Charting the course of my career, transitioning from a cybersecurity webmaster to chief information security officer (CISO), has given me unique insights (and scars) into the multifaceted nature of cybersecurity. Where prevention and incident response focus on what you need to do to avoid or handle cyberattacks and minimize their fallout, a resilient SOC focuses on how to create efficient and repeatable processes. It not only ensures your ability to withstand an attack without catastrophic consequences, but also ingrains the idea of anti-fragility.
The transformation I’ve seen in cybersecurity over the past 15 years has been incredible. The idea of what to secure has expanded as the cloud, mobile devices and IoT have evolved. Multifactor authentication (MFA) and stronger encryption have become the norm rather than the exception. More emphasis has been placed on continuous and holistic cybersecurity awareness, including through Zero Trust, real-time threat detection, attack surface management, vendor risk management and user education.
However, while the technology, adversarial tactics and security practices have changed quite a lot, the underlying philosophy within the security operations center (SOC) is still primarily focused on prevention and response alone. There needs to be a third pillar of cybersecurity philosophy – resiliency.
Every security incident should be a learning opportunity to build stronger defenses, and sometimes it may require a complete rethinking of how security works.
When I began my journey as a cybersecurity webmaster, the internet was in its nascent stage. Websites were becoming digital storefronts, and the role of a webmaster was pivotal. Beyond ensuring the site was up and running, my task was to safeguard it from emerging cyberthreats.
Luckily for me, cyberthreats were relatively unsophisticated at this time. Simple distributed denial of service (DDoS) attacks, website defacement and basic malware were the primary concerns. The tools at our disposal were rudimentary. But, as online transactions and data sharing became more commonplace, the need for advanced security mechanisms became apparent.
Taking the helm as a CISO, the strategic dimensions of cybersecurity came into sharper focus. Beyond merely ensuring technical safeguards, it became crucial to integrate cybersecurity into the very fabric of business strategy. The purview now encompassed risk management, crisis communication, regulatory compliance and, most importantly, aligning security imperatives with business objectives.
CISOs had to stop wondering whether security was strong enough if an attack happened. Instead, they needed to ensure processes were in place when an attack inevitably arrived. This is the foundation of building a resilient SOC – building efficient and easily automated processes to mitigate attacks as they come, minimizing the fallout, and finding ways to strengthen security with each hard lesson learned.
Over the years, there have been instances where a new technology or strategy completely rethinks how security operates and greatly improves resiliency:
However, in the ever-evolving world of cybersecurity, one glaring challenge that many organizations continue to face is the duration it takes to detect and respond to cyber breaches. Threat actors can live off the land, using legitimate system tools to maintain persistent access and avoid detection.
Despite advancements in technology, many breaches still go unnoticed for weeks or months and, subsequently, take as long to prevent and contain. Even worse, the evidence of these breaches can be pulled together easily, but only after the fact. In a resilient SOC, those indicators of compromise should be surfaced automatically before the impact occurs.
This transformation has been stymied, primarily due to the legacy SIEMs that we have all been forced to rely on. These legacy SIEMs have numerous challenges, including scalability issues, limited analytics capabilities, integration challenges, slow search and query performance, alert fatigue and a lack of cloud-native support, among others.
Last year, we decided to take up the challenge and transform our detection and response program with resiliency in mind. We discovered that you can build a more resilient SOC by rethinking automation, data analytics and where security analysts fit into the process. This meant building a SOC platform that was automation-first, could intelligently filter through alerts to surface true threats and could adapt to detect and stop even novel attacks. So, a vital component was shutting down our legacy SIEM and moving to the newly launched Palo Alto Networks XSIAM SOC platform.
We were able to complete this XSIAM transformation journey in just 6 months. This gave us an in-depth picture by pulling data from endpoint, network, cloud and identity systems, then normalizing and stitching it all together. We then applied our machine learning models to reduce our alert volume and achieve a mean time to detect (MTTD) of 10 seconds and a mean time to respond (MTTR) of 1 minute for critical and high alerts.
Are you ready to transform your detection and response program? If so, start your journey by building your resilient SOC. This new asset is an interactive digital experience featuring seven chapters on security issues, such as supply chain risks, ransomware, automation and more, including a chapter on our Cortex portfolio. The future looks bright, and we’re proud to be creating a safer version of it with the innovation we’re providing today.