How organizations can optimize existing cybersecurity investments

March 22, 2023
In the face of an uncertain resource environment, embrace the concept of a “waste not, want not” mentality

Between inflation and a potential economic downturn, there’s plenty of uncertainty going into 2023—including security. Rather than looking for the next “hot tool” that will solve all potential business problems, why not optimize existing investments? Not only will this save your organization time and money, but it can also help you focus on amplifying the value of existing investments.

Prioritize and “Right size” Your Cybersecurity Portfolio

First, look at your security tool portfolio. If you’re like most organizations, there’s likely some capability overlap in tools—many tools today have multiple functions as they try to displace other vendors that are competing for that limited security budget. While most tool vendors have robust functionality in one or two functions (usually the ones they started with), many have additional functionality that is less mature as they look to compete in adjacent functions. This is happening a lot right now in code security technologies. For example, only a few years ago you needed a single tool for Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Software Composition Analysis (SCA), and Interactive Application Security Testing (IAST). Now you can get many of these in one or two tools. The same dynamic is happening in the Third-Party Risk Management (TPRM), Attack Surface Management (ASM), and Digital Risk Protection Management (DPRM) space. Analyze these tools. Based on your specific risk appetite, decide what functions must be best of breed, and what other functions just need to be “good enough.” Then consolidate. It will save you budget and reduce the burden on your vendor management, procurement, training, and sustainment responsibilities.

Policy Tuning “To Perfection”

Once you’ve done some consolidation, audit the policy configuration of the tools that remain. In the hustle and bustle of current operations, it’s likely your teams have not reviewed the current policies that are implemented, and further, it’s likely these tools have evolved with additional features since you last configured them. What you’re likely to find is that many policies are overdue for some refinement based on both business changes and tool advancements. More specifically, look for the opportunity to apply more granular policies that facilitate more prevention (blocking) without impacting the business.

Optimize Signal to Noise Ratio

Policy Tuning to perfection doesn’t end there. In addition to blocking, most of our tools throw out a lot of alerts, and honestly,  a lot of them are noisy. Too many alerts are unimpactful or low severity. It’s important for the SOC to determine which alerts are high fidelity—with a high probability of malicious activity, and which ones generate a lot of “low severity noise.” Once qualified, if the noisy alerts cannot be turned into higher fidelity, consider consolidating them into a report, or turning them off altogether. Make sure that you're getting to the signal—the things that matter and trimming the noise. And be sure to lean on your SOC partners to help you.

Optimize Your Security Teams with Automation

This philosophy can also be applied to labor, which continues to be a challenge in the cybersecurity industry. Today’s CISOs should prioritize retaining and upskilling their existing security teams by identifying how they can best support them with the right tools, training, and benefits. Particularly in security operations, but in all technical support, we struggle with how to take the “low-brain, high carb” activity off their plate. In the SOC analyst role, responding to high volumes of meaningless alerts or continuing to answer every phishing email is mind-numbing. How do you reduce that burden, so that your teams can focus on more proactive business needs? One word—automation.

Automate everything from provisioning and deprovisioning credentials to the investigation of malware or virus alerts. It’s an area we focus on heavily because roughly 70-80% of an analyst's time is spent investigating alerts. If you can automate the context required for, to accurately adjudicate an investigation, you can free up the analyst for more proactive and business-impacting work.

Proactive Security is the Name of the Game

Here are three proactive activities worth considering should you unburden your analysts using automation. These happen to be the areas I try to focus my teams on when they are not chasing alerts.

The first one I call “credible threat mitigation.” It’s a fancy term for keeping up with the threats that matter most to your business by ensuring you have controls aligned with their techniques. And further, instead of focusing on every MITRE technique in the model, why not focus maniacally on those techniques that your most credible threats are using? Credible threats are those that are specifically targeting you, targeting your sector, or those that use techniques for which you are particularly vulnerable. In other words, you are focusing on those threats you’re most likely to come up against and validating the alignment of your controls. This is a focus area that keeps businesses better protected and helps manage risk.

The second proactive activity is threat hunting which aggressively looks for anomalous activity. The primary goal of proactive hunting is to confirm or deny a hypothesis –typically centered around the existence of a threat (or not). Equally important, however, is the second-order benefit of getting to know the traffic patterns in your environment so you can very quickly see when something is anomalous. Most of the time, the discovered anomalous activity is safe – the result of misconfigurations or undisciplined human activity (often unknown), which are equally valuable.  Many of these hunts should be run automatically on a recurring basis. Hunts like anomalous firewall traffic, anomalous authentications, and anomalous DNS traffic, should be scheduled to automatically run on a recurring basis with pre-configured filters that highlight traffic outside of what is expected.

The third proactive activity is control testing. In breach postmortems, how often do we hear about a control that was missing (not installed), not properly configured, or incorrectly logging? In other words, how do you know what you own is working? One word: Testing. And better yet, recurring, and automated testing. There are lots of automated testing tools businesses can use.

In sum, in the face of an uncertain resource environment, embrace the concept of a “waste not, want not” mentality of “less is more”. With a little focus, leaders can optimize existing tooling and human resources to save money, reduce attack surface and tune away noise. While those are valuable just standing on their own, you can also further improve your team's morale and security posture by transitioning to some higher value proactive work like credible threat mitigation, hunting and controls testing.

About the author: Col. (retired) John Burger serves ReliaQuest as the Chief Information Security Officer (CISO) and Vice President of IT Infrastructure. Prior to joining ReliaQuest, he served 27 years in multiple assignments including the CISO at the United States Central Command from 2010-2012. As the CISO, he directed the efforts of National Security Agency HUNT teams to protect and defend a warfighting network of over 1+ million devices in the Middle East. In 2012, he was selected as the Chief of Cyber Warfare, where he directed the cyber-attacks in Afghanistan, Iraq, and the planning for offensive cyber operations against Iran.