Forcepoint Flash: From The Office Of The CSO

Top Five Security Capabilities I Wanted 10 Years Ago [Part Five]

By Doug Copley, Forcepoint Deputy CISO

It’s finally here, the #1 security capability I wish I had 10 years ago.

You will quickly see the view of the CISO in this last entry. CISOs are accountable for helping their organization manage information risk. As part of that responsibility they need to be able to communicate risks, action plans and security program maturity to the board of directors, C-level executives, audit committee and other executives. Ten years ago, the reporting tools available lacked maturity and lacked a truly risk-based focus.

#1 – I wanted REPORTING that was valuable and risk-based

If I think back to the security tools and methods being leveraged 10 years ago, security and IT teams understood the need to retain log files, but very few groups I talked to actually took time to review log files and look for suspicious activity. SIEMs existed but weren’t mature in their ability to correlate and alert in an automated fashion. From my viewpoint, reporting was still in its infancy. We could get reports of activity volume, but nothing I would consider very meaningful in helping drive risk reduction across the enterprise.

If I ponder the evolution in this area, it went from separate log files across different systems to log aggregation in SIEM tools. Things got better with prioritization of events into Critical, High, Medium or Low categories, but even so events were still not intelligently grouped into potential incidents. What I’ve started to see in 2015-16 is the next evolution. Vendors have come to realize that security controls are mitigation activities within a cyber risk management program. For organizations to get the most value out of reporting, it needs to present data in terms of risk to the organization. This is not only important for the organization to understand its risk, but it’s critically important to operational teams who use this information every day, so they can focus their limited resources on those risks that are most important to the organization at that particular point in time.

To effectively present security event data in risk terms, organizations need to understand and be able to articulate what data and what systems are most critical to the organization. This can be done via an activity such as a business impact assessment. By incorporating such information into the security event reporting processes, events can not only be grouped by source or target, but the activities can be correlated with the risk posture of the assets involved and dashboards can present a view of activity that identifies the most important risks to the organizations assets at that point in time. As risk incidents are investigated and addressed by relevant groups, they will fall off the dashboard and the next most critical risk will rise up on the dashboard. If you haven’t seen any of these dashboards yet, they will present data in sections such as Top Threats, Top Riskiest Assets and Top Riskiest Users. I can’t underscore how important these real-time risk-based dashboards are to organizations with limited security resources, as this allows them to stop spending time on non-value-add activities of trying to sift through SIEM data and lists of DLP items to determine what needs to be remediated. This allows them to focus on risks that are most critical to the organization at that moment in time. Management can then be sure resources stay focused on risks most important to the security risk posture of the organization.

Well, there you have it.  My Top Five desired capabilities from 2006 that are a reality today. I’m not claiming these were necessarily the most important five, and I’m sure some readers may have a different list of what they most wanted in 2006. It’s fair to say security technologies have advanced significantly since then, and I anticipate the speed of capability advancement to continue to accelerate into the foreseeable future. I feel fortunate to have the technological capabilities we have available to us today, and with the amount of innovation taking place, I’m truly excited about what’s to come.

To learn more about a technology that delivers these security capabilities, visit: https://www.forcepoint.com/solutions/need/unified-content-security