How does your org structure impact your cyber response capabilities?

  • Date: Jun 12, 2024
  • Read time: 5 minutes

Cybersecurity professionals are critical to an organization’s cyber defense, but how can you set them up for success?

Background

Does your organizational structure influence your company’s ability to respond to a ransomware attack? Sophos recently published a paper with insights from nearly 3000 IT/cybersecurity leaders considering how to best structure an organization’s cybersecurity function in order to achieve the best outcomes. We’ll take a look at some of their findings, and discuss how you can better align your organization’s data security tools to gain advantage in the rapidly-evolving cyber threat landscape.

Overview

How can your organization better support your security tool investments and response to a cyberattack? We’ll look at some of the pros and cons around various security organizational structures and how they might influence better outcomes while improving your security posture. While the Sophos report covers the survey details, in this post we’ll look at how – depending on your current organization model – you can best protect your data.

Typical Org Structure Models

  • MODEL 1: The IT team and the cybersecurity team are separate organizations
  • MODEL 2: A dedicated cybersecurity team is part of the IT organization
  • MODEL 3: There is no dedicated cybersecurity team; instead, the IT team manages cybersecurity

Key Takeaways

One of the takeaways from the survey suggests that an integrated security approach as described in MODEL 2 had the best outcomes when facing a cyberattack. This can be a result of several factors:

  • Centralized decisions help ensure consistent policies for operations, configuration standards and integration with monitoring tools.
  • Infrastructure carries security settings and must be enrolled in, or otherwise enabled for, tools like Security Information and Event Management (SIEM), Security Orchestration, Automation and Response (SOAR), and endpoint protection.
  • Cyber Incident Response – with Disaster Recovery falling under a single leader – helps ensure that both are operationalized and tested regularly and consistently.
  • Bi-directional integrations across all security tools allow playbook automations that span host, user, and storage.

Recommendations

  • Incident response starts with aggregating indicators of compromise and a coalescing function that combines events from different detection inputs, allowing SecOps to see the bigger picture.
  • Centralize the response to a security incident and ensure that active data protection steps are included in the response.
  • Make protecting storage-layer data foundational to your incident response, because, more often than not, data storage is the primary target of cybercriminals.
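The "coalescing function" in the first recommendation is easiest to see in code. The following is an added example, not part of the original post and not Superna's or Sophos's code: it takes constructed sample events from four detection inputs (spam gateway, identity provider, endpoint agent, storage platform), groups them by user, and derives an incident severity from how many layers reported on the same user. The severity rule (any storage-layer event combined with another source is treated as high risk of exfiltration) is an assumption chosen for illustration, not a published scoring scheme.

```python
from dataclasses import dataclass, field

# Constructed sample events (not real telemetry). Each detection input emits
# its own record shape; only the fields needed for correlation are kept here.
SAMPLE_EVENTS = [
    {"source": "spam_gateway", "user": "jdoe",   "host": None,      "type": "credential_phish",  "ts": "2024-06-12T09:01:00Z"},
    {"source": "identity",     "user": "jdoe",   "host": None,      "type": "anomalous_login",   "ts": "2024-06-12T09:04:00Z"},
    {"source": "endpoint",     "user": "jdoe",   "host": "WS-1043", "type": "suspicious_process","ts": "2024-06-12T09:06:00Z"},
    {"source": "storage",      "user": "jdoe",   "host": None,      "type": "mass_file_read",    "ts": "2024-06-12T09:09:00Z"},
    {"source": "endpoint",     "user": "asmith", "host": "WS-2210", "type": "suspicious_process","ts": "2024-06-12T09:10:00Z"},
]


@dataclass
class Incident:
    """One incident per user, combining every detection layer that fired."""
    user: str
    sources: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    event_types: list = field(default_factory=list)
    first_seen: str = ""
    last_seen: str = ""

    @property
    def severity(self) -> str:
        # Assumed scoring rule for the example: a storage-layer signal plus any
        # other layer means data is already being touched, so rank it high.
        # Otherwise severity grows with the number of independent layers.
        if "storage" in self.sources and len(self.sources) >= 2:
            return "high"
        if len(self.sources) >= 3:
            return "high"
        if len(self.sources) == 2:
            return "medium"
        return "low"


def coalesce(events) -> dict:
    """Group raw events by user so SecOps sees one incident, not N alerts."""
    incidents = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        inc = incidents.setdefault(ev["user"], Incident(user=ev["user"]))
        inc.sources.add(ev["source"])
        if ev["host"]:
            inc.hosts.add(ev["host"])
        inc.event_types.append(ev["type"])
        inc.first_seen = inc.first_seen or ev["ts"]
        inc.last_seen = ev["ts"]
    return incidents


if __name__ == "__main__":
    for user, inc in coalesce(SAMPLE_EVENTS).items():
        print(f"{user}: severity={inc.severity} layers={sorted(inc.sources)} hosts={sorted(inc.hosts)}")
```

Keying on the user rather than the alert is what lets four separate low-volume alerts become one high-severity incident; the same join on host or on a file share would surface lateral movement or a targeted share instead.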

Let’s use a real-world example of an incident response that becomes streamlined when all layers of the security infrastructure – including the storage layer – are thoughtfully integrated.

Phishing Scenario Example

In this scenario, a spam gateway confirms that a user’s login credentials have likely been phished.

  • The end-user threat is processed by a SOAR platform and an incident is created.
  • SecOps assessment flags the incident as a High Severity Risk of data exfiltration or possible ransomware attack.
  • SecOps uses the SOAR platform to respond to the threat and take action.
    • Runs the Active Directory playbook automation in the SOAR platform, disabling the user’s AD account to prevent new logins.
    • Runs the Endpoint Protection playbook to isolate the workstation from the network, helping to ensure that the host cannot launch additional attacks on other hosts.
    • Runs the Superna Zero-Trust Data Snapshot playbook to create an immutable snapshot of all critical data on corporate storage platforms. This will provide a foundation for data recovery, if required.
    • Runs the Superna Zero-Trust User Lockout playbook to help ensure that the data to which the user had access is now protected against the attacker.
  • Risk to corporate data has been mitigated.
  • Desktop host remediation actions are initiated.
  • Forensics investigation launched, with Superna Data Security Edition analyzing user account activity for the previous 60 days to identify the initial compromise timeline.
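The response steps above are a fixed sequence of playbooks that a SOAR platform drives against the directory, the endpoint agent and the storage platform. The following is an added example, not code from the original post and not Superna's or any SOAR vendor's API: the three connector classes are hypothetical mocks standing in for Active Directory, endpoint protection and a storage platform, and the playbook runner shows the one design point a practitioner should care about, which is that "risk to corporate data has been mitigated" is only declared when every containment step reports success. A failed step (here, a simulated snapshot failure) still lets the later user lockout run, but the incident is marked for analyst escalation instead of closed.

```python
from dataclasses import dataclass, field


@dataclass
class Incident:
    id: str
    user: str
    host: str
    severity: str
    actions: list = field(default_factory=list)   # (playbook name, outcome)
    status: str = "open"


# Hypothetical connectors. Real SOAR integrations would wrap vendor APIs;
# these only record what they were asked to do so the flow can be checked.
class MockDirectory:
    def __init__(self):
        self.disabled = set()

    def disable_account(self, user):
        self.disabled.add(user)


class MockEndpoint:
    def __init__(self):
        self.isolated = set()

    def isolate(self, host):
        self.isolated.add(host)


class MockStorage:
    def __init__(self, fail_snapshot=False):
        self.snapshots = []
        self.locked_users = set()
        self.fail_snapshot = fail_snapshot   # simulate a storage-side error

    def snapshot(self, label):
        if self.fail_snapshot:
            raise RuntimeError("storage platform rejected snapshot request")
        self.snapshots.append(label)

    def lockout_user(self, user):
        self.locked_users.add(user)


def run_high_severity_playbook(incident, directory, endpoint, storage):
    """Containment sequence for a phished account, in the order the post lists."""
    if incident.severity != "high":
        incident.status = "triage"          # lower severities stay with an analyst
        return incident

    steps = [
        ("ad_disable_account",   lambda: directory.disable_account(incident.user)),
        ("endpoint_isolate",     lambda: endpoint.isolate(incident.host)),
        ("storage_snapshot",     lambda: storage.snapshot(f"{incident.id}-pre-remediation")),
        ("storage_user_lockout", lambda: storage.lockout_user(incident.user)),
    ]
    all_ok = True
    for name, action in steps:
        try:
            action()
            incident.actions.append((name, "ok"))
        except Exception as exc:
            # Record the failure and keep going: a missing snapshot is no reason
            # to skip locking the user out of the data they can reach.
            incident.actions.append((name, f"failed: {exc}"))
            all_ok = False

    incident.status = "data_risk_mitigated" if all_ok else "containment_incomplete"
    return incident


if __name__ == "__main__":
    inc = Incident(id="INC-0001", user="jdoe", host="WS-1043", severity="high")
    result = run_high_severity_playbook(inc, MockDirectory(), MockEndpoint(), MockStorage())
    print(result.status, result.actions)
```

Running the same incident against `MockStorage(fail_snapshot=True)` leaves the account disabled, the host isolated and the user locked out of storage, but ends in `containment_incomplete`; that distinction is what keeps a partially successful automation from being reported as a closed incident.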

Summary

This real-world scenario shows how a SIEM or SOAR platform can combine automation from different security platforms to help identify risks and respond without ever leaving the security platform. It also demonstrates the value and importance of storage-aware security integration that allows you to bring cyberstorage capabilities into your incident response workflows.

Cybersecurity takes a lot of time and effort, and many organizations feel that dealing with threats gets in the way of other key initiatives. The conclusions in the Sophos report make it clear that organizations in which the cybersecurity team is embedded within the wider IT team tend to report the best cybersecurity outcomes, relative to the other structures considered.

Consider how your incident response process and tool integration can influence how the security function and incident response sit within your IT organization.

Prevention is the new recovery

For more than a decade, Superna has provided innovation and leadership in data security and cyberstorage solutions for unstructured data, both on-premise and in the hybrid cloud. Superna solutions are utilized by thousands of organizations globally, helping them to close the data security gap by providing automated, next-generation cyber defense at the data layer. Superna is recognized by Gartner as a solution provider in the cyberstorage category. Superna… because prevention is the new recovery!