3 Ways to Evolve Your Cybersecurity Operations
To meet the expectations of today’s digital enterprises, cybersecurity operations need to modernise in three key ways: by optimising extended detection and response (XDR), adopting proactive cyber risk management, and moving to a unified security platform.
Explore more SOC best practises: Three Ways to Evolve Your Security Operations
As enterprises continue to pursue digital transformation, cybersecurity operations teams are taking on new responsibilities—not just protecting corporate data but also helping ensure business continuity. To succeed, they need to adopt new approaches and solutions that will make them more agile, more proactive and less overwhelmed: optimised extended detection and response (XDR), proactive cyber risk management, and a unified security platform.
As enterprises continue to pursue digital transformation, IT and security teams are taking on new business-enabling responsibilities. To succeed, they need to modernise their cybersecurity operations by enhancing their ability to correlate and prioritise alerts, to deal with threats proactively instead of just reactively, and to streamline their toolsets so they can see more and scramble less. All of these can be attained with optimised extended detection and response (XDR), proactive cyber risk management, and a unified security platform. Check out our report Three Ways to Evolve Your Security Operations to learn more.
There is no question that digital transformation has given cybersecurity operations an expanded role to play in today’s enterprises. Security teams are not only expected to protect company data but also to ensure business continuity and safeguard brand reputations. Boards and senior leaders see cybersecurity as critical but, as McKinsey puts it, they aren’t sure how to create a strategy that will “address the threats, in all their forms, today and in the years ahead.”
What’s increasingly clear is that any such strategy requires a modernised approach to cybersecurity operations—one that combines the latest technologies and best practises in a holistic system of defence. Three ingredients are key: optimised extended detection and response (XDR), proactive cyber risk management, and a unified security platform.
What’s driving cybersecurity operations to evolve
Moving IT into the cloud, adopting as-a-service business models, and supporting hybrid work have all changed—and grown—the enterprise attack surface. Instead of the classic network perimeter, identity is the new boundary that has to be protected. These shifts have made it harder for security operations centre (SOC) teams to block threats and respond to incidents when they occur. Many SOC leaders say their staff can’t keep up: they’re overloaded with alerts and have too many tools—and still some parts of the enterprise remain uncovered.
What SOC teams need most are better ways to correlate and prioritise alerts so they can isolate the ones that truly matter while getting in front of threats instead of reacting to them. They also need to streamline their toolsets so they can manage more effectively. As a result, optimising XDR, assessing risk continuously and shifting away from point solutions are critical.
Step 1: Optimise XDR for stronger cybersecurity operations
Most cybersecurity operations teams rely on security information and event management (SIEM) solutions to log and analyse alerts. But because SIEM doesn’t provide correlation, and given the sheer volume of what has to be monitored today, SOC teams end up bombarded with tens of thousands of alerts and have no way to triage them.
XDR, on the other hand, automatically correlates data across multiple security layers, speeding up threat detection, investigation, and response. It streamlines workflows, expedites or eliminates manual steps, and provides greater visibility and richer analytics than have been previously available.
Combining XDR with SIEM optimises the capabilities of both: SIEM data enriches XDR detection and investigation while XDR’s correlations give context to SIEM logs for better threat identification over time.
With optimised XDR, SOC teams can prioritise incidents more easily, knowing clearly where to focus and what actions to take. They gain visibility into cloud workloads, across the network, and down to the level of endpoints and applications like email. Optimised XDR also makes it possible to prevent and address the misuse of enterprise credentials, extending cybersecurity operations out to the ‘new perimeter’ of identity.
Get more Trend Micro perspective on XDR in this Guide to Better Threat Detection and Response.
Step 2: Adopt proactive cyber risk management
The data, analytics and integrations provided by optimised XDR directly support continuous risk assessment, allowing cybersecurity operations teams to be proactive, not just reactive. It reduces the likelihood of an attack or breach while helping get out of ‘firefighting mode’.
Proactive cybersecurity is increasingly seen as imperative by many enterprise leadership teams and governance bodies. “A sustainable security programme that provides data-driven risk decision making and measurable treatments as an outcome is essential to manage the new normal,” according to Gartner’s 2022 Planning Guide for Security and Risk Management. “Up-to-date risk assessments and risk communication practises are the driving forces for improving the current state, as indicated by our recent interactions with clients.”
Managing risk with zero trust
Achieving proactivity requires new, detailed ways of assessing risk and enterprise security posture, across a wide range of factors related to identity, user and device activity, applications, vulnerabilities, and device configurations. It also requires a zero trust approach to cybersecurity that regards any connection, whether from inside or outside the corporate network, as untrustworthy.
In a zero trust system, even once a user, device, or application is authenticated, they are assigned the least degree of privilege possible. Zero trust is also dynamic: no user is trusted in perpetuity. Even within a single connected session, risk status is continuously reassessed.
Given the sheer number of entry points and potential connections—from bring-your-own-device equipment to remote work environments, cloud elements, and as-a-service solutions—operationalizing zero trust can be complicated. Integrating risk management with the threat detection and response capabilities of optimised XDR helps, along with deployment of secure access service edge (SASE) tools.
Collaboration is also critical
The best security outcomes depend on functional collaboration between IT and cybersecurity operations—breaking down silos, increasing visibility, and ensuring seamless handoffs between proactive risk management and reactive threat detection and response. This in part is why it is so important to shift from high-level, point-in-time risk assessments to continuous risk management. When risk evaluation is an ongoing activity, it is more dynamic and extends more easily across functional lines.
Read more about proactive cyber risk management in this Trend Micro blog post on Attack Surface Management Strategies.
Step 3: Converge solutions within a unified platform
Even with optimised XDR and continuous risk management in place, SOC teams are still susceptible to overwhelm purely due to the number of tools and controls they need to protect the entire enterprise environment.
For the last 10 years or so, organisations concerned about the rapid evolution and increasing sophistication of cyber threats have invested in best-of-breed point products, aiming to protect themselves with the most compelling technologies available. The result a decade later is a proliferation of disconnected security solutions that end up ineffective or underused. More than half (55%) of SOCs have security infrastructure they don’t use, according to Trend Micro Research, and the top reason why is lack of integration.
This is driving growing numbers of organisations to seek a unified platform that can bring their tools and activities together for more seamless cybersecurity operations. They want integration that will enhance visibility, improve analysis and strengthen control while increasing protection, scalability and performance across multiple security layers and data sources, including hybrid and multi-cloud environments.
Importantly, moving to a unified cybersecurity platform is not a ‘rip and replace’ proposition. Organisations can keep the point solutions they’ve invested in and mesh them together in ways that resolve longstanding pain points. Sixty-six percent of organisations are actively consolidating the number of security operations tools they use, according to ESG.
While unified platforms have historically been within the means of only large organisations—ones able to build their own cybersecurity ecosystems—that’s no longer the case. Enterprises of all sizes can obtain a readymade platform from a vendor and customise it relatively easily to meet their specific needs.
For further perspective on the growing movement toward a platform approach, read our blog post, Unified Cybersecurity Platform: Why CISOs are Shifting.
Cybersecurity operations are business-critical
For cybersecurity operations to keep up with the demands of today’s (and tomorrow’s) threat environment and meet the business needs of the enterprise at the same time, the status quo cannot hold. SOC teams need new tools for detection and response, more integration, a more proactive approach to cyber threats, and greater consolidation of the solutions they rely on so they can move faster, with more precision and confidence.
Modernising cybersecurity by taking the three interrelated steps of optimising XDR, managing risk continuously, and moving to a unified platform will give SOC teams what they need while boosting the value they deliver to the business.
For more Trend Micro thought leadership on how to modernise cybersecurity operations, check out the SOC series: