As we approach the end of the year, many security leaders are starting to plan their strategic initiatives for 2022. This piece details three key security projects to consider: adopting zero trust concepts, modernizing the security operations center (SOC)
through extended detection and response (XDR), and expanding the security program’s influence to include custom application and product security.
Security Initiative #1: Zero Trust
“Zero trust” has become a buzzword in the cybersecurity industry. However, the fundamental concepts of zero trust are sound and need to be understood in a product-agnostic fashion.
The truth is, no single product or vendor provides a comprehensive zero-trust solution; zero trust is a combination of many technologies and processes, interwoven and thoughtfully planned out. Strategists should consider educating
themselves using vendor-neutral sources such as NIST (SP 800-207, Zero Trust Architecture, is the reference model), and then conduct thought exercises within their organizations about how to address real-world issues with zero trust concepts.
When planning for zero trust, it’s important to understand that zero trust is:
- A multi-year journey with nearly no upper limit to how far it can be taken.
- Not solely a technical solution, but a collection of processes built on top of strong IT capabilities, such as asset management, identity management and authentication.
- Successful only with tight integration: it is zero trust only when all of your security signals and enforcement points work together to enforce your organizational risk tolerances.
Depending on your current maturity, you could expect to spend a year or more building a strategy and working to ensure future IT investments are aligned.
Security Initiative #2: XDR and Data Pipeline Management
XDR is a modernized take on the SOC. Practically speaking, it is a tight integration between endpoint detection and response (EDR), security information and event management (SIEM) and security orchestration, automation and response (SOAR). It enables rapid detection and response, and offers benefits like:
- EDR that acts as a SIEM on the endpoint. In years past, more aggressive security organizations looking for high-acuity alerting would ship endpoint telemetry to their SIEM and write complex rules to analyze it. Modern EDR evaluates the same telemetry on the endpoint,
without the SIEM ingestion expense or the poor signal-to-noise ratio.
- Making logging strategies more efficient. Cloud SIEM is prohibitively expensive to treat as a data dumping ground. Most organizations are on their first iteration of cloud SIEM, likely having migrated from an on-prem SIEM before that. The mistake some
organizations make in this transition is not updating their data management processes to match the change in cost structure (typically from capacity-based licensing to per-gigabyte ingestion pricing), resulting in exorbitant and unexpected bills. Organizations employing XDR concepts build more detections at the
edge (as opposed to within the SIEM) and carefully analyze the cost/benefit of sending high-volume logs to the SIEM (e.g., sending every firewall allow event to your SIEM may cost $200,000 per year but have little return on investment).
- Enabling security data lake/warehouse efficiencies. These big data repositories cut costs without losing the ability to get the data you need. A strategic plan that separates logs critical to alerting from logs needed only for
investigation tells you how and where each should be stored. Look carefully at every log source and log type and determine whether that type is essential to an important detection. If not, route it to the
data lake, where it stays available for investigation at far lower cost. This can pay huge dividends for cost containment and allow you to reinvest resources in other areas.
- Making automated remediations easy to accomplish. Integrations for common incident response actions are often built into XDR and can be configured in an “if this, then that” style. The key to success is to test your detections
through purple-team exercises until you know their fidelity (how often they fire on attacker behavior versus benign activity). Only then align your SOAR responses to your risk tolerance: a detection that still misfires on benign activity should open a ticket, not isolate a host.
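Working backward from detections to log feeds, as the logging-strategy and data-lake points above describe, can be made mechanical. The script below is an added example written for this post (not IANS tooling or any SIEM vendor's feature): it routes each (source, event type) feed to the SIEM only when a catalogued detection consumes it, sends everything else to the data lake, and compares annual cost against an all-to-SIEM baseline. The sources, daily volumes, detections and per-GB prices are constructed assumptions for illustration.

```python
"""Route log feeds between the SIEM and the security data lake based on
which detections actually depend on them.

Added example, not IANS or vendor code. The catalog, volumes and prices
below are constructed assumptions, not measured figures."""

from dataclasses import dataclass


@dataclass
class LogSource:
    name: str
    event_types: tuple      # event types this source emits
    gb_per_day: dict        # constructed daily volume per event type, in GB


@dataclass
class Detection:
    name: str
    needs: frozenset        # (source, event_type) feeds the rule consumes


# Constructed catalog: what each source emits and how much, per event type.
SOURCES = [
    LogSource("firewall", ("allow", "deny"), {"allow": 180.0, "deny": 12.0}),
    LogSource("edr", ("alert", "process"), {"alert": 0.5, "process": 40.0}),
    LogSource("idp", ("login", "mfa"), {"login": 3.0, "mfa": 1.0}),
    LogSource("dns", ("query",), {"query": 60.0}),
]

# Constructed detections and the exact feeds each one needs.
DETECTIONS = [
    Detection("outbound to blocked range", frozenset({("firewall", "deny")})),
    Detection("edr alert correlation", frozenset({("edr", "alert")})),
    Detection("impossible travel", frozenset({("idp", "login")})),
]


def route(sources, detections):
    """Return {(source, event_type): "siem" | "lake"}.

    A feed goes to the SIEM only if at least one detection consumes it;
    everything else is retained in the data lake for investigation.
    Routing is per event type, so "firewall deny" can reach the SIEM while
    "firewall allow" is filtered out at the edge."""
    needed = set().union(*(d.needs for d in detections)) if detections else set()
    plan = {}
    for src in sources:
        for et in src.event_types:
            plan[(src.name, et)] = "siem" if (src.name, et) in needed else "lake"
    return plan


def annual_cost(sources, plan, siem_usd_per_gb, lake_usd_per_gb):
    """Estimate yearly ingestion cost under a routing plan (prices assumed)."""
    total = 0.0
    for src in sources:
        for et, gb in src.gb_per_day.items():
            price = siem_usd_per_gb if plan[(src.name, et)] == "siem" else lake_usd_per_gb
            total += gb * 365 * price
    return round(total, 2)


def savings(sources, detections, siem_usd_per_gb=3.0, lake_usd_per_gb=0.05):
    """Compare 'dump everything in the SIEM' against detection-driven routing."""
    everything_hot = {(s.name, et): "siem" for s in sources for et in s.event_types}
    before = annual_cost(sources, everything_hot, siem_usd_per_gb, lake_usd_per_gb)
    after = annual_cost(sources, route(sources, detections), siem_usd_per_gb, lake_usd_per_gb)
    return before, after


if __name__ == "__main__":
    for feed, dest in sorted(route(SOURCES, DETECTIONS).items()):
        print(f"{feed[0]:>8}/{feed[1]:<8} -> {dest}")
    before, after = savings(SOURCES, DETECTIONS)
    print(f"all-to-SIEM: ${before:,.0f}/yr   detection-driven: ${after:,.0f}/yr")
```

The useful property is that routing is decided per event type rather than per source: the firewall's deny events still feed a detection and go to the SIEM, while its far larger allow stream is dropped to the lake at the edge. Re-running the plan whenever a detection is added or retired keeps the SIEM bill tied to detection value instead of to habit.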
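The "if this, then that" response point above hinges on knowing a detection's fidelity before letting it act unattended. As an added example (not a product's playbook engine, and not code from the original post), the script below scores a detection from purple-team trial results and lets a playbook run only the actions that detection has earned under an assumed action ladder; the trial counts, thresholds and action names are constructed for illustration.

```python
"""Gate automated SOAR responses on measured detection fidelity.

Added example, not an XDR vendor's playbook engine. The purple-team
results, thresholds and action ladder are constructed assumptions."""

from dataclasses import dataclass


@dataclass
class TestResult:
    """One purple-team trial: did the detection fire, and was it an attack?"""
    fired: bool
    malicious: bool


# Action ladder, least to most disruptive. Each rung states the minimum
# precision (true positives / all firings) and minimum number of trials a
# detection must show before that action may run unattended.
# Thresholds are assumed values; set them from your own risk tolerance.
ACTION_LADDER = [
    ("open_ticket",     0.00, 0),
    ("notify_analyst",  0.50, 5),
    ("disable_account", 0.90, 20),
    ("isolate_host",    0.97, 50),
]


def fidelity(results):
    """Return (precision, recall, trials) for a detection's purple-team runs."""
    tp = sum(1 for r in results if r.fired and r.malicious)
    fp = sum(1 for r in results if r.fired and not r.malicious)
    fn = sum(1 for r in results if not r.fired and r.malicious)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall, len(results)


def allowed_actions(results, ladder=ACTION_LADDER):
    """Every action whose precision and sample-size bar the detection clears."""
    precision, _, trials = fidelity(results)
    return [name for name, min_p, min_n in ladder
            if precision >= min_p and trials >= min_n]


def choose_response(requested, results, ladder=ACTION_LADDER):
    """'If this, then that' with a safety check: run the requested action only
    if the detection has earned it; otherwise fall back to the most disruptive
    action it has earned (never less than a ticket)."""
    ok = allowed_actions(results, ladder)
    return requested if requested in ok else ok[-1]


def make_results(tp, fp, fn, tn):
    """Build a constructed result set from confusion-matrix counts."""
    return ([TestResult(True, True)] * tp + [TestResult(True, False)] * fp
            + [TestResult(False, True)] * fn + [TestResult(False, False)] * tn)


if __name__ == "__main__":
    # Constructed: a mature detection (58 TP, 1 FP, 2 FN, 40 TN) earns host
    # isolation; a new, noisy "excessive 4xx" rule only earns a notification.
    mature = make_results(tp=58, fp=1, fn=2, tn=40)
    noisy = make_results(tp=6, fp=4, fn=1, tn=9)
    for label, res in (("mature", mature), ("noisy", noisy)):
        p, r, n = fidelity(res)
        print(f"{label}: precision={p:.2f} recall={r:.2f} trials={n} "
              f"-> {choose_response('isolate_host', res)}")
```

Note that the gate checks sample size as well as precision: a rule that has fired correctly three times out of three has not yet earned the right to isolate hosts. Recall is reported but deliberately not gated on, since a detection that misses attacks is a coverage problem, not a reason to withhold automation when it does fire.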
Security Initiative #3: Integrating Application and Product Security
One area cybersecurity teams sometimes overlook is deep integration with product or application security. Security teams are often well versed in protecting enterprise resources, such as domain controllers, shared drives, endpoints,
servers, etc., but can lack visibility into, and response capabilities for, custom products or applications.
As a third initiative, consider strategically pushing to build security logging, analytics and response capabilities into your applications and products. It’s best to start with the end goal, and work backward from there.
For example, what actions could security take to neutralize threats? Locking accounts, rate limiting, changing user roles and blocking IP addresses are all highly effective techniques that help neutralize potential threats. With a set of response
techniques in mind, what scenarios would you want to trigger them? An excessive number of HTTP 4xx errors from one client, web application firewall (WAF) alerts or impossible travel (logins for one user from locations too far apart to reach in the elapsed time) are all good options. Once you have your ideal alerts, identify which log sources, fields and enrichment
(e.g., IP geolocation for impossible travel) you need to realize them, and then get them in place.
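Two of the scenarios above (excessive 4xx errors and impossible travel), wired to two of the response actions (block the IP, lock the account), as an added example written for this post rather than code from the original or from any product. The log line format, the IP addresses, the coordinates and the thresholds are constructed assumptions; in particular the `geo=` field assumes an IP-geolocation enrichment step upstream of the detection.

```python
"""Two application-level detections wired to response actions, run over
constructed application log lines. Added example, not product detection
content. Line format, thresholds, IPs and coordinates are assumptions."""

from collections import defaultdict, deque
from datetime import datetime
import math

# Constructed log, one event per line:
#   <iso-ts> <ip> <user> <method> <path> <status> [geo=lat,lon]
# geo= is attached to successful logins by an assumed IP-geolocation step.
SAMPLE_LOG = """\
2021-11-02T10:00:00Z 198.51.100.7 alice POST /login 200 geo=51.5074,-0.1278
2021-11-02T10:00:05Z 198.51.100.7 alice GET /api/orders 200
2021-11-02T10:20:00Z 203.0.113.9 alice POST /login 200 geo=35.6762,139.6503
2021-11-02T10:30:00Z 192.0.2.44 bob GET /api/users/1 403
2021-11-02T10:30:02Z 192.0.2.44 bob GET /api/users/2 403
2021-11-02T10:30:04Z 192.0.2.44 bob GET /api/users/3 404
2021-11-02T10:30:06Z 192.0.2.44 bob GET /api/users/4 403
2021-11-02T10:30:08Z 192.0.2.44 bob GET /api/users/5 403
2021-11-02T10:30:10Z 192.0.2.44 bob GET /api/users/6 403
2021-11-02T11:00:00Z 198.51.100.7 alice GET /api/orders 404
"""


def parse(line):
    """Split one constructed log line into a dict; geo is None when absent."""
    ts, ip, user, method, path, status, *rest = line.split()
    geo = None
    if rest and rest[0].startswith("geo="):
        lat, lon = rest[0][4:].split(",")
        geo = (float(lat), float(lon))
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "ip": ip, "user": user, "method": method, "path": path,
            "status": int(status), "geo": geo}


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    r = 6371.0
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(h))


def detect(log_text, max_4xx=5, window_s=60, max_kmh=900.0):
    """Stream the lines once and return (rule, subject, action) triples.

    excessive_4xx: more than max_4xx client errors from one IP inside a
    sliding window_s-second window -> block the IP (rate limiting is the
    softer alternative).
    impossible_travel: two successful logins for one user whose implied
    speed exceeds max_kmh -> lock the account.
    Each subject is reported once per rule so a burst does not become a
    storm of duplicate actions."""
    alerts, seen = [], set()
    errors = defaultdict(deque)      # ip -> timestamps of recent 4xx responses
    last_login = {}                  # user -> (ts, geo) of the previous login
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        if 400 <= ev["status"] < 500:
            q = errors[ev["ip"]]
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) > max_4xx and ("excessive_4xx", ev["ip"]) not in seen:
                seen.add(("excessive_4xx", ev["ip"]))
                alerts.append(("excessive_4xx", ev["ip"], "block_ip"))
        if ev["path"] == "/login" and ev["status"] == 200 and ev["geo"]:
            prev = last_login.get(ev["user"])
            if prev:
                hours = (ev["ts"] - prev[0]).total_seconds() / 3600
                km = haversine_km(prev[1], ev["geo"])
                # Distinct locations in zero elapsed time are impossible too.
                too_fast = km > 0 and (hours == 0 or km / hours > max_kmh)
                if too_fast and ("impossible_travel", ev["user"]) not in seen:
                    seen.add(("impossible_travel", ev["user"]))
                    alerts.append(("impossible_travel", ev["user"], "lock_account"))
            last_login[ev["user"]] = (ev["ts"], ev["geo"])
    return alerts


if __name__ == "__main__":
    for rule, subject, action in detect(SAMPLE_LOG):
        print(f"{rule:<17} {subject:<14} -> {action}")
```

Both rules need fields the application must actually emit: a client IP and HTTP status on every request, and a user identifier plus a geolocatable IP on each login. That is the "identify what log sources you need" step made concrete: if the application only logs successes, or logs requests without the client address, neither trigger can be built, no matter how good the SOAR integration is.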
Security Initiatives for 2022
Building a strategic and tactical roadmap is critical to the success of any security program. Going into 2022, next-level initiatives for good security organizations vary widely, but the most common trends center less on buying new tools and
more on tightening and deepening the integrations between your tools and corporate information assets.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.