SEC Rule Sparks Reimagining of Cybersecurity Operations

This post is also available in: 日本語 (Japanese)

The U.S. Securities and Exchange Commission (SEC) has placed cybersecurity at the center of public company governance with its new cybersecurity incident reporting rule. Companies must disclose not only information on their cybersecurity risk management processes in their annual reports but also any cybersecurity incident, or series of incidents, that are “material” to the company and must do so within four days of determining that the incident was material. Regulators around the globe are requiring that companies report more about cyber incidents in defined sets of time and, in doing so, are illuminating a truth we have long known – organizations must embrace a new approach to implementing security solutions to defeat motivated, well-financed and ever more sophisticated cyber attackers.

In finalizing the rule, the SEC observed that disclosure and reporting practices varied across publicly traded companies, and reasoned that a more standardized approach would better serve investors. Unfortunately, a standardized approach reflecting most companies’ capabilities today would not yield impressive results. According to the up-to-date analysis of incident response from Unit 42, it takes companies an average of 5.5 days to initially contain an incident once discovered, and full recovery and remediation can take additional weeks or even months. These numbers are underwhelming, but they are not surprising given the flawed way too many organizations select and use their security solutions. Organizations are deploying disaggregated products to address discrete threats that do not provide a holistic picture of the threat landscape, unify data into actionable insights, or proactively hunt for potential attacks. The result is a 55% increase in vulnerability exploits in the wild from 2021 to 2022 (source: 2023 Unit 42 Network Threat Trends Research Report).

We can do better and these regulatory trends should catalyze companies to consider how best to dramatically reduce their chances of ever having a material incident in the first place. The next generation of AI-powered cybersecurity solutions, such as CortexⓇ XSIAM from Palo Alto Networks, are built to meet and defeat the cyber threats we see now and expect to see in the future and, in the process, drive significantly faster and better security outcomes. A common sense framework underpins the advanced capabilities of XSIAM, which will enable any company to reimagine its security operations.

1. A security architecture that employs an integrated, best-of-breed platform reduces risk, simplifies processes and provides better outcomes. According to 2022 What’s Next in Cyber survey, over 65% of organizations want to consolidate their security solutions because existing point solution-based architectures are not sufficient to mitigate the kinds of threats that security operations centers (SOCs) confront today. A consolidated platform shares intelligence across data points, dashboards and user experiences to better prevent zero-day threats in real-time while reducing the risks inherent in integrating point products. You achieve better security when every part of your cyber stack works together. This isn’t complicated calculus. It’s common sense.
2. Effective threat detection and investigation requires access to significant amounts of data from varied sources. Cortex XSIAM natively integrates telemetry from any source, analyzes it and then stitches the resulting intelligence together into a single, comprehensive view of cyber incidents and threats. It integrates Unit 42 security research expertise with critical data from first-party sensors across endpoint, network and cloud to lay the foundation for high-quality analytics.
3. This rich data must be analyzed at machine scale, with automation driving the SOC. Doing so will dramatically improve two key metrics that determine the effectiveness of any SOC: mean time to detect (MTTD) and mean time to respond (MTTR). If your MTTD is on the order of seconds and your MTTR is on the order of minutes, you have the best possible chance of identifying an incident and assessing its materiality as soon as possible. This gives you the best chance to react to the incident and mitigate its effect. Yet all too often, we observe MTTD of hours to days and MTTRs of days to weeks or even months. Simply put, this is no longer a human-scale problem.
4. Companies should employ an integrated, single view of the cybersecurity landscape that triages every alert and incident at a machine scale, delivering a causality chain and an automatic determination of severity and impact. Most companies manage to assess 30-50% of alerts. In this threat environment, a partial solution is usually no solution.

XSIAM employs every element of this framework today. It is an AI-powered platform that can revolutionize the SOC and deliver step-function improvements in MTTD and MTTR. The platform combines our knowledge of every known attack pattern (Palo Alto Networks detects over 275,000 new attack patterns each day) with AI-based prediction and analytics to protect against new, as yet unseen attack patterns. With prebuilt integrations to over 900 cybersecurity products, XSIAM allows companies to remediate incidents in near real-time, using the richest, context-aware playbooks in the industry.

XSIAM produces staggering improvements in outcomes. Historically, the Palo Alto Networks SOC analysts spent most of their day triaging alerts, with each analyst manually investigating about 13 incidents per day. After deploying XSIAM, those same analysts now spend 70% of their day threat hunting and running attack simulations because they enjoy 100% alert coverage from AI and automation. Manual incident investigations are down to eight per day and, most crucially, the SOC has reduced its MTTD to less than one minute, and its MTTR to a few minutes. And, in the last three years, the average number of events presented per day has increased from one billion to 36 billion.

That is the power of XSIAM – true, machine-scale AI applied to analyze large amounts of data in real-time to protect against known and unknown threats. This automated solution will facilitate an organization’s determination of whether an incident is “material” and dramatically reduce its remediation window from days and hours to minutes.

Finally, a full reimagining of your security operations requires additional strategies:

• Proactive Cyber Offenses – A Better Offense Makes for Better Defense: Organizations need the foundational components for an industry-leading cybersecurity program, including an automated attack surface management solution that accurately inventories their global internet-facing assets, to allow for discovery and mitigation of risk. On average, our Cortex Xpanse customers find 35% more assets than they previously tracked. Attack Surface Management is also an integrated module of the XSIAM platform.
• Reconsider Your Governance Model – Managing cybersecurity risk is not exclusively the responsibility of CISOs and IT teams. Corporate boards are key players in the effort. Consider establishing a separate security committee for the board. After all, ensuring that effective plans are in place to mitigate cyber risks, which can shut down a business, is as important as the work of audit committees to address financial risks.
• Get That Incident Response Plan Battle Ready and Test – Companies should prioritize the development of a comprehensive incident response plan that includes how to engage key experts from across the enterprise and then simulate events to test the organization’s readiness to respond and remediate effectively.
• Call in the Experts – CISOs should prioritize assembling a team of dedicated incident responders and cybersecurity experts. These professionals are primed to spring into action when a cybersecurity incident arises, armed with a deep understanding of the organization's unique landscape and regulatory requirements.

The SEC’s new incident reporting rules reflect one of the core challenges of our age – protecting our digital way of life from persistent, tenacious and ingenious cyber attackers. A marriage of smart, next-generation security platforms and sound corporate governance practices will be a powerful means to meet this challenge.