By Filippo Cassini, Global Technical Officer, SVP of Engineering.
Increasingly, new laws and regulations are designed to help guide companies in structuring their cybersecurity strategies. For example, the U.S. Securities and Exchange Commission (SEC) has become very strict on what organizations have to report. The European Union General Data Protection Regulation (GDPR) and other regulations like the NIS 2 Directive—an EU legislative act that aims to compel a higher and common level of cybersecurity across all the organizations within the union—are driving structural changes in cybersecurity. Ultimately, it all boils down to adhering to the rules to protect organizations and, by extension, citizens from cybercriminals.
From an executive vantage point, the central questions to be addressed are: “Is my company safe? Is my IT organization doing a good job of protecting us? And, as a leader, am I making sure we’re doing what is required by the SEC, or the EU government, or whoever else is creating the regulations?” In this post, we discuss how top-level managers of organizations can best navigate the intersection between their business needs and cybersecurity requirements.
Indicators of Compromise
Executives rely on their cybersecurity teams to give them an accurate and unvarnished view of the organization’s security posture. When leadership asks, “Are we safe?” the team needs to respond in a way that they can be easily understood and is honest. Cybersecurity managers should frequently check the pulse of their networks. When they come upon a concern, they need to provide executives and board members with timely reports about attacks, threats, and indicators of compromise (IOCs).
Typically, an IOC is something new or abnormal that is occurring. This is often a sign that your organization has been compromised. An example of an IOC might be that some devices in the network are connecting to somewhere never witnessed before. Or, it might be an unusual rate of connection or an unusual amount of data being transferred to or from certain locations that are geo-based. Anytime you experience something you would not expect, proceed carefully and be suspicious.
Are You Ready?
Organizations need cybersecurity technology, but they also need to consider their readiness, which requires a strategy. Organizations can acquire pretty much any product or service that they want to protect against this or that particular threat, but the job doesn’t stop there. Each of these new tools will generate information logs and reports. When the tools generate data, a dedicated individual or group must be ready to process all the new information.
If your organization is not processing this new security data, some intrusion that could have been prevented invariably happens. Often, the IT team discovers the initial attack occurred months before, despite all the relevant devices doing their job of generating data logs. However, with no one analyzing all the information, a preventable hack can easily occur. If your organization wants to maintain its security posture, you must be able to do the triage.
When the triage has pinpointed an attack, your organization needs to have a plan in place. And that means, you have to proactively know what tools you have, who the players are, and who needs to be doing what. This is not the time to say, “Let’s call a meeting and figure it out!” Most hackers are using tools that are automated and execute at computer speed. If your organization tries to respond at human, Zoom-meeting speed, you’re in big trouble. So, you must have your processes documented and prepared in advance. Also, you should proactively employ some software technology, like a SIEM or SOAR solution, that enables you to respond to threats immediately.
The Platform Approach
At Fortinet, we believe good collaboration requires moving from a best-of-class approach to a platform approach. With a platform, you can use multiple technologies that can exchange information between themselves and in an open way with other systems. The platform approach is more efficient. It allows multiple technologies to “talk to each other” and extract information that can be used proactively, effectively, and automatically.
For example, when you analyze every confirmed threat and build a model for responding to it, you may end up building hundreds of models. These models are often referred to as playbooks. Eventually, you realize that the playbooks can be condensed and automated. That process is a lot easier to do with a platform of products that have already been designed to work together.
Conclusion
Board members and C-suite executives should have more than a basic understanding of cyberthreats and cybersecurity. If one of their primary goals is to keep the business well-protected, they need to be aware that a platform approach to cybersecurity is the best way to keep their organizations secure. Having a cybersecurity platform allows for the automation of defensive tasks and the ability to respond to attacks in milliseconds. Automation is the key because it allows for essentially synthesizing and automating tasks in a timely way. Responding to cyberthreats with a Zoom meeting or a manual process is never going to be adequate.