Knowing When to Move Threat Detection, Investigation and Response (TDIR) to the Cloud
By Tyler Farrar, CISO, Exabeam
The pandemic spurred digital transformation on a scale not seen since the dawn of the internet as we know it. While organizations faced an unknown road ahead, they adapted quickly. Unfortunately, so did cyber adversaries.
Faced with challenges never seen before, businesses have evolved, many changing radically since the beginning of last year. Early in the pandemic, some shifted focus to help manufacture the emergency equipment needed to address a public health crisis. Others adapted to lockdowns and remote working to embrace new opportunities, or simply as a matter of survival. In almost every case, technology has played a vital role in facilitating and supporting these changes.
Unfortunately, the methods employed by cybercriminals have also evolved to exploit the broader importance of digital technology. Seeing the opportunity presented by the near-overnight closure of office spaces, for example, adversaries drove a sharp rise in targeted phishing. They also took advantage of comparatively lax home network security to gain a foothold on corporate networks, and ransomware attacks increased dramatically (a 10,000% increase in late 2020, according to a ResearchandMarkets.com report), crippling businesses and critical infrastructure the world over.
In response to this challenging security landscape, investment trends have also changed. Gartner recently reported a 41% increase in cloud security spending by CIOs over the past year. It is worth noting, however, that across all the investment categories, cloud security was the smallest in absolute dollars spent yet the fastest-growing area of security spending.
On the one hand, these are encouraging developments. Organizations clearly see the need to protect the cloud-based apps and services now in ubiquitous use across every industry sector. More investment is also being directed at enhancing the security stack with ‘cloud first’ strategies instead of traditional on-premises spend. It makes sense that security budgets should follow to help protect these increasingly diverse and flexible architectures.
But on the other hand, why does cloud security represent the smallest level of spend? What’s preventing organizations from allocating more funds to technologies that will make it easier to define, implement and operate effective threat detection, investigation and response (TDIR) programs? The key to this apparent contradiction is the role played by legacy tech and the limitations of security solutions designed before the cloud era.
Leaving The Legacy
In most scenarios, CISOs have three choices when considering a move away from legacy tech:
1. Take their existing security capabilities and extend them to cover new cloud locations and services.
2. Buy a new set of tools that is laser-focused on threat detection.
3. Opt for new, packaged security services with native capabilities built-in.
These choices can raise some challenging questions. Security teams may, for instance, be concerned about whether a specific tool will work in their environment, or whether adopting something completely new introduces additional risk. Similarly, some of their existing cloud-based services may already come with security capabilities baked in, so is there actually a need to add a further layer to absolutely everything? It is perhaps understandable, therefore, that the variety of choices brings some inertia to the decision-making process, which may explain the relatively low levels of investment.
So, what needs to happen to enable organizations to deliver threat detection, investigation, and response at a level commensurate with how important that function is to protecting their infrastructure? The key to the process is evaluating what is currently in place.
In making a transition from legacy tools, the first questions to ask are why you are making the transition in the first place, and what makes an existing solution ‘legacy’. Age alone is not the test: a tool can be older but still very functional, and what matters is whether it can still cover the cloud locations, services and telemetry the business now depends on. Organizations therefore need to understand which of their tools still have relevance.
Next, is the organization consuming its current security tools in the right way? Just as people now use public cloud or Office 365 because those services are far more feature-rich than when they first appeared on the market, security tooling is going through the same maturity curve. But by sticking with an on-premises security solution while tools mature, IT teams could be spending more time maintaining it than getting the value it was designed for. Ultimately, organizations need to assess the operational burden inherent in their existing approach, especially if it is still primarily on-premises.
Security In a Digitized Future
Whichever situation applies, the momentum behind modern, purpose-built, cloud-centric tools is growing. For instance, ESG recently found that over a quarter (26%) of enterprises reported needing a dedicated SIEM focused on their cloud environment, while another 25% want more advanced analytics to enable faster response to cloud threats.
That is why it is important to evaluate your security stack to ensure it can keep pace with the significant changes occurring across the IT landscape. In building more effective strategies, organizations can also look to initiatives such as The XDR Alliance, a group of security and IT technology providers who have organized to help customers more easily define, implement and operate effective TDIR programs and technology stacks.
As post-pandemic norms continue to play out, it seems certain that the challenges organizations have faced since early 2020 have accelerated the importance of cloud infrastructure and services across the globe. To ensure security keeps pace with the speed of change, security stacks must evolve with business needs and provide the levels of protection that organizations urgently require.