There’s little question that the technology world is changing quickly. 2020 was a great accelerator in many ways, with the pandemic leading to rapid changes in working habits and the structure of consumer demand.
In 2021 companies will continue to scramble to catch up with the speed of change – adjusting operations to meet new challenges, expectations, and opportunities.
But in the dash to adopt new technology, some key areas can be left behind as some aspects of a company’s technology estate mature faster than others. Security operations (SecOps) is one area that does not always adapt at a sufficient pace.
And SecOps matters.
In this article we discuss how today’s changing technology environment is affecting the threat landscape, outline the implications for your enterprise, and point to best practice, both in planning and in day-to-day practical SecOps.
The Current State of SecOps
A changing technology world means changing threats. Arguably, the more technology we deploy – think about the rollout of 5G and IoT, for example – the more vulnerabilities emerge, and the more opportunities for malevolent actors to take advantage of security risks.
Vulnerability reports are skyrocketing
Indeed, the number of vulnerabilities in the wild is growing rapidly. Looking at the statistics for the National Vulnerability Database, the number of vulnerabilities reported per year was reasonably stable over the last decade at about 4,000 to 8,000.
From 2017, however, the number of listed vulnerabilities started growing rapidly – with a 127% jump in that year, to over 14,000. The count has stayed at an elevated level since – with 2020 seeing over 18,000 reports.
Just think about it for a moment: almost 20,000 vulnerabilities reported in 2020 alone. The odds are high that the software or hardware you depend on is affected. Consider, for example, that the Linux kernel alone was affected by 170 vulnerabilities in 2019, each of which trickles down to every Linux-based OS.
Skyrocketing vulnerability counts are not just theoretical reports with a low probability of leading to a breach. According to Imperva, almost half of vulnerabilities have a publicly accessible exploit that hackers can use. That is a wealth of opportunities for everyone from the common criminal to the politically motivated.
Who is to blame for a lack of preparedness?
With a growing tidal wave of vulnerabilities affecting every aspect of computing, the challenge of mitigating the threat of cybercrime is growing too, but for most organizations SecOps is simply not keeping up.
In part, it is a lesson in reactive behavior – often, an organization will only take SecOps seriously once a damaging compromise has illustrated the costs of lax cybersecurity. After all, when the payoff of SecOps is the absence of risk rather than a visible new benefit, it can be tough to justify spending resources on it.
To be fair, hackers are persistent, almost infinite in number – and aided by automation. Mounting defenses against such a broad and formidable threat will never be easy. That said, it’s common for companies to miss out on even simple strategies.
For example, according to a survey the Ponemon Institute completed for ServiceNow, 60% of cyber breach victims said that the breach was due to a vulnerability for which an effective patch existed – but where the patch was never applied. In other words, the attack could have been stopped with a simple action: applying a patch.
Why are companies’ security responses so lackluster given the very obvious threat? We suggest that there are a few key issues:
- Conflicting roles. SecOps is often left in the hands of technology teams, which creates a conflict. Tech teams are there to make technology readily available, whereas SecOps inherently restricts and secures. In the drive for results, tech teams can downgrade the priority of SecOps. A lack of dedicated security teams is a significant issue.
- A lack of cybersecurity culture. Companies readily promote a corporate culture where there are obvious benefits, or where there is a legal requirement. Think of a growth-first culture, or a customer-first culture for example. Or, consider compliance – mandated by the law. Cybersecurity posture is typically not at the top of the list.
- Absent leadership. Closely tied to the lack of a cybersecurity-first culture, SecOps must be driven right from the top – through the boardroom, the C-suite, and right down to middle management. But often this does not happen, because cybersecurity is mistakenly seen as an IT issue, and leadership and team structures consequently do not reflect mature SecOps.
- A lack of thoroughness. The patching example above illustrates how organizations are simply not thorough enough when it comes to managing cybersecurity threats. It comes down to a lack of leadership, missing SecOps teams, and perhaps simply not taking the threat seriously enough.
- Not using available tools. One of the best ways to combat automated hacking is by using automated defenses. This includes automated, rebootless patching via a tool such as KernelCare, alongside automated penetration testing, for example.
While the above list reflects typical shortcomings in the approach many companies take, we don’t mean to imply that organizations are ignoring the cybersecurity threat. Most companies practice some degree of SecOps. However, those cybersecurity practices are often present but immature.
So, what are the risks of immature SecOps?
The Enterprise Impact
There is always the chance that your organization takes an immature approach to cybersecurity and never sees the consequences. But doing so would be irresponsible and would likely breach your compliance obligations too. And a cavalier attitude to SecOps risks turning out very costly.
Real-world examples of cybersecurity lapses
To put the real risks into perspective, we outline some of the most prominent examples of cybersecurity breaches, including their repercussions.
Let’s start with Yahoo. In two disclosures during 2016, the company announced that it had been the victim of a data breach affecting a staggering three billion user accounts – with everything from real names to dates of birth and phone numbers lost. It knocked USD 350 million off the price that Verizon paid when acquiring Yahoo.
Next up is financial services company Capital One, which in 2019 suffered an attack that affected over 100 million of its customers. The company is expected to spend between USD 100m and USD 150m to remediate the effects of the attack.
IBM’s 2020 Cost of a Data Breach Report sums up the potential costs. According to the IBM study, the average cost of a data breach is USD 3.86m – while it can take up to 280 days to identify and to contain a successful data breach, driving remedial and reputational costs.
What are the risks that drive these costs?
A full explanation of the risks of lax cybersecurity is beyond the scope of this article, but we’ll outline the breadth of risks your company can face, because organizations often take a very narrow view of cybersecurity risk – it’s not just about, say, stolen data. Potential damaging effects include:
- Damaged reputation. Companies that suffer from a cybersecurity breach often do so in a very public way. Compliance obligations can compel organizations to report a breach. It’s not good news and it can steer customers and clients away.
- Loss of revenue. Downtime to deal with a breach is where revenue loss starts, but the real harm comes from reputational damage. There is no way to know how much trust is lost due to a cyberattack – and what that means to the bottom line.
- Compliance risk. A company that suffers a cyberattack may find that it is on the receiving end of fines – or a ban. Establishing and maintaining key cybersecurity controls is built into compliance standards such as SOC 2.
- Increased costs. Cyber breaches are expensive to remediate, while undiscovered attacks such as cryptominers can add to IT bills. Organizations also need to repair the damage and restore public trust. And even where no expenses are spared in fixing a breach, the hidden costs can last for years.
All of the above comes on top of the more obvious costs of service disruption and data loss.
Building a mature approach to SecOps
Clearly, leaving SecOps to chance is not worth the risk. That said, building really robust security operations isn’t that simple. In fact, we’d suggest that there are two key aspects to building secure operations.
First, you need to configure your security operations in a manner that ensures ongoing resilience year in, year out. However, you also need to ensure that you deal with the practical aspects of security operations – ticking the right boxes throughout.
Configuring mature, enterprise-grade SecOps
A mature approach to cybersecurity requires influence from the top and a supporting organizational structure. The practical elements matter too, and we’ll get to that in the next section. But, from an organizational perspective, we recommend the following:
- Get the C-suite on board. Mature SecOps requires sustained backing – and that can only come from the top. Companies that take cybersecurity threats seriously will instill a security-aware culture at senior management levels.
- Dedicated SecOps teams. We alluded to the conflicting motivations between technology teams responsible for delivery and the restrictions inherent to a cybersecure approach. Convenient and accessible operations will always clash with secure operations. Both aspects matter, but to avoid neglecting security you must have a SecOps team with distinct responsibilities.
- Red Team, Blue Team. Likewise, we alluded to thoroughness earlier in this article. Testing and challenging cybersecurity measures is part of being thorough. Consider the Red Team, Blue Team approach: a Red Team imitates an attacker, performing penetration testing and detecting vulnerabilities, while a Blue Team mounts fixes and responses to address the Red Team’s findings.
- Outside expertise. Your internal approach can drive a large degree of security, but your approach will inevitably be colored by groupthink to some degree. Augment your internal efforts with outside help – from cybersecurity consultants through to subject matter experts. Think about cloud access security brokers, for example.
These are some of the key steps your organization should take to instill a culture of cybersecurity. With these aspects in place, practical measures will follow.
Day to day practice: checkboxes you need to tick
A security-first posture will naturally lead to practical measures – but it’s nonetheless easy to miss key aspects of cybersecure operations. We think you should consider the following:
- Sufficient resources. Whether it’s staff or funding for cybersecurity tools, ensure that your SecOps is adequately funded. Beware penny-pinching – you don’t want to try and save a few dollars on security operations only to be hit with hundreds of millions in losses due to a breach.
- Security monitoring. Continuously monitoring your networks and hardware can help you spot an intrusion at an early stage. In turn, fast action can prevent a more complex intrusion, help you limit the damage of an intrusion in progress or, at the very least, ensure that you meet compliance obligations.
- Software and hardware management. Getting a grip on your technology estate is key. To establish where potential risks are you need to know what’s in use – and who is using it. Establish where you are using legacy tools too.
- Continuous patching. We hinted at patching earlier: patching matters. It is simple in theory, but the resources required and the associated downtime can reduce patching to something that’s done inconsistently. Make sure your organization prioritizes patching and makes use of available tools such as live patching that can smooth the patching process.
- Persistent processes and policies. Culture matters, but eventually, it comes down to policy. Clarifying processes and policies that boost security will help your organization to push secure use of technology right down to the staff level – reducing the opportunities for hackers, including through human-focused routes such as phishing.
Practical measures matter, but it is the structure of your SecOps that can drive these practical measures year in, year out – to deliver a consistency that provides maximum protection against cybersecurity threats.
To summarize, companies are at risk of leaving SecOps to the IT team – and that simply won’t work. Tech teams are likely to pay minimal attention to cybersecurity – only as far as preventing the most egregious and obvious security risks.
Mature SecOps requires much more – leadership, dedicated teams, and consistent practical measures. It also requires the right tools – such as KernelCare for automated, rebootless patching.
It is not just the IT department that suffers when security or data breaches occur. These incidents affect the whole company. C-level leaders in all functions must take SecOps seriously – and help drive a mature, effective cybersecurity function in their organization.