
Reinventing security operations for the modern threat landscape

The growing pace of digital transformation has opened new avenues for attackers, making traditional security measures obsolete. Organisations must modernise their security operations to fortify their defences and navigate the evolving threat landscape.

The digital age has brought unprecedented levels of connectivity, transforming how businesses operate and interact with the world. However, this interconnectedness has also created a fertile ground for cyber threats, exposing organisations to increasingly persistent attacks.

Traditional security models are no longer sufficient to protect organisations in this dynamic environment. Modernising security operations has become not just a best practice, but a necessity for survival.

One of the primary drivers pushing organisations to modernise their security operations is the growing complexity of the security technology stack brought about by the addition of more tools. This has led to an overwhelming burden on resources and talent, says Grant Bourzikas, chief security officer at Cloudflare.

The complexity is exacerbated by the rise of remote work, blurring the lines of the traditional network perimeter and making it more difficult to secure endpoints and protect against attacks targeting business applications and virtual private networks.

The shift to cloud computing, while offering numerous benefits, has also expanded the attack surface. As organisations migrate to hybrid and multicloud environments, security can become an afterthought, exposing them to data breaches and other security incidents.

At the same time, threat actors have become more sophisticated. Tony Anscombe, chief security evangelist at ESET, notes that threat actors no longer start by deploying malware. Today, the cyber kill chain often starts with exploiting a vulnerability or compromising victim systems via stolen credentials, followed by reconnaissance, data exfiltration and installation of malware such as ransomware.

Against this backdrop, companies need a comprehensive picture of what’s happening in their environments, with rich user context to effectively detect and respond to attacks, says Peter Molloy, managing director for security at Cisco in Asia-Pacific, Japan and China.

This requires organisations to move away from siloed security products towards integrated platforms that combine capabilities such as behavioural analytics, threat intelligence, and extended detection and response (XDR) to correlate data and effectively address cyber threats.

A key element of modernising security operations is the adoption of zero trust. This security model, built on the principle of “never trust, always verify”, mandates strict verification for every user and device attempting to access network resources, regardless of their location.

Bourzikas says compared with the traditional “castle and moat” security model, where anyone inside the network is implicitly trusted, zero trust ensures no one is trusted by default, enhancing security and reducing the risk of lateral movement in case of a breach.


Automating security

Artificial intelligence (AI) and machine learning (ML) can also bolster security operations, providing unprecedented automation in incident response, says Chua Zong Fu, head of managed security services at Ensign InfoSecurity.

For example, ML models can categorise and prioritise security alerts based on severity and relevance to an organisation’s cyber security posture, enabling automated triage and response actions. This reduces the burden on security operations centre (SOC) analysts and decreases the time it takes to detect and respond to security incidents.
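The triage step described above can be sketched in code. What follows is an added, illustrative example and is not Ensign's or any vendor's code: a deterministic scoring function stands in for the ML model, and the severity weights, asset inventory, indicator list, "adm_" naming convention for privileged accounts, and thresholds are all assumptions chosen for the example. The sample alerts are constructed.

```python
"""Illustrative alert triage: score each alert by rule severity and organisational
relevance, pick an automated action, and order the analyst queue."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Severity weights a SOC might assign to rule severities (assumed values).
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed asset inventory: hostname -> criticality tier (1 = low, 3 = crown jewels).
ASSET_CRITICALITY: Dict[str, int] = {
    "dc01.corp.example": 3,          # domain controller
    "fileserver.corp.example": 2,
    "kiosk-07.corp.example": 1,
}

# Constructed threat-intelligence indicators (documentation-range addresses, not real IOCs).
KNOWN_BAD_IPS: Set[str] = {"203.0.113.7", "198.51.100.23"}


@dataclass
class Alert:
    alert_id: str
    rule: str
    severity: str
    host: str
    source_ip: str
    user: str


@dataclass
class Triaged:
    alert_id: str
    score: int
    action: str  # "respond", "investigate" or "suppress"


def relevance(alert: Alert,
              assets: Dict[str, int] = ASSET_CRITICALITY,
              bad_ips: Set[str] = KNOWN_BAD_IPS) -> int:
    """Context score: how much this alert matters to *this* organisation."""
    score = assets.get(alert.host, 1)       # unknown hosts default to the lowest tier
    if alert.source_ip in bad_ips:
        score += 2                           # source matches threat intelligence
    if alert.user.startswith("adm_"):
        score += 1                           # privileged account (naming convention assumed)
    return score


def triage(alert: Alert) -> Triaged:
    """Combine rule severity with organisational relevance and choose an action."""
    weight = SEVERITY_WEIGHT.get(alert.severity.lower(), 1)  # unknown severity -> treat as low
    score = weight * relevance(alert)
    if score >= 9:
        action = "respond"       # automated containment, e.g. isolate host, page on-call
    elif score >= 3:
        action = "investigate"   # routed to an analyst queue
    else:
        action = "suppress"      # logged for later hunting, not worked now
    return Triaged(alert.alert_id, score, action)


def prioritise(alerts: List[Alert]) -> List[Triaged]:
    """Triage every alert and return the queue ordered highest score first."""
    return sorted((triage(a) for a in alerts), key=lambda t: t.score, reverse=True)


# Constructed sample alerts, shaped like what a SIEM might emit.
SAMPLE_ALERTS = [
    Alert("A1", "LSASS memory access", "high", "dc01.corp.example", "10.0.0.5", "adm_jsmith"),
    Alert("A2", "Port scan", "low", "kiosk-07.corp.example", "203.0.113.7", "-"),
    Alert("A3", "Failed logon burst", "medium", "fileserver.corp.example", "10.0.0.9", "bob"),
    Alert("A4", "DNS query to newly seen domain", "low", "kiosk-07.corp.example", "10.0.0.42", "kiosk"),
]

if __name__ == "__main__":
    for t in prioritise(SAMPLE_ALERTS):
        print(f"{t.alert_id}: score={t.score:2d} action={t.action}")
```

The point a practitioner should take from this is the split between severity (what the rule author thinks) and relevance (what the environment says): the same low-severity port scan lands in the analyst queue when the source matches threat intelligence, and a high-severity rule firing on a domain controller with a privileged account triggers an automated response. Whatever model produces the score, the thresholds that map it to actions are a policy decision that should be reviewed as carefully as a firewall rule.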

In future, Ensign plans to use AI and ML to enhance SOC operations by linking internal security data with external threat feeds, allowing better identification and response to threats. Additionally, ML will enable SOCs to develop adaptive defence mechanisms that adjust security controls dynamically based on evolving threats, ensuring defences remain effective against new threats.

For Cisco, AI plays a big role in assisting security teams by simplifying the management of security tools and improving outcomes, augmenting human insights and allowing teams to focus on what’s critical through automation.

“Organisations that fail to automate security processes risk falling behind,” says Cloudflare’s Bourzikas. “Leveraging unique traffic patterns to automatically provide tailored mitigations that enable protection of critical applications and entire networks is key.”

Another use of automation in security operations is driving dynamic security responses across the enterprise using policy orchestration, such as granting specific people access to a system or file. It can also be used for threat hunting and automating how teams manage their devices, security posture and configurations.

To effectively integrate automation tools into a modern SOC, Chua suggests focusing on well-documented processes, creating an inventory of security tools for enrichment, and establishing core principles and objectives for automation. He cautions against automating processes that are not clearly defined or proven, as this can lead to inefficiencies and failures.

Skills and metrics

Building a successful modern security operations team also requires specific skills. These include a broad understanding of the security landscape, the ability to manage complex security technology stacks, and effective communication skills, according to Chua.

Cloudflare’s Bourzikas says security professionals should also be curious and invest in upskilling to keep pace with the evolving threat landscape, while ESET’s Anscombe points out the need for them to be motivated to track down and respond to cyber threats. They should also be adaptable critical thinkers with strong technical skills.


Measuring the success of security modernisation efforts is essential for continuous improvement. Key performance indicators such as mean time to detect (MTTD) and mean time to respond (MTTR) provide valuable insights into the effectiveness of security operations.

Chua says such metrics can help organisations assess the time savings achieved through modernisation, as well as the impact on team and talent optimisation. Molloy agrees, noting that reducing MTTD and MTTR is the ultimate goal of any security operations team, as they directly impact customer downtime and experience.

Organisations embarking on a security modernisation journey should begin by developing a comprehensive plan with a clear strategy and vision. This includes evaluating their current maturity level, redefining incident response plans, and identifying the right tools and solutions, says Molloy.

Securing leadership buy-in is also crucial, as is staying abreast of emerging technologies such as AI and ML and investing in the necessary skills; all three are essential for long-term success in the evolving cyber landscape. Chua also advises organisations to seek expert assistance, especially when dealing with complex technologies and challenging threat landscapes.

But even as organisations modernise their security operations, they should not lose touch with the fundamental skills they will need should the technology fail, says Chua.

“At Ensign, we conduct annual exercises where automation is intentionally switched off. This forces our analysts to handle high-severity scenarios manually, ensuring that they maintain critical problem-solving abilities,” he adds. “Such practices improve their individual skills by keeping them sharp and up-to-date and help strengthen the team’s overall resilience.”
