
Creating an effective IT security strategy amid an evolving threat landscape

Opinion: Despite the massive, high-profile cyber attacks that have targeted large Australian organisations in recent months, many businesses remain seemingly unaware that they could become the next victim, writes Michael Bovalino, ANZ country manager at LogRhythm.

Michael Bovalino
Thu, 24 Nov 2022

The attacks, which have resulted in large volumes of personal data being released publicly, demonstrated the widespread harm that can occur. As well as financial and reputational damage for the organisations concerned, the attacks have had real-world consequences for millions of people.

It’s a problem that is only going to get worse. Research by LogRhythm shows that during 2022, there was a ransomware attack somewhere in the world every 11 seconds. The annual cost of these attacks to businesses has reached US$20 billion and this is likely to rise in coming years.

Deploying the SOC visibility triad

Faced with this increasing threat, businesses have little choice but to increase the protective measures they have in place. One strategy that is attracting increasing attention is the so-called SOC visibility triad.

This strategy involves putting in place overlapping fields of visibility within an IT infrastructure. This ensures that security teams have the best possible chance of spotting malicious activity and stopping it before damage can be done.

The SOC visibility triad comprises log monitoring using a security information and event management (SIEM) platform, together with both network and endpoint detection and response capabilities.

Log monitoring

Undertaking log monitoring provides an organisation with the widest possible view of its security landscape. It correlates multiple perspectives (operating systems, applications, and networks) to give visibility of the entire kill chain.

Log monitoring can also help security teams to spot attackers who have gained access to an infrastructure but are waiting for the right time to mount an attack. Long dwell times can allow attackers to examine resources across a network and determine which are of most value to them.
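As an added illustration of the cross-source correlation described above (example code written for this page, not from the article or any LogRhythm product), the snippet below joins constructed OS, application and network events per host, matches them against an ordered kill-chain pattern, and reports the dwell time between initial access and the final stage. The hosts, users and addresses are made-up sample values.

```python
from datetime import datetime

# Constructed sample events from three log sources (os, app, net).
# Fields: timestamp, source, host, action, detail. Not real data.
EVENTS = [
    ("2022-11-01T08:12:00", "os",  "srv-01", "login_success", "user=svc_backup src=203.0.113.7"),
    ("2022-11-01T08:20:00", "app", "srv-01", "privilege_change", "user=svc_backup role=admin"),
    ("2022-11-05T02:30:00", "os",  "srv-01", "new_service", "name=updater.exe"),
    ("2022-11-18T23:40:00", "net", "srv-01", "outbound_transfer", "dst=198.51.100.9 bytes=5200000000"),
    ("2022-11-02T09:00:00", "os",  "ws-07",  "login_success", "user=alice src=10.0.0.5"),
]

# Ordered kill-chain stages to look for, each paired with the log source
# that observes it; a single source alone cannot see the whole sequence.
KILL_CHAIN = [("os", "login_success"), ("app", "privilege_change"),
              ("os", "new_service"), ("net", "outbound_transfer")]

def correlate(events):
    """Group events by host and return {host: dwell_days} for every host whose
    combined OS, application and network logs match all kill-chain stages in
    chronological order. Dwell time is measured from the first matched stage
    to the last one."""
    by_host = {}
    # ISO-8601 timestamps sort correctly as strings, so sorting the tuples
    # orders events chronologically before grouping.
    for ts, source, host, action, _detail in sorted(events):
        by_host.setdefault(host, []).append((datetime.fromisoformat(ts), source, action))
    findings = {}
    for host, evs in by_host.items():
        stage, first, last = 0, None, None
        for ts, source, action in evs:
            if stage < len(KILL_CHAIN) and (source, action) == KILL_CHAIN[stage]:
                first = first or ts
                last = ts
                stage += 1
        if stage == len(KILL_CHAIN):
            findings[host] = (last - first).days
    return findings

if __name__ == "__main__":
    for host, days in correlate(EVENTS).items():
        print(f"{host}: full kill chain observed, dwell time {days} days")
```

A host that only shows the first stage (ws-07 in the sample) is not reported, which is the point: each source sees one fragment, and only the correlated view exposes the sequence and the long dwell time.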

Network monitoring

Effective network monitoring is all about speed. It reduces the time taken to spot an attack, as the majority of attacks tend to begin at the network layer.

Network monitoring also offers very effective protection as it is invisible to attackers and therefore more difficult to evade than other security techniques. It allows legitimate traffic to traverse a network without interruption while unauthorised activity is identified and dealt with.

Endpoint monitoring

As the third component of a robust security strategy, endpoint monitoring provides a security team with deep visibility into any device on which an agent can be installed. Being agent-based means monitoring can take place in isolated environments and even when devices are offline.

Unfortunately, however, endpoint monitoring tools cannot be used on every single device within an organisation’s IT infrastructure. It is not possible to install them on internet of things (IoT) or black-box devices and so alternative security measures will need to be used.

Understanding the threat landscape

When it comes to using these three components to create an effective security strategy, it is important to fully understand the threats being faced. The security team should evaluate which components of the IT infrastructure are most attractive to attackers and how best to protect them.

Once the nature of the threats is understood, customised playbooks should be created that detail the steps that will be followed if and when an attack takes place. This will ensure there is minimal delay in response and increase the chances of an attack being neutralised before damage can be inflicted.

It is worth making use of established industry frameworks such as NIST and ITIL to guide planning activity. These frameworks have been designed as a blueprint for organisations that can use them as the basis for developing their own effective security practices.

People are vital

As well as tools and frameworks, an effective security strategy also needs to have the right people in place. Security teams should comprise three groups, responsible respectively for initial triage of alerts, investigation, and escalation of a response when an attack has occurred.

Each group requires different training and skills. Care must therefore be taken to ensure the right individuals are employed to meet the specific needs of the organisation.

No silver bullet

When it comes to achieving effective IT security, it must be remembered that there is no silver bullet. Strong protection requires the combination of a range of tools and platforms, together with a highly trained and engaged security team.

The threat landscape will continue to evolve during 2023. Those organisations that have taken the time to assess and improve their security measures will be best placed to withstand attacks when they occur.
