Jeff Brown | April 16, 2021
Studies have shown that time is critical when it comes to containing a security breach.
The longer a threat lives on a network, the more damage it does to an organization. Cybersecurity Ventures estimates that the per-minute global cost of cybercrime will exceed $11 million this year.
This means that once you realize you’re under attack (and in today’s world, you should always assume that you’re under attack), you need to contain the threat — and fast.
But containment is not as simple as just dropping a rule on a firewall. Often, especially in the case of an advanced threat, there’s a litany of things that you have to do. For example, sometimes you have to disable multiple user accounts or lock out and isolate a physical host.
That requires orchestrating containment across multiple IT systems. Security orchestration, automation and response (SOAR) can help you with that. SOAR enables you to plan out containment actions in advance and automate those actions so you can contain threats quickly.
A growing number of organizations are calling on cybersecurity experts that use SOAR to help them address growing cyberthreats. That way, these organizations can get out of the cybersecurity business, focus on their core business and lower their cyber risk.
But what if you’re a company with 60 to 100 locations, multiple departments and 10,000 users? Trying to automate a response when you control all these resources is nearly impossible, and it gets even more complex when you invite a cybersecurity service provider into that world.
However, it is possible to conquer that complexity, move fast to contain threats and limit damage. In this article, I’ll provide a few best practices to help you make that happen.
Invite Your Cybersecurity Service Provider Into Your Business Process
There can’t be a wall between you and your cybersecurity service provider. Embrace your service provider as your trusted partner. Think of that partner as an extension of your team.
You may ask yourself, “How do I do that when the service provider is a third party?” I understand your concern. After all, the individuals at your service provider are not your own people, and there are legal and compliance implications to working with a third party.
But there are approaches and tools that you can use to bridge the gap.
Adopt An Authorization Framework So Your Trusted Partner Can Act Fast
Work with your cybersecurity service provider to create an authorization framework.
This will identify specific actions that your service provider is preauthorized to take in the event of a cyberthreat. For example, if the cybersecurity service provider has a 95% confidence level that a machine has been compromised, there’s no reason this partner should have to call you.
If you authorize your service provider to act on your behalf in such situations, your trusted partner can contain the threat immediately. Rather than getting an urgent call in the middle of the night, you’ll get an email in the morning letting you know that one of your machines was compromised but that your cybersecurity service provider immediately took it off the network.
Understand That You Don’t Need To Boil The Ocean
You don’t have to boil the ocean. Simply start by identifying what resources you’re most worried about being breached and automate the response to those things first.
Automating the response for that one thing will get you moving in the right direction. If you don’t take this approach, you may find automated responses too daunting of a problem.
Choose Wisely In Deciding Which Actions Should Be Preauthorized — And Which Should Not
Be aware that preauthorization is not that cut-and-dried if it involves a sensitive machine. For example, you probably don’t want to grant preauthorization on a CEO’s or other VIP’s laptop.
Collaborate with your cybersecurity service provider to decide what you should preauthorize. As you do this, consider the regulatory and governance models with which you need to comply.
Focus your preauthorized containment efforts on commodity resources. That way, if the service provider is wrong for whatever reason, the action won’t do too much damage to your business.
Give Your Provider The Appropriate Level Of Permission
You need a way to delegate; and to delegate, you’re going to need to grant permissions.
Give your cybersecurity service provider the appropriate level of permission and use the principle of least privilege required for the task. Never provide your cybersecurity service provider with actual credentials and instead grant permission using tokens where you have the appropriate level of auditing and control.
Retain administrative control of everything in your IT environment. And make sure that you are able to revoke your cybersecurity service provider’s access at any given time.
Be Prepared To Use Your Influence With Your Peers
Often the security orchestration aspect of SOAR touches systems that chief information security officers (CISOs) don’t own. This means you may have to convince your organization’s CIO or director of IT to provide your cybersecurity service provider with access to those resources.
This can be tricky.
Take the time to consider how you can get your peers to support your cybersecurity initiative. And work to bolster your position of influence with your colleagues to make that happen.
Lock Out Threat Actors Fast With SOAR, Containment And An Authorization Framework
Much of the attention in cybersecurity focuses on threat detection. That’s important because detection is where everything starts. But detection will only take you to the 50-yard line.
You have to take your cybersecurity strategy over the goal line. The goal in this case is to lock out the threat actor. And you’ll need to reach that goal again and again because threat actors will be back again and again. There’s no question about that, so containment is critical.
With an authorization framework and SOAR, you and your cybersecurity service provider will be ready to take fast, effective action any time that a threat actor surfaces in your IT environment.