
Cybersecurity: The Challenge of Scaling Operations

By Julián Garrido, CEO, Mnemo México
Tue, 03/21/2023 - 16:00

We all hear about the challenges companies face when dealing with cybersecurity. For most, it looks like a very complex subject, not just because of its technical nature but much more because of the scale and the wide range of angles or vectors in which threats and risks materialize.

One of the main challenges security operations teams encounter is understanding the scale of the activities they must address. The intent of this article is to help security teams make sure executives understand the size of the security operations challenge, so that together they can define a unified and efficient strategy. Several other tasks also require attention, such as managing the volume of alerts that the infrastructure generates, but we will focus on vulnerability management and on making sense of threat intelligence, which are the most demanding tasks operations teams face today.

Vulnerability Management

A vulnerability can be defined as a weakness in a system that allows malicious actors to harm IT infrastructure. The harm can take many forms: for instance, a vulnerability can provide unauthorized remote access to a given system, allow the injection of malicious code, or, as is commonly seen, let attackers infect end users' PCs with malware, ransomware, and many other forms of threats.

Many companies rely on their IT systems and infrastructure for their daily operations, and common sense tells us that multibillion-dollar IT vendors would build their products to be bulletproof against cybersecurity threats. Unfortunately, that is not the case. Every day, thousands of vulnerabilities are revealed and published by technology vendors. The daily list of uncovered vulnerabilities is so large and so important that the US government developed the National Vulnerability Database (NVD). This platform receives notifications from all vendors of newly found vulnerabilities, together with a severity score (CVSS) for each. To give an idea of the size of the challenge, we can look at an NVD summary of the vulnerabilities published in January 2023.

[Figure: NVD summary of vulnerabilities published in January 2023]

Once vulnerabilities are announced, vendors provide software patches that remediate the weaknesses, transferring the responsibility for their installation to operations teams. These tasks often demand a great deal of manual activity, including coordination with IT teams to schedule maintenance windows (typically late at night or during weekends) to avoid system outages that could impact business operations.

IT infrastructure has many different components. Some are clearly understood and visible, but many others are software components embedded into the architecture of the systems themselves. The first challenge is therefore building a detailed inventory of all hardware and software components running in the infrastructure, which requires security teams to understand in detail all the subsystems inside it. For example, in December 2021, a critical vulnerability was announced in a component that lies on many websites: a piece of open-source software known as the Apache Tomcat project. Even though you do not buy this software, it comes embedded into many software solutions. This vulnerability, named log4j, allowed threat actors to run small pieces of software to gain access to systems without the use of a password, "stealing" Christmas 2021 from many security teams, as no one was really sure on which systems the Apache Tomcat software was present. After resolving that first hurdle, everyone had to work on remediating the weakness by applying the published patch. So, to reduce the attack surface, it is important that security teams have the technology and processes to manage vulnerabilities and to prioritize those that are critical to business continuity.

Dealing with this problem requires that IT and security operations teams work hand in hand. We all know that, to be competitive, companies need to install new applications at a very fast pace and keep evolving their digital transformation strategy. However, every new application must go through a vulnerability analysis before it is launched in production, to assess the impact it has on security operations. When a critical vulnerability appears, both teams must focus on its remediation.
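The inventory-then-prioritize workflow described above, as an added example that is not code from the article or from Mnemo: a constructed software inventory (with embedded components, like the logging library case) is matched against NVD-style advisories carrying CVSS scores, and findings are ranked by CVSS weighted by business criticality and internet exposure. All asset names, component versions, CVE ids and scores are constructed placeholders.

```python
# Added example (not from the article): rank which vulnerable components to patch first,
# using a software inventory and NVD-style advisories carrying CVSS base scores.
# Every asset, component, version, CVE id and score below is a constructed placeholder.
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    criticality: int        # 1 (low) .. 3 (business critical)
    internet_facing: bool
    components: dict = field(default_factory=dict)  # component -> version, embedded ones included

@dataclass
class Advisory:
    cve: str                # placeholder id, not a real CVE number
    component: str
    affected_versions: set  # versions the advisory marks as vulnerable
    cvss: float             # CVSS base score, 0.0 .. 10.0

INVENTORY = [
    Asset("web-portal", 3, True, {"tomcat": "9.0.1", "log-lib": "2.14.1"}),
    Asset("hr-app", 2, False, {"java-runtime": "11.0.2", "log-lib": "2.14.1"}),
    Asset("dev-wiki", 1, False, {"log-lib": "2.17.0"}),
]
ADVISORIES = [
    Advisory("CVE-0000-0001", "log-lib", {"2.14.1", "2.15.0"}, 10.0),
    Advisory("CVE-0000-0002", "tomcat", {"9.0.1"}, 7.4),
    Advisory("CVE-0000-0003", "java-runtime", {"11.0.2"}, 5.3),
]

def prioritize(inventory, advisories):
    """Return (priority, cve, asset, component) tuples, most urgent first.
    priority = CVSS x business criticality, x1.5 when the asset is internet facing."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            # components.get() returns None for absent software, which never matches
            if asset.components.get(adv.component) in adv.affected_versions:
                weight = asset.criticality * (1.5 if asset.internet_facing else 1.0)
                findings.append((round(adv.cvss * weight, 1), adv.cve, asset.name, adv.component))
    return sorted(findings, reverse=True)

if __name__ == "__main__":
    for score, cve, asset, comp in prioritize(INVENTORY, ADVISORIES):
        print(f"{score:5.1f}  {cve}  {asset}/{comp}")
```

The patched dev-wiki instance produces no finding, while the same library on the internet-facing portal ranks far above the identical version on the internal HR system.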

Threat Landscape and Cyberintelligence

In Mexico, many security teams rely on the threat intelligence embedded into their security infrastructure. Firewall and antivirus/EDR vendors publish information on common threats and allow users to connect and download it; however, this provides only a small piece of the vast universe of threats that appear every day.

FIRST, the Forum of Incident Response and Security Teams, brings together security practitioners from every country with the aspiration of ensuring a safe internet for all. Through this forum, security experts share threat information on incidents resolved by operations teams worldwide, and this kind of intelligence has proved to be very effective when dealing with new threats. To give an idea of the number of threats security teams face, Mnemo's Cyberdefense platform, which is connected to FIRST, published a bit over 4 million different threats just last January. Imagine the task security teams must deal with every month.

Facing this scale of threats requires security teams not just to read and store threat intelligence reports, but to ingest this information into the security architecture itself. Many companies in Mexico today are not doing so; therefore, their security infrastructure is not necessarily up to date with the latest threats. The question is: how can security teams consume and integrate such a large volume of threat information?
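One concrete form the ingestion question above can take, as an added example (not code from the article or from Mnemo's platform): a small indicator feed is normalised and de-duplicated, then its confident indicators are matched automatically against proxy and firewall log lines, which is the step that manual report reading never reaches. The feed format, field names, indicator values and log lines are all constructed placeholders drawn from reserved example ranges.

```python
# Added example (not from the article): normalise a threat-intelligence feed, merge duplicate
# indicators, and match the confident ones against proxy/firewall log lines automatically.
# The feed entries and log lines are constructed placeholders (reserved example ranges), not real IoCs.
import re

# Constructed feed, one indicator per line: type,value,confidence(0-100),source
FEED = """domain,bad-updates.example,90,feedA
ip,203.0.113.45,70,feedA
domain,BAD-UPDATES.EXAMPLE,95,feedB
ip,203.0.113.45,40,feedC
"""

# Constructed proxy and firewall log lines.
LOGS = [
    "2023-01-15T10:01:02 proxy user=alice dst=bad-updates.example status=200",
    "2023-01-15T10:03:44 fw action=allow src=10.0.0.8 dst=203.0.113.45 dport=443",
    "2023-01-15T10:05:10 proxy user=bob dst=intranet.example status=200",
]

def load_feed(text):
    """Return {(type, value): confidence}. Values are lower-cased so case variants collapse,
    and a repeated indicator keeps its highest confidence across sources."""
    indicators = {}
    for line in text.strip().splitlines():
        kind, value, confidence, _source = line.split(",")
        key = (kind, value.lower())
        indicators[key] = max(indicators.get(key, 0), int(confidence))
    return indicators

def match_logs(indicators, logs, min_confidence=60):
    """Return [(log line, indicator, confidence)] for every line whose dst= hits a confident IoC."""
    wanted = {value: conf for (kind, value), conf in indicators.items()
              if kind in ("domain", "ip") and conf >= min_confidence}
    hits = []
    for line in logs:
        m = re.search(r"dst=(\S+)", line)
        if m and m.group(1).lower() in wanted:
            hits.append((line, m.group(1).lower(), wanted[m.group(1).lower()]))
    return hits

if __name__ == "__main__":
    feed = load_feed(FEED)
    print(f"{len(feed)} unique indicators loaded")
    for line, ioc, conf in match_logs(feed, LOGS):
        print(f"HIT ({conf}) {ioc}: {line}")
```

Four feed lines collapse to two unique indicators, and the internal destination in the third log line produces no hit.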

Conventional wisdom tells us that digital transformation rests on three pillars of change: leveraging technology to enhance business capabilities, building operational efficiencies, and constantly improving customer experience. Well, guess what? The same process is required to improve security operations. Surprisingly, a discipline that is born digital, like cybersecurity, still involves a great deal of manual processes. Companies must include cybersecurity operations among the critical business processes that have to go through a digital transformation strategy. This strategic move is particularly critical given the difficulty of finding and hiring qualified security engineers in the market. The inevitable conclusion is that a connected and automated security infrastructure is required to meet the scaling challenge of responding to cyberattacks.

In summary, C-level executives must understand the challenges that security operations teams face and encourage security leaders to balance investments not just in security tools, but also in developing a scalable architecture that allows security operators to rely less on manual activities, leveraging process automation to improve both vulnerability management and the handling of threat intelligence.
