It’s a tough, unforgiving threat environment out there. Organized, smart, and dedicated black hats are continuously scheming how they can penetrate your network, steal critical data, and shut your operations down until you deliver a ransom.

We hear about new victims every day.

And we know there are many more companies that settle quietly or suffer through a long, extended purge and restart, never making the news.

So how does a chief information security officer sleep at night?

We asked Dave Martin, vice president of managed detection and response for Open Systems, for his thoughts. (And, for the record, he does actually sleep quite well at night himself.) Martin shared five keys for CISOs who want to wake up in the morning well-rested and ready for a day’s work.

1. Monitor continuously

The key factor in a CISO’s fear of getting breached? The unknown, according to Martin. Plus, of course, a decades-long modus operandi in cybersecurity that has never really been effective, but is just now being fully exposed as a truly bad idea.

"That's been a set-it-and-forget-it type of mentality where we deploy a bunch of tech … and then we sort of hope it does its job. And that leads to the unknown … this idea that they're concerned about … the antidote to that of course is continuous monitoring."

The recent modernization of the threat actor economy means there can be many simultaneous sophisticated attackers focusing on your company and your security infrastructure at any given time. Only a continuous monitoring framework both protects against those threats and gives you the peace of mind that if you are attacked, you will know it quickly.

2. Know where you’re vulnerable

If you can’t see it, you can’t fix it. If you don’t know about it, you can’t maintain it. If there are black holes in your network, you won’t know what might come out of them. And sometimes it’s not just about what you don’t know, it’s misconfiguration of what is inside that black hole.

"A lot of organizations that I interface with struggle with accurate inventory, accurate state of devices, and applications that they've deployed. And in fact many attacks have been well-documented to occur not necessarily because of the failure in the security technology, but due to misconfiguration."

Most CISOs understand this, of course, but the challenge is making that knowledge actionable. Making it actionable means you can close off a huge number of attack vectors, and the best defense against an attack, of course, is never getting attacked in the first place.
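One way to make inventory knowledge actionable is to reconcile what you believe is deployed against what is actually observed on the network, then check each observed host against a configuration baseline and hand the gaps to an owner. The following script is an added illustration, not Open Systems code; the inventory, observations, baseline and host names are all constructed sample data.

```python
"""Reconcile a hypothetical asset inventory against what is actually observed on the
network and turn the gaps into an owner-assigned work queue.

This is an added illustration with constructed data; it is not Open Systems code.
"""
from dataclasses import dataclass, field

# Constructed CMDB-style inventory: what the organization *believes* is deployed.
INVENTORY = {
    "web-01": {"owner": "platform", "role": "web"},
    "db-01": {"owner": "data", "role": "database"},
    "vpn-gw": {"owner": "network", "role": "vpn"},
    "bastion-02": {"owner": "platform", "role": "jump host"},
}

# Constructed observations (as a scanner or DHCP/ARP export might produce): what is
# actually answering on the network, with a few configuration facts per host.
OBSERVED = {
    "web-01": {"tls_min_version": "1.2", "admin_port_open": False, "agent_installed": True},
    "db-01": {"tls_min_version": "1.0", "admin_port_open": True, "agent_installed": True},
    "vpn-gw": {"tls_min_version": "1.2", "admin_port_open": False, "agent_installed": False},
    "lab-box-7": {"tls_min_version": "1.0", "admin_port_open": True, "agent_installed": False},
}

# Hypothetical baseline every managed host is expected to match.
BASELINE = {"tls_min_version": "1.2", "admin_port_open": False, "agent_installed": True}


@dataclass
class Findings:
    unknown_hosts: list = field(default_factory=list)  # observed but not in inventory
    missing_hosts: list = field(default_factory=list)  # in inventory but not observed
    misconfigured: dict = field(default_factory=dict)  # host -> [(setting, expected, actual)]


def reconcile(inventory, observed, baseline):
    """Compare inventory with observation and check every observed host against the baseline."""
    f = Findings()
    f.unknown_hosts = sorted(set(observed) - set(inventory))
    f.missing_hosts = sorted(set(inventory) - set(observed))
    for host, facts in observed.items():
        drift = [(k, v, facts.get(k)) for k, v in baseline.items() if facts.get(k) != v]
        if drift:
            f.misconfigured[host] = drift
    return f


def work_queue(inventory, findings):
    """Turn findings into prioritized, owner-assigned action items."""
    items = []
    for host in findings.unknown_hosts:
        items.append({"host": host, "owner": None, "drift": len(findings.misconfigured.get(host, [])),
                      "action": "identify owner or remove from network"})
    for host in findings.missing_hosts:
        items.append({"host": host, "owner": inventory[host]["owner"], "drift": 0,
                      "action": "confirm decommissioned or locate"})
    for host, drift in findings.misconfigured.items():
        if host in inventory:  # unknown hosts are already queued above
            items.append({"host": host, "owner": inventory[host]["owner"], "drift": len(drift),
                          "action": "remediate: " + ", ".join(setting for setting, _, _ in drift)})
    # Unknown hosts first (nobody is accountable for them yet), then most drifted first.
    items.sort(key=lambda i: (i["owner"] is not None, -i["drift"], i["host"]))
    return items


if __name__ == "__main__":
    for item in work_queue(INVENTORY, reconcile(INVENTORY, OBSERVED, BASELINE)):
        print(f"{item['host']:<11} owner={item['owner'] or 'UNASSIGNED':<11} {item['action']}")
```

The ordering is the point: a host nobody owns is the black hole the section describes, so it goes to the top of the queue ahead of known hosts, which are then ranked by how far they have drifted from the baseline.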

3. Prepare the response before the breach

The longer a threat actor is inside your perimeter, the worse your problem will be. That’s true in units of minutes and hours, but given that the average time to detect and fix a breach is an astonishing 212 days, it’s also true of weeks and months.

"There's been many studies that have shown that time matters when it comes to a security incident: the longer a threat actor is in a network, the more damage that they will do. Identifying the threat vectors that attackers use and having a plan is by far the most important thing … you don't want to be figuring it out under the pressure of a security incident."

Having a plan means you know what to do the instant an attack is detected, as does your team. It also means that your organization and leadership know what’s going to happen – at least in broad strokes – so they can activate in aid of your efforts, or at least get out of the way.

4. Automate what you can

Time is money, and time is also risk. As we just mentioned, the longer any undesirable is inside your perimeter, the worse the potential impact. So automation is critical, especially because cybersecurity attacks are less and less often just one-off pokes and proddings.

"We're starting to see much more sophisticated attacks that are really campaigns: it's not about a hit and run, it's the actors attempting to establish a foothold and escalate privileges. We've had instances where the threat actor has pivoted based on our containment response … this is why time matters. And the more automation you can do, the better able you are to minimize the risk and contain the threat actor."

In most cases, automation is faster than any human can ever hope to be. Instant responses to defined threats can contain the damage and buy time for experts to intervene.
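What "instant responses to defined threats" looks like in practice is a playbook: a fixed mapping from detection categories to containment actions, with explicit rules for what is allowed to run without a human. The script below is an added illustration, not a product's code; the alert stream, the playbook, the critical-asset list and the two delay constants are constructed assumptions used to show how automated containment shortens dwell time while still escalating the cases that need judgement.

```python
"""Tiny automated-response playbook: defined detections trigger an immediate
containment action, while cases that need judgement are escalated to a human.

Added illustration with constructed alerts and a hypothetical playbook; not a
product's code. The delay constants are assumptions used to show the effect of
automation on dwell time, not measurements.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    kind: str           # detection category produced by the monitoring stack
    confidence: float   # detector confidence, 0..1


# Hypothetical list of business-critical systems taken from the asset inventory.
CRITICAL = {"db-01"}

# Playbook: detection kind -> (containment action, minimum confidence to act automatically)
PLAYBOOK = {
    "ransomware_precursor": ("isolate_host", 0.8),
    "credential_dumping": ("isolate_host_and_disable_account", 0.9),
    "port_scan": ("block_source_ip", 0.6),
}

# Actions disruptive enough that a human approves them when the target is critical.
DISRUPTIVE = {"isolate_host", "isolate_host_and_disable_account"}

AUTO_DELAY = timedelta(seconds=2)   # assumed orchestration latency for an automated action
HUMAN_DELAY = timedelta(hours=4)    # assumed time until an analyst picks up an escalation


def decide(alert):
    """Return (action, mode): mode is 'auto', 'escalate' or 'log_only'."""
    rule = PLAYBOOK.get(alert.kind)
    if rule is None:
        return ("none", "log_only")        # not a defined threat: record it, do not act
    action, min_conf = rule
    if alert.confidence < min_conf:
        return (action, "escalate")        # too uncertain to act without a human
    if alert.host in CRITICAL and action in DISRUPTIVE:
        return (action, "escalate")        # disruptive action on a critical system needs approval
    return (action, "auto")


def run_playbook(alerts):
    """Apply the playbook and record how long each threat would remain uncontained."""
    results = []
    for a in alerts:
        action, mode = decide(a)
        if mode == "auto":
            contained = a.ts + AUTO_DELAY
        elif mode == "escalate":
            contained = a.ts + HUMAN_DELAY
        else:
            contained = None
        results.append({"host": a.host, "kind": a.kind, "action": action, "mode": mode,
                        "dwell": (contained - a.ts) if contained else None})
    return results


# Constructed alert stream (timestamps are arbitrary sample values).
T0 = datetime(2023, 1, 1, 10, 0, 0)
ALERTS = [
    Alert(T0, "web-01", "ransomware_precursor", 0.95),
    Alert(T0 + timedelta(seconds=5), "db-01", "credential_dumping", 0.97),
    Alert(T0 + timedelta(minutes=1), "web-02", "port_scan", 0.40),
    Alert(T0 + timedelta(minutes=2), "db-01", "port_scan", 0.70),
    Alert(T0 + timedelta(minutes=3), "web-03", "unusual_dns_ttl", 0.50),
]

if __name__ == "__main__":
    for r in run_playbook(ALERTS):
        print(f"{r['host']:<7} {r['kind']:<22} {r['mode']:<9} {r['action']:<34} dwell={r['dwell']}")
```

The two escalation branches are the design choice worth noting: confidence thresholds and a critical-asset carve-out keep automation from isolating a production database on a weak signal, so the automated path handles the clear-cut cases in seconds and leaves the analyst's time for the ones that genuinely need it.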

5. Access expertise

Most companies work hard to build expertise in their domains. For most brands, that’s simply not cybersecurity, and yet they now need world-class digital defenses or risk being unable to serve clients, innovate products, or even deliver services.

That’s why accessing expertise matters.

"You have red teaming experts. You have vulnerability assessment experts, you have compliance experts in security and preventative control, and you have detection and response experts as well. You either have to hire and build that expertise in all of those areas, or you rely on experts who already have the expertise."

In other words: managed detection and response that doesn’t sleep and is always looking out for threats against your core business infrastructure.

Get our latest report

Enjoyed this post? Get our latest report on managed detection and response: The perfect storm: Why MDR is your only option in modern cybersecurity.

Covid, work from home, and bring-your-own-device have expanded our threat envelopes 1000X. Download this report to get insight on:

  • How fast real-world problems are growing
  • Why attack surface area is spiking
  • Why everything is now cloud (even on-prem)
  • Why tools aren’t the answer by themselves
  • How the most successful organizations are now protecting themselves