customers, boards are also increasingly asking for visibility into the security of acquisitions. In particular, boards and executives want to know whether an acquisition target is already compromised or plagued by poor security practices. Smart boards realize that the cost of cleaning up an existing incident or remediating poor security practices needs to be factored into the cost of acquiring a company. Our customers use Tanium to address these concerns because of its ability to search for compromise and for security vulnerabilities and misconfigurations in minutes.
PwC's results reveal that organizations face a number of complex challenges. Addressing each of them certainly requires smart people and repeatable processes. But just as importantly, today's security teams need tools that let them obtain the information they need quickly and easily across tens or hundreds of thousands of devices, both to solve the basic problems that remain unsolved and to respond to more advanced attacks.
To read the entire Global State of Information Security survey, visit http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html.
David Damato, Chief Security Officer