Dark Reading Report Building The Soc of The Future

The document discusses building the security operations center (SOC) of the future. It describes how the past year brought digital transformation, cloud attacks, and the pandemic, changing how businesses and security teams operate. It discusses how health insurer Blue Cross Blue Shield of Kansas City had to respond when a ransomware attack hit their third-party provider, and the challenges faced by SOCs in 2020 with remote work and more sophisticated attacks. The future of SOCs is described as being virtual, cloud-based, automated, collaborative, and focusing on proactive threat and vulnerability hunting.

FEBRUARY 2021 Sponsored by

INSIDE:
Building the SOC of the Future >>
Security as Code: How Repeatable Policy-Driven Deployment Improves Security >>
10 Benefits of Running Cybersecurity Exercises >>
Can’t Afford a Full-time CISO? Try the Virtual Version >>
Building the SOC of the Future: Next-Gen Security Operations >>

Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed
the way business works and the way security teams operate. There is no going back.

FEATURE

Building the SOC of the Future


Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past
year has changed the way business works and the way security teams operate.
There is no going back.
By Rob Lemos

In April, health insurance provider Blue Cross Blue Shield of Kansas City had to scramble. Its third-party provider of workstation management services, Cognizant, had notified the company that a spate of technical problems and service outages had been caused by a ransomware attack, reportedly by the notorious Maze ransomware group.
The security operations center at Blue Cross Blue Shield of Kansas City — or Blue KC, as it is known — scrambled to determine whether the ransomware group had jumped from Cognizant to the healthcare firm’s network, a possibility since the managed services provider typically runs software agents on its clients’ workstations to allow patching and updates.
Even though the attackers were likely in Cognizant’s system for days, if not weeks, they apparently were not able to capitalize on their access, says Yaron Levi, chief information security officer for Blue Cross Blue Shield of Kansas City.
“When a company like that gets hit, and they have so many clients, and they work on the client side and on clients’ systems, the question is whether we had been hit,” he says. “We had to respond to the issue, and we had to distance our systems from them.”
The incident, which cost Cognizant $50 million to $70 million and presaged the current supply-chain crisis involving network-management firm SolarWinds, is one of many that made 2020 a chaotic year, especially for security operation teams tasked with protecting corporate data and employees’ systems.


Figure 1. The Importance of SOC Activities (percentage of respondents, FY2019 / FY2020)
Minimization of false positives: 84% / 88%
Agile DevOps: 73% / 85%
Threat intelligence reporting: 83% / 83%
Use of technologies such as automation and machine learning: 72% / 80%
Monitoring and analyzing alerts: 77% / 79%
Intrusion detection: 77% / 79%
Cyber forensics: 69% / 75%
Threat hunting: 71% / 73%

Last March, the coronavirus pandemic forced companies to send workers home, leaving IT professionals to adapt to a mostly remote workforce. Security operations centers (SOCs) had to not only secure remote workers but deal with their own virtual operations. At the same time, attackers continued to become more stealthy and — because of the availability of cybercrime services — the average campaign became more sophisticated, using evasion techniques to avoid detection and transitioning to the tactical use of third parties and supply chains as a vector of attack.
No wonder, then, that the complexity in managing today’s security operations centers has spiked. In its Second Annual Study on the Economics of Security Operations Centers, the Ponemon Institute found that 81% of companies considered managing a SOC to be highly complex. Moreover, that complexity is leading to workforce problems in the SOC: mainly, increasing workload, always being on call, and information overload.
Between the proliferation of security tools, threats, and alerts, the security team is getting overwhelmed — especially as they try to adapt in-person processes to remote work, says Eric Parizo, senior analyst for security at Omdia, a business intelligence firm.
“When combining these and other challenges, CISOs and SOC managers are no doubt struggling to determine how to keep efficiency metrics high without adding new cost, new complexity, or simply burning out staff even more quickly by creating more hoops to jump through,” he says.
Creating a next-generation security operations center (SOC) requires looking at the forces that are driving businesses, the technology that needs to be secured, and the impact of current threats.
As we move into 2021, the future of security operations is becoming clearer: Virtual, cloud-based, automated, collaborative, and proactive threat and vulnerability hunting.


In addition, security professionals should be treated as valued resources, have the desire to learn, and be given the opportunity to advance their careers.

Forces of Change
The major attack trends of 2020 included the rise of ransomware as the dominant financial crime — accounting for 81% of all financial-focused attacks, according to CrowdStrike; the massive nation-state attack that used third-party software provider SolarWinds as a vector for compromise; and the continued focus of attackers on using credentials for compromise.
While these attack trends were significant — the massive SolarWinds attacks allowed nation-state attackers, purportedly Russia, to infect thousands of systems and compromised dozens, and perhaps hundreds, of government agencies and private companies — they were not surprising, says Blue KC’s Levi.
“The reasons for the compromises are still the same old stuff,” he says. “It is not like it is something that is sophisticated, or crazy, or new. Compromised credentials, exposed ports, unpatched systems — it is kind of the same things we’ve been seeing.”
Instead, changes that have impacted businesses have caused greater disruption for those organizations’ security operation centers.
The primary force for change: The pandemic, which accelerated the move to remote work.
Because security teams have had to deal with a distributed workforce, they have not had adequate visibility into network traffic and threats, while security controls also have suffered. In addition, many SOC analysts and security team members are working remotely as well, revealing weaknesses in the knowledge management processes in many SOCs as information is not always passed along as efficiently as it is with in-person conversations, says Michael Hamilton, founder and chief information security officer at CI Security, a provider of managed security services.


Figure 2. What Makes Working in the SOC Painful? (percentage of respondents, FY2019 / FY2020; more than one response is permitted)
Increasing workload causes burnout: 75% / 80%
Being on call 24/7/365: 69% / 73%
Information overload: 65% / 71%
Too many alerts to chase: 65% / 64%
Lack of visibility into the network and IT infrastructure: 68% / 63%
Inability to recruit and retain expert personnel: 64% / 61%
Inability to capture actionable intelligence: 53% / 61%
Complexity and chaos in the SOC: 54% / 60%
Inability to prioritize threats: 58% / 55%
Losing to adversaries: 49% / 51%
Inability to effectively collaborate with IT teams to manage threats and risks: 44% / 49%
Lack of resources: 52% / 49%
Other: 1% / 0%

“Monitoring their environments was previously predicated on buildings full of people behind a variety of preventive controls,” he says. “But that rapidly changed to home networks with unknown controls that access corporate and government networks using a variety of methods – some demonstrably insecure.”
More than a third of SOCs have changed to remote work, and more than half of security analysts and incident responders have experienced a decline in performance, according to the Ponemon’s Study on the Economics of Security Operations Centers.
Even before the pandemic, however, business changes were already impacting SOCs. Digital transformation initiatives — key among them, moving to agile DevOps-style development and operations — had already forced security teams to contend with the speed of innovation.
In terms of SOC priorities, agile DevOps gained the most momentum in 2020, gaining 12 percentage points, to become second place in the list of SOC priorities, right after the minimization of false positives, according to Ponemon’s report. Using automation and machine learning — another SOC focus — gained the second most momentum, rising 8 percentage points.
The key is to use the automation and development-to-production focus of DevOps to create a self-checking system


of deploying devices and applications that result in cleaner environments, says CI Security’s Hamilton.
“If customers are more secure, the SOC has fewer events to investigate,” he says.
Another trend that has resulted in greater complexity for security operations centers is the proliferation of connected devices and operational technology (OT) whose security now has to be managed. Security analysts have to figure out how to integrate products outside their expertise into the security portfolio. Often, such steps result in the adoption of technology that — such as Internet-of-Things and OT asset discovery products — is completely new.
One other trend has stymied SOCs as well: Keeping the security team fully staffed.
While salaries grew significantly in 2020 — with the average salary for a Tier 1 analyst growing from $102,000 to $111,000 in the past year — on average, three analysts are expected to resign or be fired in the next year, while only five will be hired, according to Ponemon’s report. The average analyst only remains at their job for a little over two years, the survey found. Without companies retaining knowledgeable and skilled workers, security will continue to be elusive for businesses.
All of these issues — while disruptive — will likely leave companies better prepared for the future, says Roselle Safran, founder and CEO of KeyCaliber and former leader of cybersecurity operations for the Executive Office of the President during the Obama administration.
“The upside of both of these problems is that organizations have been forced to solve them [in 2020] when they could have put them off in the past, and dealing with these problems will improve SOC operations,” Safran says.

Evolving the SOC
Companies are taking steps to address all these concerns because security operations centers and capabilities have become a very important part of many organizations’ goal to establish a strong security posture, says Larry Ponemon, founder and principal analyst at the Ponemon Institute.
“A lot of companies are developing SOCs, making major modifications to their technology mix, or hiring people who are specialists,” he says. “We noticed this around the last two or three years, but in the last year, things have really changed, in part because of the pandemic.”
The result will be a security operations “center” less focused on a physical space and more on the capability, says KeyCaliber’s Safran.
“Security operations entails so much more than just triaging and responding to alerts these days,” she says. “Creating separate, non-SOC units for the various functions that


need to work in concert with detection and response — such as vulnerability management, threat intelligence, et cetera — just leads to silos and inefficiencies.”
A key characteristic of the next-generation SOC is a focus on the endpoint.
Because of the expanding remote workforce, security operations will focus on the endpoint and less on the firewall. Even with employees working from home, endpoint detection and response (EDR) — or extended detection and response (XDR), as some call the technology — should be consistently deployed, says Ed Hunter, chief information security officer of InfoBlox, an automation and security company.
“If you have the right tools on the endpoint, you can have as good visibility as you had on premise,” he says. “You have to look at where you are getting your data and where you are getting your alerts over time. If you have a next-generation firewall, and you put all your eggs in that basket, you are blind.”
Part of this focus is moving to a zero-trust concept for security, attesting to the security of each transaction between a user, device, business data, and corporate infrastructure. More than 70% of organizations are considering a move to a zero-trust model for security, according to one report.
Because remote work has not just impacted the devices that the security team needs to protect but also


the infrastructure that is used to protect them, two other characteristics are needed in the next-generation SOC: It should be cloud-enabled — or better yet, cloud-native — and use mature communication and collaboration platforms.
With more than half of cloud workloads and data expected to be in the public cloud in 2021, security operations need to adopt the same infrastructure. Yet, securing business infrastructure in the cloud is the most consistent challenge for companies, with 83% of firms having trouble securing their workloads in the cloud, according to Flexera’s State of the Cloud 2020 report.
Security operations needs to be cloud aware and cloud native, says Omdia’s Parizo.
“There simply is no longer tolerance for SOC technology that isn’t cloud-enabled,” he says. “Organizations need to have consistent performance and functionality from the SOC tools they use, especially their high-dollar commercial solutions, and to ensure that in a distributed environment, solutions must be delivered from the cloud.”
In addition to working in the cloud, security operations needs strong knowledge-management and collaboration capabilities to offset the isolation caused by remote work.
Automation is essential to reduce work and connect the security events that might otherwise escape notice.
Yet, with the broad proliferation of automated technologies comes concerns that unsupervised automation taking major response actions could cause problems. This means that businesses need human oversight for their SOC systems.
“I believe there is going to be more and more usage of that technology to drive better outcomes,” says Levi. “I think [that approach] is over-marketed right now. We have to figure it out first, and then we can automate a bunch of things—weird connections and things that people can think of.”
High performing security operation centers (SOCs) are able to limit the impact of security operations on their workers. Only 42% of respondents who categorized their SOC as high performing had analysts burning out because of the high pressure environment, compared to 75% for all respondents. In addition, only a quarter of high-performing respondents considered the SOC’s return on investment to be getting worse, compared to more than half overall.

Getting to Next-Gen Security Operations
While not every business will have a physical security operation center, every organization should be consolidating and improving their security operations in 2021 to reduce cost and improve effectiveness, says KeyCaliber’s Safran.


“Not every organization needs an internal SOC, but every organization needs to have SOC functionality,” she says. “For small organizations it usually makes sense to outsource the capability to a reputable managed security-service provider because they don’t have the resources to build a program internally.”
Experienced security analysts are key. Basic Tier 1 functionality should be automated, but companies should have the staff to focus on higher level operations, such as threat hunting, vulnerability management, threat modeling, and identity and access management, she says.
Security teams should resolve to include business decision-makers more often in deliberations. Companies have generally not managed cyber risk very well: Take supply-chain risks. Business leaders are usually the ones that determine who a company does business with, but security operations should have input as well. The solution lies not with business executives or security professionals but with the two groups working together, says Blue KC’s Levi.
“As an industry we have failed miserably to manage risk properly,” he says. “We focus too much on compliance of third parties, but what do we do when we contract a third party? We send them a questionnaire; but as a control, security questionnaires are completely ineffective.”
The security team needs to understand the business incentives, understand the exposure, and educate the business based on those risk decisions, he says.
The business discussion is important because more than half of companies see the return on investment (ROI) of their security operations centers growing worse. Yet, among high-performing security teams, only a quarter of companies believe the ROI is getting worse, according to Ponemon’s study.
From a technology standpoint, a zero trust approach will likely be necessary, not just in the face of the epidemic, but to better monitor and protect the endpoints.
“We are focusing on zero-trust monitoring and rapid quarantine – using the assumption that the new distributed workforce isn’t going back to commuting when they get a vaccine,” says CI Security’s Hamilton.
In 2020, the average organization surveyed by the Ponemon Institute spent $183,000 on security information and event management (SIEM) systems, $345,000 for security


orchestration, automation, and response (SOAR) platforms, $285,000 for managed detection and response (MDR), and $333,000 for extended detection and response (XDR), according to the Ponemon findings.
Yet, simplification is important as well. Making all those tools work together and work well takes time and money, according to the Ponemon Institute. The average expenditure on security engineering is $2.7 million, which includes merging and integrating security data for use by the various tools, creating rules to detect threats, automating security processes, and hunting for threats. Despite all that, only 23% of security professionals rated their efforts as effective.
Finding tools that already work well together is important, says InfoBlox’s Hunter.
“We have so many different tools, everyone ends up being a portfolio manager,” he says. “That is the bane of security people’s existence. Basically, whenever there is a new threat, the answer is ‘here is a new tool.’”
One critical factor will stymie the evolution of any SOC: Security workers with the right knowledge. About a third of companies plan to increase their security team by at least six analysts, according to Ponemon’s report.
“There are plenty of candidates who are trying to break into the field but are not being given the chance because they don’t have prior experience,” KeyCaliber’s Safran says. “Considering how much needs to be learned on the job for any SOC hire, there’s no reason why some of the open positions can’t be filled by rookies with strong potential.”
The best approach is not just to train security professionals but to work on retaining the ones that you have, says Omdia’s Parizo.
“The best SOC staff-retention programs feature common themes,” he says. “Such as competitive salary and benefits, reasonable goals and expectations, opportunities to conduct a variety of tasks, ongoing skills and career development opportunities like paid trainings and conference attendance, and real chances to make an impact and influence cybersecurity strategy decisions.”
The next-generation SOC will also feature better collaboration environments to replace the valuable interaction and information exposure that an analyst would otherwise have when working in a physical security operations center. For some security professionals, the potential loss of that interaction is the worst aspect of going remote.
Having security analysts in the same room allows easy access to expertise and frictionless learning, says Chris Triolo, vice president of customer success at Respond Software, a security incident response firm.
“You want to put analysts in the same room together,” he


says. “You want to layer junior and senior people together. They can do on the job training. They do the whiteboard. They will discuss whatever is currently significant.”
Finally, SOC analysts need to not only remain up-to-date on attack techniques but also their company’s weaknesses. Red teams and penetration testers frequently test the defenses at Blue KC to make sure that a security weakness has not inadvertently been opened in the company’s defenses, says CISO Levi.
“We don’t just sit and wait to see who is attacking us — we are attacking ourselves,” he says. “We have a set of defenses in place that we have invested in — EDR, anti-malware, others — but how do we know they are working? So we are attacking ourselves and we are continuously looking at where could we be compromised, where there are the gaps.”
If the COVID-19 pandemic had occurred a decade ago, the technology and security maturity would not have been ready to make the transition to the type of security operations now possible with advancements such as cloud, automation, and proactive threat and vulnerability hunting, for example. Today, however, those changes are here to stay, says InfoBlox’s Hunter.
“Our SOC used to be a physical SOC where everyone sits in one area, and that is the way we did things,” he says. “If this had happened 10 years ago, the rush back to the office would have been quicker. Now that we have proven that they can work remotely and effectively, there is no going back.”

About the Author: Rob Lemos is a veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.
ready to make the transition to the type of security op-

COMMENTARY

Security as Code: How Repeatable Policy-Driven Deployment Improves Security
The SaC approach lets users codify and enforce a secure state of application
configuration deployment that limits risk.
By Dan Hubbard

The adoption of infrastructure as code (IaC) practices to help automate and accelerate IT operations has really taken hold in recent years — even more so during the pandemic.
With IaC, organizations are moving away from a model where humans are required to make manual changes in order to configure and deploy application infrastructure, both on-premises and, more often than not, in the cloud. IaC offers the promise of automation and repeatable, predictable patterns for software infrastructure deployment. There are multiple popular models and services used today for enabling an IaC approach, including Terraform, Chef, Puppet, Ansible, SaltStack, and AWS CloudFormation.
While the approach has many benefits, traditional security approaches typically slow down the software development life cycle and can evaporate the benefits of using IaC. That’s why there is a real need for organizations to take a “security as code” (SaC) approach to fully recognize the benefits of automation that composable, repeatable, and fully auditable infrastructure can provide.

IaC Requires A New Security Approach
Simply put, securing automation code is critical because in many cases it literally runs our businesses. IaC systems are automatically deploying resources and applications. A vulnerability or a misconfiguration in an IaC workflow could have a cascading impact across multiple workloads and deployments that could enable a potential attacker to cause a lot of damage. IaC is very powerful, so when mistakes happen, they happen fast, and exponentially.
One of the challenges with securing automated workflows is there can often be multiple paths into a system or service for executing an action. There could also well be multiple people


from different parts of the organization that have access to the various entry points for IaC.
Adding further complexity is that some organizations might not be effectively communicat-
ing about objectives and required changes across a distributed organization.

Core Security Principles


A primary foundation for securing infrastructure created and managed by IaC templates is
first establishing a source of truth for configuration. There needs to be a codified version
of configuration, usually in a Git software repository, that defines the desired state of con-
figuration. It’s an approach that some refer to as GitOps, which helps to enable IaC. With a
defined source of truth, it’s time to implement access, audit, and review processes.
• Access control. With a defined source of truth for configuration, secure controls
can and should be applied. There needs to be access control that strictly defines
who can access and make changes to the configuration code.
• Auditing and compliance. Controlling access is only the first part of securing IaC. All
changes need to be audited and monitored for compliance with corporate policy and
regulatory compliance frameworks.
• Review. Even with auditing and access controls, changes that might not be ideal can
still slip through the cracks. That’s why it’s imperative to also actively have a change
management and review process to further validate the state of IaC configuration and
any changes.

Define a Single, Secure Path to Production


To fully secure IaC, there also must be a well-defined single path to production, so that
all stakeholders in the organization, including developers, operations, and security are
involved.


Defining the path to production is often about breaking down silos within the company and focusing on cross-team collaboration. More often than not in the past, developers have viewed security as a blocker and not as an enabler. The security-as-code approach can help to change that mindset by working with developers in a language they understand: code.
A key concept that we have seen work well is the use of guardrails, rather than gates, as part of the SaC process. Rather than implementing a gate, where code cannot pass through unless it is approved by security, a guardrail keeps code within certain defined boundaries, that limits risk.
Guardrails can help developers and organizations to focus on speed, in a way without sacrificing security.

Security as Code in Practice
How does it actually work to improve security? The reality is that with continuous visibility you can ensure correctness, alert and then correct any divergence in a repeatable, auditable, secured approach.
Here’s just one example where this approach can help. The issue of unsecured cloud storage buckets, often on Amazon S3, is one that is well documented and has been reported on extensively at Dark Reading and other places. The SaC model can help to effectively eliminate that risk.
By running continuous compliance assessments of cloud environments, an organization can be alerted whenever an S3 bucket has been inadvertently provisioned with public read or write access. An administrator can then go to the Git repository where the configuration code for the IaC service is defined and make the required change to eliminate the risk. After the change has been committed, it can get through the approval process, and once accepted, the IaC pipeline can execute the code to remediate the issue across all deployments. The entire process is logged and auditable as well.
Mistakes happen, and vulnerabilities seem to come from new places all the time. But with the SaC approach, it is possible to codify and enforce a secure state of application configuration deployment that limits risk.

About the Author: Dan Hubbard is CEO at Lacework, driving innovation and expanding the company’s security strategy for public and private clouds. A pioneering force in Internet security, Dan’s expertise spans from reputation and advanced classification systems to large-scale security data mining, and cloud security. Prior to Lacework, Dan was CTO at OpenDNS, helped deliver the world’s largest cloud security network that led to the $600M acquisition by Cisco.
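The review step from the Core Security Principles section and the S3 public-bucket scenario above come together in a policy-as-code check that runs against the IaC change before it is applied. The following is an added example written for this page, not code from the article, from Lacework, or from any IaC vendor. It reads the JSON that `terraform show -json <planfile>` emits (the planned_values.root_module.resources list with type, address and values fields, which is Terraform’s real plan format) and flags aws_s3_bucket resources that carry a public canned ACL or lack a fully enabled aws_s3_bucket_public_access_block. The sample plan embedded in the block is constructed for the example; the bucket names in it are placeholders.

```python
"""Policy-as-code check for S3 bucket exposure in a Terraform plan (added example).

Input: the JSON document produced by `terraform show -json <planfile>`.
Output: a list of findings the review step can attach to the change, plus the
compliant public-access block a fix commit should contain.
"""
import json

# Canned ACLs that grant read or write access to everyone.
PUBLIC_ACLS = {"public-read", "public-read-write"}

# All four flags of aws_s3_bucket_public_access_block must be true to pass.
BLOCK_FLAGS = (
    "block_public_acls",
    "ignore_public_acls",
    "block_public_policy",
    "restrict_public_buckets",
)


def planned_resources(plan_json):
    """Extract the flat list of planned resources from a Terraform plan document."""
    plan = json.loads(plan_json)
    return plan.get("planned_values", {}).get("root_module", {}).get("resources", [])


def evaluate(resources):
    """Return (address, rule, message) findings; an empty list means the plan passes."""
    findings = []
    # Index public-access blocks by the bucket they protect.
    blocks = {
        r["values"].get("bucket"): r["values"]
        for r in resources
        if r["type"] == "aws_s3_bucket_public_access_block"
    }
    for r in resources:
        if r["type"] != "aws_s3_bucket":
            continue
        bucket = r["values"].get("bucket")
        acl = r["values"].get("acl") or "private"  # provider default is private
        if acl in PUBLIC_ACLS:
            findings.append((r["address"], "S3_PUBLIC_ACL",
                             f"bucket {bucket} is provisioned with acl={acl}"))
        block = blocks.get(bucket)
        if block is None:
            findings.append((r["address"], "S3_NO_PUBLIC_ACCESS_BLOCK",
                             f"bucket {bucket} has no aws_s3_bucket_public_access_block"))
            continue
        for flag in BLOCK_FLAGS:
            if block.get(flag) is not True:
                findings.append((r["address"], "S3_PUBLIC_ACCESS_BLOCK_OPEN",
                                 f"bucket {bucket}: {flag} is not true"))
    return findings


def remediation(bucket):
    """The compliant public-access block attributes a fix commit should set for a bucket."""
    return {"bucket": bucket, **{flag: True for flag in BLOCK_FLAGS}}


# Constructed sample plan: one public bucket with no block, one compliant bucket,
# and one private bucket whose block leaves public bucket policies allowed.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    {"type": "aws_s3_bucket", "address": "aws_s3_bucket.assets",
     "values": {"bucket": "example-assets", "acl": "public-read"}},
    {"type": "aws_s3_bucket", "address": "aws_s3_bucket.logs",
     "values": {"bucket": "example-logs", "acl": "private"}},
    {"type": "aws_s3_bucket_public_access_block",
     "address": "aws_s3_bucket_public_access_block.logs",
     "values": {"bucket": "example-logs", "block_public_acls": True, "ignore_public_acls": True,
                "block_public_policy": True, "restrict_public_buckets": True}},
    {"type": "aws_s3_bucket", "address": "aws_s3_bucket.reports",
     "values": {"bucket": "example-reports", "acl": "private"}},
    {"type": "aws_s3_bucket_public_access_block",
     "address": "aws_s3_bucket_public_access_block.reports",
     "values": {"bucket": "example-reports", "block_public_acls": True, "ignore_public_acls": True,
                "block_public_policy": False, "restrict_public_buckets": True}},
]}}})


def check_sample():
    """Run the check over the constructed plan (three findings expected)."""
    return evaluate(planned_resources(SAMPLE_PLAN))


if __name__ == "__main__":
    results = check_sample()
    for address, rule, message in results:
        print(f"{rule}: {address}: {message}")
    # Non-zero exit lets the pipeline surface the findings on the change.
    raise SystemExit(1 if results else 0)
```

Run against a real plan with `terraform show -json tfplan > plan.json` and feed the file contents to `planned_resources`. Because the check is evaluated on the planned state rather than on the live account, the divergence is caught in review, before the pipeline applies it, and the same check can be run on the refreshed plan after the fix commit to confirm the finding has cleared.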

COMMENTARY

10 Benefits of Running
Cybersecurity Exercises
There may be no better way to ascertain your organization’s strengths
and weaknesses than by running regular security drills.
By Steve Durbin

Keeping information secure is a difficult task, even if you have bountiful resources.
With companies like Nintendo, Twitter, Marriott, and Zoom all suffering high-profile
data breaches recently, it’s clear that no one is safe from cybercriminals. While most
organizations understand the need to build defenses and develop policies to reduce the
risk and potential impact of a successful cyber attack, many fail to rigorously test those
defenses.
Cybersecurity exercises are useful simulations of specific cyber attack scenarios that
enable organizations to gain valuable insights into their real-world response. From basic,
small-scale, brief tests to complex, wide-scale, sustained attacks, cybersecurity exercises
can provide verification that your defensive strategy is effective or highlight weaknesses that
require immediate attention.
Despite their importance, 74% of respondents to the ISF Benchmark stated that they do not subject
critical systems under development to cyber attack simulations or exercises. This may be because cyberse-
curity exercises are perceived as time-consuming, expensive to run, and potentially disruptive. If planned prop-
erly, there’s no reason that should be the case. Cybersecurity exercises can deliver some truly compelling benefits.
Consider these 10 examples of how.


Identify Your Strengths
There’s a lot of focus on uncovering weaknesses and problems during cybersecurity exercises, but there’s also major value in identifying what’s working well for your organization. Robust strategies can be emulated elsewhere, smart policies can serve as templates, and effective employees can help to train others.

Improve Your Response
Perhaps the most obvious benefit of running a cybersecurity exercise is that it gives you an opportunity to improve your response to future attacks. An exercise may back up the theory behind your defensive strategy with evidence, or it might point to the need for a fresh approach. Either way, it will drive you to improve.

Collect Metrics
Setting expectations for how swiftly different aspects of an attack should be handled and how effective defensive actions should be is vital in defining your strategy. But you can only prove that they are being met when an attack occurs, or by employing a security exercise. This data should inform future strategy and guide your approach.

Train People
There’s no substitute for hands-on experience. Cybersecurity exercises provide employees with practical experience of dealing with an attack, they boost awareness of the possibilities, and they can teach people all about the right way to respond. Learning is always more effective with a practical component.

Define Costs and Timescales
In preparing for attacks, many assumptions and estimates are made about what resources are required to handle different scenarios and how long it will take to resume normal operations after an attack. Cybersecurity exercises paint a clearer picture of the costs and timescales involved, giving you hard data to help you build greater resilience, or use for any financial justification that might be required.

Determine External Needs
It’s unrealistic, even for many major organizations, to maintain a team capable of handling any attack scenario without external assistance. Which attack scenarios require external help? How quickly can external expertise be secured? How much will it cost? Running security exercises can help to answer these questions.

Identify Your Weaknesses
Whether there are technical vulnerabilities lurking on your network or weaknesses in security controls, cybersecurity exercises can expose them. They may also reveal the need for better training or new talent. Identifying specific weaknesses enables you to craft remediation plans and act immediately to improve.


Update Your Policies
If your current policies, standards, and guidelines aren’t effective then it’s time to revisit them. Effective incident response policies will drastically reduce the potential damage and disruption a cyber-attack can wreak. Regular policy revision is important and security exercises can provide useful evidence to guide that revision.

Find Non-Compliance Risks
The potential cost of breaching legal, regulatory, or contractual requirements is enormous, even if that breach is unwitting. Exposing compliance issues can prove difficult, but that does not mean they don’t exist. Cybersecurity exercises can help to uncover areas of non-compliance, giving you an opportunity to fix them and avoid unnecessary legal – and financial – exposure.

Increase Threat Awareness
From entry-level employees to the board of directors, lack of awareness about the nature of cyber-attacks and the scale of the threats they pose can be catastrophic. Failure to recognize the risk and react accordingly always exacerbates the problem, making a bad situation much worse.

Practice makes perfect. It’s common sense to accept that rehearsals serve an important function in readying people for the actual event. Cyber attacks are inevitable, but it’s how you respond that will dictate the impact on your business. Not only do cybersecurity exercises help to build awareness and understanding across your organization, they test your defenses, identify strengths to build on and weaknesses to mitigate, and offer invaluable practical experience.

About the Author: Steve Durbin is CEO of the Information Security Forum, an independent, not-for-profit dedicated to investigating, clarifying and resolving key issues in information security and risk management. He is a frequent speaker on the Board’s role in cybersecurity and technology.

COMMENTARY

Can’t Afford a Full-time CISO? Try the Virtual Version
A vCISO can align a company’s information security program to
business strategy and budgeting guidance to senior management.
By John Roman

Ensuring the confidentiality, availability, and integrity of a company’s, their users’, and their customers’ information must be top priority for organizations, but it’s easier said than done. Data security breaches and cyberattack threats are occurring more frequently – according to a recent Information Systems Security Association and Enterprise Strategy Group survey, 63% of cybersecurity professionals have seen an increase in cyber-attacks related to the pandemic – which means businesses today need to take additional steps to remain secure.

An organization’s in-house chief information security officer (CISO) is critically responsible for establishing and maintaining the enterprise information security vision, strategy, and program to ensure information assets and technologies are adequately protected. However, the reality is, some companies (particularly small- to mid-sized businesses and nonprofits) do not have a need for a full-time CISO or the financial resources to add another member to the C-suite, not to mention their 6-figure salary. For those organizations, there’s another option: a virtual CISO (vCISO).

For a fraction of the salary of a full-time CISO, companies can hire a vCISO, which is an outsourced security practitioner with executive level experience, who, acting as a consultant, offers their time and insight to an organization on an ongoing (typically part-time) basis with the same skillset and expertise of a conventional CISO. Hiring a vCISO on a part-time (or short-term) basis allows a company the flexibility to outsource impending IT projects as needed.

A vCISO will work closely with senior management to establish a well communicated information security strategy and roadmap, one that meets the requirements of the organization and its customers, but also state


and federal requirements. Most importantly, a vCISO can provide companies unbiased strategic and operational leadership on security policies, guidelines, controls, and standards, as well as regulatory compliance, risk management, vendor risk management, and more.

Since vCISOs are already experts, it saves the organization time and money by decreasing ramp-up time. Businesses are able to eliminate the cost of benefits and full-time employee onboarding requirements. Also, if another employee had been handling the responsibilities of a CISO, a vCISO frees up some of their workload, enabling them to take on other priority tasks.

As an example, I am currently the vCISO for four companies ranging in size from 40 employees up to 15,000. My typical responsibilities include ensuring compliance with state cybersecurity guidelines such as New York’s SHIELD Act or Massachusetts’s Cybersecurity Regulation – both of these regulations require companies to have a CISO. As a vCISO, I prepare annual information security budgets, identify key security initiatives for the coming year, perform annual risk assessments, work with technology vendors on behalf of my clients, and provide advisory services to senior management on the latest information security threats. In any given month, I spend 4-20 hours per client.

Many in-house IT departments are multi-faceted and may not have the time or resources to properly manage all IT functions, especially as they relate to information security. A vCISO can align a company’s information security program to a business’s overarching strategy to provide predictive budgeting to senior management.

For organizations that already have a CISO, a vCISO is particularly useful as a trusted information security advisor to the present CISO. If you’re a growing organization, or between CISOs, then a vCISO will help avoid rushing the long process of hiring the right full-time CISO.

There are also disadvantages to hiring a vCISO. One is that the vCISO most likely will need time to understand the culture and business operations of a company. Second, depending on the contractual arrangements made, a company can have unrealistic expectations that they are getting a full-time person for the cost of someone who works less than 20% of the time. The truth is, vCISOs most likely have other clients who they are involved with, so unless a company is hiring a vCISO full time, his or her time may be split between multiple companies.

Finally, those who market themselves as vCISOs may lack the current knowledge of the industry. While these vCISOs may have 30-40 years of technical experience, they may lack managerial security experience. They may also have been out of the industry for several years due to retirement


or downsizing and have not kept up with security industry trends, rules, regulations, and models. Therefore, care must be taken to properly vet a vCISO’s experience.

Information security is complex and ever-changing. New vulnerabilities and threats are identified daily. Keeping up with threats, risks, and vulnerabilities is often a full-time job in larger organizations. Developing a strategic information security plan and program is a difficult task, and not everyone has the skills or the time to do it effectively. The right vCISO can provide a business with quality executive level information security expertise by collaborating with executive management to make smart decisions on various security, privacy, and compliance requirements and issues.

A seasoned vCISO will have had the advantage of seeing hundreds of companies struggling with many of the same challenges, and knows which policies, procedures, and technologies are best for solving specific problems. Overall, the main objective of a vCISO is to act as a bridge to the business and its technology team by providing a long-term framework that can be continuously modified as information security goals and threats evolve.

About the Author: John Roman is President and COO of The Bonadio Group’s
Information Risk Management and Cybersecurity Division, FoxPointe Solu-
tions. In his role at FoxPointe, he is responsible for all aspects of the oper-
ations of a national cybersecurity consultancy.

SPONSORED CONTENT

INFOBLOX PERSPECTIVES

Building the SOC of the Future: Next-Gen Security Operations
By Bob Hansmann

In only three decades, cybersecurity has grown from firewall and desktop antivirus products to a complex array of tools and services. To manage it all, the SOC was created and continues to evolve with some impactful changes on the horizon in the areas of visibility, cyber threat intelligence (CTI), and automation.

Mining the Gold Beneath Your Feet
There is a story of a farmer who sold his farm to search for gold, while the buyer of that farm noticed things that led them to discover gold under the farm. Similarly, security teams are finding that core network services provide a rich source of metadata that can improve detection of increasingly evasive threat activity and provide valuable context to speed more confident incident response (IR).

Everything, including malicious activity, interacts with these services and leaves a trail. The SOC of the future needs greater visibility into network data like DDI (DNS, DHCP, and IPAM), Active Directory, and other resources to help detection and IR capabilities keep pace with increasingly evasive threats. This need persists even as the shift to cloud continues.

Maximizing the Value of CTI
Many large enterprises have used a multi-vendor approach to security for decades, believing that no single vendor could always be first to detect an emerging threat. A dozen universities across Europe and North America validated this approach recently through separate CTI comparison studies that highlighted that there was a minimal amount of overlap between threat feeds.

Beyond detection support, CTI helps professionals understand an attacker’s motives and thought processes and can be broken down into strategic, tactical, and operational categories. As


the threat landscape continually evolves, SOC teams need to choose and continuously monitor a blend of open source, paid for, vendor-provided, and even internally generated CTI data. The SOC of the future will require vital CTI programs that include exchanging pertinent threat intelligence with other organizations.

Using Smart People Wisely
In an industry already suffering from information overload, the SOC of the future will need to embrace automation to take full advantage of this additional visibility and threat data and to free skilled personnel to focus on those tasks that require their experience.

Overall threat defense will improve as CTI data is automatically collected, normalized, and distributed across the entire defensive security stack, including remote worker protections. In times of crisis, this process can be used to quickly deploy critical IoCs across multiple solutions after entering them into one system. These capabilities are available in threat intelligence platforms (TIPs) offered as standalone solutions or as part of a broader security platform.

But a 2020 SANS survey found that forensic platforms were among the least automated, particularly in gathering and moving data between systems. SOC teams need to tackle this deficiency with tools that automatically gather and filter network and other metadata to present analysts with only the data they need at the start of their investigation. Security leaders have reported that automating these essential functions can help reduce average investigation times by half or more.

Get Security Tools Talking
Vendors are introducing more significant support for APIs and technologies like STIX/TAXII to better coordinate and automate critical functions with other security tools, even from different vendors. Today, a potentially malicious DNS request can trigger an endpoint vulnerability scan or automate other common troubleshooting tasks before escalation. Or a well-understood alert could be automatically


routed to trained but less experienced personnel through a support ticket system. Capabilities such as these can free your hard-to-find, highly skilled analysts to focus on those things that only they can do and that they do best.
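The CTI fan-out from "Using Smart People Wisely" and the DNS-triggered automation from "Get Security Tools Talking", as one added example that is not Infoblox’s code: a constructed STIX 2.1 indicator bundle is parsed once, rendered for both a DNS RPZ and a firewall deny list, and matched against a constructed resolver log to queue an endpoint scan and route each alert by indicator confidence. The bundle contents, log format, `ticket_threshold` and tool names are assumptions.

```python
import json
import re
from typing import Dict, List

# Constructed STIX 2.1 bundle standing in for a TIP export; the ids, domains
# (.test TLD) and IP (TEST-NET-2 range) are placeholders, not real indicators.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000", "objects": [
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001", "spec_version": "2.1",
     "pattern_type": "stix", "pattern": "[domain-name:value = 'c2.invalid-example.test']",
     "confidence": 90, "valid_from": "2021-02-01T00:00:00Z"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002", "spec_version": "2.1",
     "pattern_type": "stix", "pattern": "[domain-name:value = 'dl.invalid-example.test']",
     "confidence": 35, "valid_from": "2021-02-01T00:00:00Z"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003", "spec_version": "2.1",
     "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.23']",
     "confidence": 70, "valid_from": "2021-02-01T00:00:00Z"},
    {"type": "identity", "id": "identity--00000000-0000-4000-8000-000000000004", "name": "feed-vendor"},
]})

# Single-comparison STIX patterns only; compound patterns are left to an analyst.
PATTERN_RE = re.compile(r"\[(domain-name|ipv4-addr):value\s*=\s*'([^']+)'\]")


def load_indicators(bundle_json: str) -> Dict[str, dict]:
    """Parse indicator objects into {observable value: {kind, confidence, id}}; other objects are skipped."""
    iocs = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.fullmatch(obj["pattern"])
        if m:
            iocs[m.group(2)] = {"kind": m.group(1), "confidence": obj.get("confidence", 0), "id": obj["id"]}
    return iocs


def fan_out(iocs: Dict[str, dict]) -> Dict[str, List[str]]:
    """Render the one entered IoC set in each consuming tool's format:
    RPZ NXDOMAIN records for the resolver, bare addresses for the firewall deny list."""
    return {
        "dns_rpz": [f"{v} CNAME ." for v, i in iocs.items() if i["kind"] == "domain-name"],
        "firewall_deny": [v for v, i in iocs.items() if i["kind"] == "ipv4-addr"],
    }


# Constructed resolver log, one query per line: "<timestamp> <client_ip> <qname>"
SAMPLE_DNS_LOG = """2021-02-10T10:01:02Z 10.0.5.17 www.example.org
2021-02-10T10:01:09Z 10.0.5.17 c2.invalid-example.test
2021-02-10T10:03:41Z 10.0.7.42 dl.invalid-example.test"""


def triage_dns_log(log_text: str, iocs: Dict[str, dict], ticket_threshold: int = 80) -> List[dict]:
    """Match queries against the IoC set. Every hit queues an endpoint scan of the querying
    host; well-understood high-confidence hits are routed to a tier-1 ticket, the rest to an analyst."""
    actions = []
    for line in log_text.splitlines():
        ts, client, qname = line.split()
        ioc = iocs.get(qname.rstrip("."))
        if ioc is None:
            continue
        route = "tier1_ticket" if ioc["confidence"] >= ticket_threshold else "analyst_escalation"
        actions.append({"time": ts, "client": client, "qname": qname, "indicator": ioc["id"],
                        "next_step": "endpoint_vuln_scan", "route": route})
    return actions


if __name__ == "__main__":
    loaded = load_indicators(SAMPLE_BUNDLE)
    print(fan_out(loaded))
    print(triage_dns_log(SAMPLE_DNS_LOG, loaded))
```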


The tools to provide these automation and integration capabilities will contin-
ue to range from scripts to Security Orchestration, Automation, and Response
(SOAR) solutions. More vendors will be part of ecosystem partnerships to
directly offer a greater range of “make-sense” automation features to reduce
the complexity of incorporating greater levels of automation.

Time Is the Enemy
The SOC of the future needs to detect breaches faster and accelerate IR to
stop increasingly evasive attacks and reduce dwell-time. It starts with ex-
panding visibility into core network services and leveraging a blend of CTI to
improve threat detection and provide context for faster IR decision making.
To improve operational efficiency while ingesting more data, and with an on-
going skill shortage, the SOC will need to embrace automation by demanding
tools with greater integration and automation capabilities.


Infoblox enables next-level network experiences with its Secure Cloud-Managed Network Services. As the pioneer in providing the world’s most reliable, secure, and automated networks, we are relentless in our pursuit of network simplicity. Infoblox has over 8,000 customers, including 350 of the Fortune 500, and is recognized as the industry leader in the DDI networking market.

About the Author: Bob Hansmann has over three decades of security
experience having worked in everything from engineering and threat
research to product management and marketing, including launching
a number of security industry firsts. Working with global enterprises
and government agencies to uplift their cyberthreat prevention, detec-
tion, investigation, and response capabilities has given Mr. Hansmann
a unique perspective on overcoming the challenges of balancing
security needs with an organization’s success requirements.

Learn more at infoblox.com
