Just Enough Insider Threat Defense
At a recent conference for IT leaders, I addressed the theme, “How much cyber security is enough?” We have all probably had to answer the broad question of how much budget is appropriate relative to our peers, but a discussion about risk and value should quickly follow.
This one-dimensional question of “how much?” is necessary at certain times, but it should not be where the conversation on security investment ends. This sort of thinking arises out of necessity or out of a lack of focus, for a variety of reasons, and usually gets answered in the following ways:
These are all attempts to simplify the problem and to externalize as much of the analysis as possible to outside parties. Most of these solutions are actually more complicated to execute than they first appear. It is not that these strategies are bad in and of themselves, but they lack a willingness to think more in depth about security risk. In the end, they will not relieve the burden of needing to think about a risk-adjusted portfolio of security investment.
Two-dimensional thinking begins when we start to ask, “What sort of information security investments should I make?” This is the transition we often make when talking to a personal financial advisor. At first, it is a chore, and we just want to know, “How much do I have to save every month?” The advisor’s reply is usually some version of, “It depends.” One of the things it depends upon is the composition of your portfolio and what sort of results you can expect from different investments.
Three-dimensional thinking about security begins when we start to ask, “What combination of security investments will reflect my desired risk appetite?” This is where we start to understand that there is a trade-off between investment and performance.
Let’s look at the diagram for a hypothetical example. You could invest in something relatively inexpensive, like building awareness content to be distributed through current training resources, and, because of your receptive culture, see substantial gains in security performance metrics. You would be placed in the upper left-hand corner, above the curve. Likewise, you could spend a relatively large amount on a new solution but not have the right maturity in place to maximize that investment, and end up in the lower right-hand corner.
One way to determine where you want to be on the investment/performance curve is by establishing goals on a maturity matrix. A maturity matrix outlines maturity levels on an x-axis and technical and governance elements on a y-axis. It inherently represents a total package of investments and the performance metrics you measure as you progress towards your goals and spending. Determining how each organization should shape its security program along a maturity roadmap is the craft of security leadership.
Consider this question from the perspective of insider threats and of developing an appropriate response to them in your organization. Security leaders realize the damage that insiders can do, but they have a hard time imagining a cost-efficient strategy to deal with the issue directly.
Very often I hear, “I’m not dealing with insider threats exactly, but we have a suite of holistic controls and they are covering insider and outsider threats.” The problem with that is that insider threats are often operating below the radar of normal technology controls. Insiders have all the permissions they need to do most of the things they want to do. Their activity is very subtle and hard to detect, and beyond the reach of most controls.
Alternatively, some security teams try to simply purchase an “insider threat” tool, such as user and entity behavior analytics (UEBA), to solve this problem of finding subtle activity. The challenge is that UEBA tools require a certain level of process, technology and skill maturity in order to get the most out of them. Log management should be in place, including application logs. Role management should be developed in order to create meaningful baselines. Case management teams should be trained on how to handle insider investigations. Investment in UEBA technology alone is not sufficient.
We focus on coordinating a security team’s current assets into a strategy based on deep knowledge of critical assets, threat modeling, and goals of the organization.
In our research we develop a maturity matrix, based on a list of functional elements, to provide a capability and outcome roadmap. Each organization is different in terms of its target levels of maturity, but the result is essentially a risk posture. At the end of the day, you should end up with something like this:
But how do you know what levels your organization should target for each of the four functional elements listed on the y-axis of the above matrix?
Leaving the insider threat example and thinking again more broadly about all parts of a security program, there is a consistent set of themes we’ve found in our focus groups that dictate how enterprises shape their programs and shoot for different maturity levels:
Once these questions are answered and maturity targets are selected, choosing metrics should not be difficult. There are plenty of catalogs of applicable metrics available. The hard part is making the metrics relevant to your customers by putting them in terms that matter to your organization. This usually involves expressing measures as a ratio, with a denominator that is meaningful for your organization. While the metrics need to be tailored, they also need to be general enough that they can be trended and benchmarked over time. A metric tailored to be relevant for one quarter is less trendable than a metric that can be observed for years. This is a difficult task when the data is coming from your dynamic IT ecosystem.
Asking the question, “How much cyber security?” is a place to start a conversation. Eventually, though, you want to be able to measure the success of a risk-adjusted insider threat strategy that balances people, process and technology to secure your environments.