As we all know, the coronavirus pandemic has affected CISOs and other security and risk-management leaders worldwide. Some of these leaders are developing and implementing security projects designed to minimize risk while supporting remote workers. In talking with our customers, here is what they say are their top goals for 2021, based on the lessons learned in 2020.
Security Operations Center (SOC) Automation
The first customer goal is SOC automation. Many CISOs talk about increasing their spend on unconventional security controls to let data science drive some of their security controls. No one has ever said they have enough people to hunt threats manually and triage all the alerts. This is especially true with policy-based security solutions, which generate a lot of false positives. So SOC automation, and repurposing the SOC team for more intelligent modeling and advanced threat detection, is a common theme we have seen across multiple industries and geographies.
Remote Workforce Monitoring
Most of the workforce has moved from working in office buildings to working from various remote locations. One of the challenges of monitoring a remote workforce is getting real-time insight into your data, which is not easy. Identifying users who are prone to phishing attacks is also a significant issue. Organizations need to identify users who are accessing resources from untrusted or unsecured locations, because those users are no longer working in one secure location behind a corporate firewall. Employees might be accessing corporate assets directly through cloud service providers such as Microsoft, Amazon or Salesforce, or through virtual meeting software like WebEx or Zoom. You no longer know which machines are connected to your assets. Where are they really coming from? And who is connecting from where? You need to be able to collect context, establish normal patterns, and then look for the things that fall outside the norm, which is a huge challenge.
Access Analytics and Risk-Based Access Controls
The next customer goal, which is an interesting one, is access analytics and risk-based access controls. The pandemic has accelerated cloud adoption, which has posed challenges in providing visibility into access risks. How are you dynamically provisioning access for temporary workers? How are you managing privileged access? Risky-account discovery and clean-up, risk-based access certifications and risk-based authentication have become a critical area for our customers, especially now that they have so many users logging in from various locations on different devices.
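The two sections above describe the same loop from two angles: collect context about how each user normally signs in, establish that as a baseline, and then score a new sign-in against it so the access decision (allow, step up to MFA, or block) reflects risk rather than a static policy. The block below is an added example, not code from the original post or from Gurucul's product; the sign-in history, user names, countries, device ids, signal weights and decision thresholds are all constructed for illustration.

```python
"""Baseline-and-deviation scoring for remote sign-ins (added example).

Builds a per-user baseline of the countries, devices and hours each user
normally signs in from, scores a new sign-in by how rare each of those
signals is for that user, and maps the score to a risk-based access
decision. Everything below (users, countries, devices, weights) is
constructed for the example and is not from any real deployment.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sign-in history: user,country,device_id,hour_utc
HISTORY = """\
alice,US,dev-a1,14
alice,US,dev-a1,15
alice,US,dev-a1,13
alice,US,dev-a2,16
bob,DE,dev-b1,9
bob,DE,dev-b1,10
bob,FR,dev-b1,11
bob,DE,dev-b1,8
"""


@dataclass
class Baseline:
    countries: Counter
    devices: Counter
    hours: Counter
    total: int


def build_baselines(csv_text):
    """Return {user: Baseline} from 'user,country,device,hour' lines."""
    countries = defaultdict(Counter)
    devices = defaultdict(Counter)
    hours = defaultdict(Counter)
    totals = Counter()
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        user, country, device, hour = line.split(",")
        countries[user][country] += 1
        devices[user][device] += 1
        hours[user][int(hour)] += 1
        totals[user] += 1
    return {u: Baseline(countries[u], devices[u], hours[u], totals[u]) for u in totals}


def score_login(baselines, user, country, device, hour, privileged=False):
    """Score a new sign-in from 0 to 100; a user with no baseline scores 100."""
    b = baselines.get(user)
    if b is None:
        return 100
    # Each signal contributes in proportion to how rare it is in this user's baseline.
    country_share = b.countries[country] / b.total
    device_share = b.devices[device] / b.total
    # Hour is fuzzy: anything within two hours of a seen hour counts as normal.
    hour_share = sum(b.hours[h] for h in range(hour - 2, hour + 3)) / b.total
    score = int(40 * (1 - country_share))      # weights are constructed, not tuned
    score += int(30 * (1 - device_share))
    score += int(10 * (1 - hour_share))
    if privileged:
        score += 20  # privileged accounts get extra weight (keys to the kingdom)
    return min(score, 100)


def decide(score):
    """Map a risk score to an access decision (thresholds are constructed)."""
    if score < 30:
        return "allow"
    if score < 70:
        return "step-up"   # require MFA or re-authentication
    return "block"


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    for args in [("alice", "US", "dev-a1", 14), ("alice", "RU", "dev-x", 3),
                 ("bob", "FR", "dev-b1", 10), ("mallory", "US", "dev-a1", 14)]:
        s = score_login(baselines, *args)
        print(args, s, decide(s))
```

The point of the design is that the same sign-in is normal for one user and anomalous for another: a country the user has visited once before lands in the step-up band rather than being blocked outright, while a never-seen user or an unknown device from a new country goes straight to block. Weights and thresholds are the tuning knobs a real deployment would fit to its own false-positive tolerance.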
Detecting and Preventing Insider Threats
The next critical customer goal is detecting and preventing insider threats. Everyone is concerned about insider threats, especially with what's happening with the pandemic. Insider threats include malicious as well as negligent insiders, and also outsiders impersonating insiders. Are insiders committing fraud? Are they stealing company data? Are they looking at records they shouldn't be looking at? These are some of the key things our customers want to know from an insider standpoint. Insider threats come in various flavors, from espionage to theft, sabotage, fraud and competitive advantage. We normally put insider threats into three major categories: access misuse, data exfiltration, and account or host compromise. What we are seeing with our customers is that the shift to working from home is what is driving the need to detect and prevent insider threats.
Cloud Transformation
The next customer goal is cloud transformation. We've been hearing about cloud transformation and adoption for quite a few years now, and customers have started moving in that direction. With the pandemic, customers who were planning cloud transformation over five years have moved their timelines up. The key idea is that customers want to ensure their cloud adoption is safe. They need visibility into cloud applications and infrastructure, from Amazon AWS to Azure, Box, Office 365 and more, as well as mitigating controls for any threats in the cloud. They also want to discover any cloud privileged access, because that is the keys to their kingdom.
Extended Detection and Response (XDR)
XDR is an emerging technology, and customers are looking to adopt it fairly quickly. One of the key reasons for embracing XDR is to improve advanced threat detection accuracy by linking together all the security telemetry across the organization. Endpoint, network, application and identity telemetry are integrated for real-time threat detection. In addition, XDR delivers faster incident response through rapid incident correlation and causation. Automated response actions trigger orchestration playbooks and automation workflows, which ultimately lowers operating costs.
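The linking step is what separates XDR from a pile of separate alerts: an identity event, an endpoint event and a network event that each look unremarkable on their own become one incident with a causal chain once they are joined on the shared user and host within a short time window, and the resulting severity can drive a response playbook automatically. The block below is an added example of that correlation, not code from the original post or from any XDR product; the events, users, hosts, addresses, time window, severity scale and playbook names are all constructed for illustration.

```python
"""Cross-telemetry correlation in the XDR style (added example).

Takes constructed identity, endpoint and network events, joins them on the
shared host within a time window after each sign-in, ranks the resulting
incident by how many telemetry sources it spans, and picks a response
playbook. All events, names and addresses are made up for the example.
"""
from datetime import datetime, timedelta

# Constructed raw telemetry from three sources; 'ts' is ISO-8601 UTC.
EVENTS = [
    {"src": "identity", "ts": "2021-01-11T09:00:05", "user": "alice", "host": "lt-042",
     "action": "login", "new_location": True},
    {"src": "endpoint", "ts": "2021-01-11T09:01:10", "user": "alice", "host": "lt-042",
     "action": "process", "image": "powershell.exe"},
    {"src": "network", "ts": "2021-01-11T09:01:40", "host": "lt-042",
     "action": "connect", "dst": "203.0.113.9:443"},
    {"src": "identity", "ts": "2021-01-11T09:30:00", "user": "bob", "host": "lt-007",
     "action": "login", "new_location": False},
    # Same host as alice's session, but hours later: outside the window.
    {"src": "network", "ts": "2021-01-11T13:00:00", "host": "lt-042",
     "action": "connect", "dst": "198.51.100.4:443"},
]


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def correlate(events, window=timedelta(minutes=5)):
    """Return one incident per sign-in, carrying every event on the same host
    that occurred within `window` after it, ordered as a causal chain."""
    incidents = []
    logins = [e for e in events if e["src"] == "identity" and e["action"] == "login"]
    for login in logins:
        t0 = parse_ts(login["ts"])
        chain = [login]
        for e in events:
            if e is login or e["host"] != login["host"]:
                continue
            if t0 <= parse_ts(e["ts"]) <= t0 + window:
                chain.append(e)
        chain.sort(key=lambda e: e["ts"])  # ISO-8601 sorts lexically
        incidents.append({
            "user": login["user"],
            "host": login["host"],
            "sources": sorted({e["src"] for e in chain}),
            "chain": chain,
        })
    return incidents


def severity(incident):
    """1 to 4: one point per telemetry source spanned, plus one if the sign-in
    came from a location new for that user (a constructed scale)."""
    score = len(incident["sources"])
    if any(e.get("new_location") for e in incident["chain"] if e["src"] == "identity"):
        score += 1
    return score


# Constructed playbook names keyed by severity.
PLAYBOOKS = {
    4: "isolate-host-and-disable-account",
    3: "isolate-host",
    2: "notify-analyst",
}


def playbook(score):
    return PLAYBOOKS.get(score, "log-only")


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        s = severity(inc)
        steps = " -> ".join(f'{e["src"]}:{e["action"]}' for e in inc["chain"])
        print(f'{inc["user"]}@{inc["host"]} severity={s} playbook={playbook(s)} chain={steps}')
```

The join key here is the host plus a five-minute window after the sign-in; a real pipeline would also key on session or process ids and would carry the chain into the playbook so the responder sees the causation, not just the verdict. The late network event on the same host is deliberately left out of the incident to show why the window matters.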
What we've learned from our customer initiatives is that work from home is here to stay; it is going to be a permanent change for a long time. Insider threats are on the rise. Automation is critical for SOC efficiency. Cloud visibility and security are more critical than ever. And machine learning is the foundation of model-driven security, which will help with all of these customer initiatives.
Saryu Nayyar is CEO at Gurucul.