In 2020, the number of cyberattack victims requesting ANSSI’s help quadrupled, and many companies now realize that the question is no longer whether they will be attacked, or even whether criminals will manage to penetrate their systems, but how to minimize the consequences.
It’s all a matter of time. No business can afford to have ransomware cripple its operations for days, and when the offensive strikes, every second counts. The defense must therefore erect protections, but also establish remediation and rapid reconstruction plans.
Shared with all the actors concerned, who will have to act in a coordinated manner in an emergency, these plans must be tested, rehearsed and constantly updated. To do this, it is essential to anticipate threats in order to be able to prepare for them; in other words, to move from a logic of reaction to a logic of anticipation. This paradigm shift is the one that leads from the SOC (Security Operations Center) to the SIC (Security Information Center).
SOC, overtaken by complexity
As typically designed and implemented, SOCs are less and less able to cope with the rapidly changing threat landscape. On the one hand, the information system is increasingly complex, heterogeneous and open, with the rise in particular of teleworking, the Internet of Things, and hybrid and multi-cloud environments. On the other hand, attacks are more and more numerous and, for some, particularly professional and sophisticated. All in all, the SOC is inundated with information. Add to this the cybersecurity skills shortage, and it becomes nearly impossible to separate noise from real threats and then respond to each adequately. As an end-to-end integrated system, from intelligence to remediation, the CIS proposes to overcome these limits by adopting a proactive posture that makes it possible to stay ahead of threats rather than drown in floods of surveillance data. To do so, the CIS rests on four complementary pillars: Threat Intelligence, automation and orchestration, artificial intelligence, and organization.
To protect yourself and prepare, you must first identify the threats and understand them. This is why Threat Intelligence is at the heart of the CIS. Threat Intelligence is organized into four levels: strategic (high-level analysis of assets, perimeters and risks), tactical (study of attackers’ modes of action), operational (development of mitigation plans) and technical (definition of indicators of compromise and system settings). The collection of information on which everything rests must be as broad and decompartmentalized as possible: internal to the company; on the web, deep web and dark web; from partners, peers and authorities as part of cooperation and exchange programs (ISAC…); or even elicited by means of deception-based security.
To give teams the time to collect, analyze and use this information despite limited resources, automation is essential. In particular, it makes it possible to filter out noise and considerably reduce the number of false positives, which are very time-consuming. In addition, it reduces costs, and therefore frees up resources for handling real cases. Finally, automation (of tasks) must be combined with orchestration (of action plans). As a rule, analysts welcome these developments because automation relieves them of unrewarding tasks and allows them to concentrate on the most interesting cases and to improve their skills.
Artificial intelligence/Machine Learning
Artificial intelligence appears to be an essential link in the functioning of the CIS, both for the early detection of attacks (behavioral analysis of the UEBA type) and for enrichment, contextualization, help with prioritization, or even support (coupled with SOAR) for a first level of response. Without it, and machine learning in particular, it seems difficult indeed to identify the weak signals characteristic of threats in the middle of the noise and to immediately launch the appropriate actions, taking the context into account.
While the SOC is most often organized in a pyramid fashion, escalating the most serious threats to increasing levels of expertise, the SIC is built on a concentric model, where CERT (Computer Emergency Response Team) specialists, in the center, disseminate Threat Intelligence knowledge to the analysts around them. One possibility is to combine this organization with specialization by technological perimeter (IoT, cloud, etc.) in order to further strengthen skills, and therefore anticipation.
Today, most large companies have a SOC, but very few have yet switched to a CIS, as this requires a certain level of maturity beforehand. To achieve this, and to be able to initiate the transition, you must start by increasing your knowledge of the threats (who, why, how), of the potential targets (systems, critical assets) and of their security (Continuous Security Assessment). Finally, the performance of the SOC must be measured through its detection capacity and its defensive coverage (by relying, for example, on the open MITRE ATT&CK framework).
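One way to turn that last measurement into a repeatable scorecard, as an added example that is not part of the original article: the detection rules deployed in the SOC are mapped to the ATT&CK techniques they are meant to catch, the Threat Intelligence team supplies the techniques it has prioritised for a given scenario, and the script reports per-tactic coverage, the uncovered techniques, and the techniques that depend on a single rule. The rule names, the rule-to-technique mapping and the priority list are constructed sample data; the technique IDs are real ATT&CK identifiers.

```python
"""ATT&CK detection-coverage scorecard (constructed example)."""
from collections import Counter

# Constructed sample: rules deployed in the SOC, mapped to the ATT&CK
# technique IDs each one is designed to detect.
DETECTION_RULES = {
    "phishing-attachment-macro": {"T1566", "T1059"},
    "credential-dump-lsass": {"T1003"},
    "scheduled-task-creation": {"T1053"},
}

# Constructed sample: techniques prioritised by Threat Intelligence for a
# ransomware scenario, grouped by ATT&CK tactic.
PRIORITY_TECHNIQUES = {
    "Initial Access": {"T1566", "T1078"},
    "Execution": {"T1059"},
    "Persistence": {"T1053"},
    "Credential Access": {"T1003"},
    "Lateral Movement": {"T1021"},
    "Impact": {"T1486", "T1490"},
}


def rules_per_technique(rules):
    """Count how many rules cover each technique (1 = single point of failure)."""
    depth = Counter()
    for techniques in rules.values():
        depth.update(techniques)
    return depth


def coverage_report(rules=DETECTION_RULES, priorities=PRIORITY_TECHNIQUES):
    """Per tactic: fraction of priority techniques covered, gaps, and
    techniques that rely on exactly one rule."""
    depth = rules_per_technique(rules)
    report = {}
    for tactic, techniques in priorities.items():
        hit = {t for t in techniques if depth[t] > 0}
        report[tactic] = {
            "coverage": len(hit) / len(techniques),
            "gaps": sorted(techniques - hit),
            "single_rule": sorted(t for t in hit if depth[t] == 1),
        }
    return report


def overall_coverage(rules=DETECTION_RULES, priorities=PRIORITY_TECHNIQUES):
    """Fraction of all prioritised techniques that at least one rule covers."""
    depth = rules_per_technique(rules)
    wanted = set().union(*priorities.values())
    return sum(1 for t in wanted if depth[t] > 0) / len(wanted)


if __name__ == "__main__":
    for tactic, row in coverage_report().items():
        print(f"{tactic:18} {row['coverage']:4.0%}  gaps={row['gaps']}  "
              f"single_rule={row['single_rule']}")
    print(f"overall coverage: {overall_coverage():.0%}")
```

The gaps list is what the remediation plan should be prioritised against; the single_rule list flags techniques whose detection would silently disappear if one rule were disabled or broken by a log-source change.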
While there is still a long way to go to reach the CIS, more and more companies are realistically recognizing the relevance of this model of active defense, based on intelligence, anticipation and preparation. Quite simply because the facts – and the threats – give them no choice.
3 key points to remember:
- Realism requires admitting that the company will not be able to ward off all cyberattacks, and that it must adopt a defense that allows it to minimize the damage.
- Based on Threat Intelligence, the CIS makes it possible to anticipate threats, and therefore to better guard against them and prepare for their consequences.
- Automation, artificial intelligence and a redesigned organization to promote the exchange of information are the keys to the system.
About the Authors
Business Development Director,
Pre-Sales Commercial, Global Cybersecurity Practice Capgemini