Companies want to protect themselves well against cyber threats, but too often they focus only on protection. Other essential steps are pushed into the background. An integrated SecOps approach is required.
Good security cannot be achieved with a good firewall or a phenomenal endpoint solution alone. The CCB’s CyberFundamentals Framework defines good security in the same way as NIST does in the US. A secure house rests on five pillars: Identify, Protect, Detect, Respond and Recover.
“Too often the focus is only on protection,” says Patrick Commers, cybersecurity evangelist at Fortinet Belgium. “And then organizations often rely on point solutions. These pile up a lot of logs, alerts and data. They are secured, but IT teams are overwhelmed and unable to respond to the notifications from their security solutions.”
SecOps: more than just protection
In his opinion, the solution lies in Security Operations, or SecOps for short. “SecOps encompasses the first four pillars of the framework and not just protection,” says Commers. The approach is also integrated: good protection is tied to the ability to detect and the ability to act efficiently when something is discovered. Commers sees three major challenges that are pushing companies to adopt a SecOps approach:
- Attacks are becoming more sophisticated. According to the Verizon 2023 Data Breach Investigations Report, 74 percent of breaches involve a human element, enabled in part by our hybrid way of working. There is less social control. In addition, according to the latest Cost of a Data Breach report, it reportedly takes up to 204 days for an organization to realize that an attacker is on its systems. The ever-evolving attack landscape also means your security strategy must evolve.
- The attack surface has also changed. Users are everywhere and use applications from anywhere, and those applications are in turn distributed between the organization’s own infrastructure and the cloud. The network as we knew it has changed, and new technologies have introduced many additional access points.
- Finally, there are simply too many alerts. IT teams are drowning under the flood of notifications. In addition, they often lack the knowledge to see the forest for the trees and set priorities. Logging and alerting solutions theoretically provide visibility, but you need to be able to interpret the data and assign actions to it.
Combining them into an overall approach
Staying afloat requires SecOps. Commers points out the usefulness of an overall suite. “Identification is done by looking at the external attack surface. What’s happening on the Dark Web? Do criminals register fake domain names? This gives you a proactive idea of what’s coming.”
Protection is the most well-known pillar. “Here, for example, there are endpoint protection, firewalls and sandboxing,” says Commers. “This also includes a secure mail gateway.” These solutions aim to stop threats at the front door.
“When we look at the network, NDR solutions come into focus. Then there are the EDR tools. Here we are shifting from pure protection to detection and response,” explains Commers. The abbreviations stand for network detection and response and endpoint detection and response.
“It is important to build a coherent whole with solutions that take into account different aspects of overall security,” says Commers. “Ideally, these solutions communicate with each other across their domains.” This is the case with Fortinet: “They all work together and share threat intelligence.” Beyond that, you need a single pane of glass, which provides transparency via a dashboard.
Be careful with the Christmas tree
Commers has mixed feelings about the role of SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation and Response). “These solutions certainly have value,” he says. “But if the IT team is too small, then SIEM is a plaster on a wooden leg.” The messages from these solutions are then too numerous, which means that the dashboards light up like Christmas trees.
You shouldn’t always look for the solution within your own IT team. “For several years now, companies have been thinking about outsourcing their SOC (Security Operations Center),” says Commers. “This is really a huge trend. It is often the job of such an external SOC to filter the alerts. Experts review the logs and alerts and provide feedback to the internal IT team if something needs attention.”
A role for AI
Such an approach can dramatically reduce the time to detect a cyberattack. “Organizations want to focus heavily on this,” Commers says. “Automation, AI and machine learning can also significantly help identify issues across all protocols. It is not for nothing that AI is increasingly being integrated into security solutions. In some cases, detection and response can occur at the speed of an algorithm.”
“In general, it is important to shorten the detection time,” says Commers. “We must avoid waiting for human intervention as much as possible. For example, SOAR technology allows you to automate repetitive actions.” In Fortinet’s SecOps suite, detection, response, and remediation can be partially automated thanks to automation and AI.
Fortinet itself recently introduced generative AI to its SecOps solution with Fortinet Advisor. This tool helps interpret incidents and identify causes. Like many tools, Advisor aims to help IT teams take timely action given their limited capacity. Fortinet Advisor is included in the manufacturer’s SIEM and SOAR solutions, where it is intended to simplify the interpretation of the logs and notifications produced by those tools.
From days to hours
The numbers show that an integrated SecOps approach makes sense. Fortinet itself has examined the impact of this approach when implementing various components of its suite with customers. Before implementing SecOps, Fortinet customers needed approximately 168 hours to detect a threat, 12 hours to contain it, six hours to investigate it, and another 12 hours to remediate it. That is far less than the average reported in the Cost of a Data Breach report, but still more than long enough for an attacker to cause serious damage.
After implementing solutions from the SecOps suite, detection time dropped to less than an hour. “That’s by far the biggest win,” agrees Commers. Investigations and remedial action are also much quicker. Commers: “These steps together used to take about eighteen hours, but now they take ten minutes. That’s a huge difference.”
Walk, then run
Should we all embrace a SecOps approach? Yes and no. “Implementing SecOps is a journey, not a big bang,” explains Commers. “You shouldn’t run before you can walk.” Commers advocates a sequence of steps:
- First, actually start protecting, including a firewall, application and email protection;
- Then you can detect advanced attacks through machine learning and sandboxing;
- Next, you need to look at endpoint protection. SASE is also part of this step;
- EDR, NDR and XDR have a detection side but also a response side. Here you can automate;
- Now you can work across domains and look at behavior. SIEM and SOAR come into play, and large-scale automation with AI and ML becomes possible;
- If you can’t do everything yourself, you can outsource parts of it.
“SecOps is much more than just protection,” summarizes Commers. “Everything comes together, from identification to protection to detection and response. So SecOps means more than just throwing your logs over the wall to a managed SOC. All solutions from all domains must work together. This is the only way you can really benefit from AI and ML, identify problems quickly and implement solutions quickly.”