CISOs Need Real-Time Threat Analytics to Keep Up With Attackers

Security threats are too fast-changing and too numerous for companies to get ahead — and stay ahead — of attackers. In these uneasy times, threats are outpacing response capabilities.

The problem is manual processes, lack of quality data and a talent gap, according to a ServiceNow survey of chief information security officers (CISOs).  Nearly half of CISOs (47 percent) say insufficient data is a barrier to effective security, while 70 percent find it difficult to prioritize security threats based on business criticality.

RTInsights.com recently spoke with Sean Convery, vice president and general manager, Security Business Unit, ServiceNow, to better understand the impact that the results of the survey will have on the market.

CISOs should focus on when data breaches occur

CISOs keep spending on preventing and detecting data breaches, but response is where they should focus,” said Convery. “It’s not a question of if you’ll be breached, but when you are, how quickly and reliably can your security team respond?

What’s more, most security practitioners know that is a problem that can’t be simply resolved by increading head count; the security market is already at negative unemployment. Those security practicioners are wondering if threat intelligence sharing and automation bridge the gap and solve today’s security woes.

[ Related: IoT Security Vulnerabilities May Drive People Away ]

Automating security tasks — both routine and strategic — is becoming a necessity. Two-thirds of CISOs in the ServiceNow survey plan to automate more security tasks in the next three years. With automated security response, companies can investigate every alert, prioritize them based on impact to the organization and trigger requests for remediation without human intervention.

Security pros slow to share threat intelligence

Convery said there is also power in being able to collectively fight back. Sharing threat intelligence can help organizations to act more quickly and better defend against emerging threats. Yet companies have not been eager to raise their hands, admit to a security incident and exchange information, which puts attackers at an advantage.

Attackers are a step ahead because they share information. The dark web is built for just that —completely anonymous communication to trade and sell information. It’s time to take a page from the attackers’ handbook and start sharing information.

Convery says the focus cannot be solely on what to share, but rather how to share threat intelligence. “Controlling the way you share, including being fully anonymous, and whom you share with is mandatory.”

ServiceNow’s own Trusted Security Circles is built around this concept of anonymous threat intelligence sharing. The cloud-based application gives enterprises the capability to share and receive threat intelligence in near real-time.

[ Related: Why Putting the IoT Into Docker Containers Will Unlock It ]

Covery explained how Trusted Security Circles works. A security team may see suspicious activity in its network and will want to know if others in their defined community have also seen it. An anonymous query goes to other members of the chosen circle, and a sightings search is performed against the specified suspicious observables.

Customers now know if a security incident they’re investigating is happening to any peers, partners or suppliers. If the number of sightings exceeds a set threshold, a security incident can be automatically opened.

Security analysts don’t need go it alone

“We all need timely intelligence to sound the alarm as new attacks happen, but securely and anonymously sharing active threat data with trusted peers has simply not been possible,” said Convery. “Now, security analysts are no longer alone. ServiceNow enables enterprises to apply the power of collaboration to proactively avert and shorten the useful lives of attacks.”

One things is certain, security is an increasingly collaborative exercise that requires constant work. Automation and threat intelligence sharing may very well be the missing link enterprises need to ensure their response capabilities keep up.