Cybersecurity Visibility: The Key for Business, Security and SOC Alignment

It has become obvious that visibility is one of the critical pillars for the success of any organization’s cybersecurity program. Research by ESG found that nearly 80% of organizations with a lack of visibility into their assets report roughly three times as many [cybersecurity] incidents.

That sobering statistic is cited in a recent report from SANS, Making Visibility Definable and Measurable, that examines the issue from multiple perspectives. Devo sponsored the SANS report because we built the Devo Platform and our Security Operations application on a foundation of providing cybersecurity visibility into all aspects of an organization’s data, to help align the business, its security strategy, and its security operations center (SOC) team.

Effective cybersecurity is a vital component of the overall health of a business, and the job of the security team and its leaders is to develop and execute a plan — including identifying and deploying the right tools — to ensure the organization’s security is robust and effective. The heartbeat of a healthy cybersecurity program is visibility.

Identifying Stakeholders for Visibility

The SANS report sets up its discussion of cybersecurity visibility by examining the expectations of three key stakeholder groups — senior management, operational security teams, and security operations center (SOC) analysts — regarding organizational security. Not surprisingly, expectations correlate to the roles and responsibilities of each stakeholder group.

Senior management, according to SANS, needs a “concise view of threats and risks, both current and trending.” They need answers to the following questions:

• Is security risk on the rise in my industry?
• Is my organization sufficiently prepared to detect, protect and defend against threats that frequently hit my industry?
• Is the risk my organization faces increasing? Is it decreasing?

Operational security teams need “a high-level (near real-time) view of vulnerabilities, events and threats,” along with the capacity to “see all the details quickly.“ Questions for this group include: 

• Are there signs of malware in our systems? 
• Can we detect whether workforce members are misusing their access? 
• Are we going to pass PCI compliance?

SOC analysts, consistent with their training and job requirements, “concentrate on the baselines of what is considered normal behavior, generally using techniques similar to those used in business analytics.” Key questions for analysts include:

• Which devices are trying to communicate with known malicious sites on the internet?
• What systems are probing our networks?
• Are we seeing any indications of [latest threat]?

Use Cases for Cybersecurity Visibility

Now let’s take a look at the various use cases for each of these groups, how they differ and, most importantly, how they intersect.

A business use case is — not surprisingly — a need identified by senior managers of the business. In the context of security, business use cases most often correlate with one or more security use cases that identify the technical/security needs. For example, keeping proprietary information safe from cyberthreats is the business use case that the security team needs to achieve through their overall cybersecurity program.

An operational security team use case is a technical or security need that supports business goals and objectives. A security use case is designed to mitigate a business risk, improve processes or technology, or facilitate people improvements. Security use cases map to business use cases either directly or indirectly and can have a one-to-many or many-to-one relationship. For example, having a well-planned and executed data security program will help the organization achieve many of its business use cases.

A SOC use case is a technical or security need that supports both business and security goals. It is often quite similar — and often identical — to a security use case. Security use cases will often include a broader definition that encompasses several departments or business units, whereas the SOC use case is very specific and tactical.

Building a Roadmap for Full Visibility

The SANS experts summarize the importance of effective cybersecurity visibility for effective security with these important points:

“Even with the subjective nature of visibility, organizations can take steps to define and then measure it. …SANS has presented an objectives approach—a road map— to help organizations establish a strategy. Given that visibility in a cyber world remains data-driven, here’s some basic advice for moving forward: 

• State your objectives and any assumptions/constraints.

• Decide on your objectives. What questions do you need to answer? What processes must you monitor? Which trends do you want to track? 

• Understand the roles of each audience. The C-suite may not have the same issues (or attention span) as your SOC director or analyst.

• Identify what you need to achieve your objective. What sources and data do you need to monitor the processes or track trends? 

• Frame your outcomes so that your questions have objective answers. Establish meaningful metrics that measure how well things are working and can be used to identify important trends. But be careful to guard against expectation bias. 

• Don’t get caught up in the analytics or presentation/visualization “art.” Let the data and the information speak for itself.

Above all, keep in mind the success patterns for visibility as your organization moves from no visibility through reactive to proactive and ultimately predictive security practices.”