Clearly, this approach hasn’t worked. As analysts continue to get inundated with alerts, not to mention calls from management every time a global cyberattack is in the news, CISOs are looking for ways to make better use of the investments they’ve already made in people and technology. This is where collaboration comes in. Collaboration holds the key to improved time to detection and response, so teams can better address the concerns that permeate the organization when a large-scale attack happens as well as improve how they handle the daily stream of threats that don’t make the headlines.
Collaboration, however, can be a nebulous concept to implement. Who should be collaborating and how? The “who” part is fairly straightforward. Most organizations have Security Operations Center (SOC), Incident Response (IR), Risk Management, Vulnerability Management, Endpoint and Network teams – plus more. Each of these teams must be able to collaborate better within the team itself. But these teams also need to be able to collaborate across teams for the collective good, ultimately improving the security posture of the organization.
The “how” part is next. Collaboration is defined as the action of working with someone to produce something. I’ll call this active collaboration. But there is a second form of collaboration: passive collaboration, which I define as the sharing of information that at some point will further another person’s work. Let’s take a look at both.
Active collaboration. This form of collaboration focuses on engaging with another person to accomplish a shared goal through tasking and coordination. It’s what typically comes to mind when we think of collaboration, but traditionally has been extremely difficult and time-consuming for security professionals to do. The challenge is that most security operations or investigations are rife with chaos as teams act independently and inefficiently with limited visibility into the tasks other teams or team members are performing. With different people or teams working on independent tasks, key commonalities are missed so investigations take longer, hit a dead end or key information just falls through the cracks.
What’s needed is a single collaborative environment that fuses together threat data, evidence and users, so that all team members involved in the investigation process can collaborate. Rather than working in parallel, they can automatically see how the work of others impacts and further benefits their own work. Managers of all the security teams can see the analysis unfolding, which allows them to act when and how they need to, coordinating tasks between teams and monitoring timelines and results. Embedding collaboration into the investigation process ensures that teams work together efficiently to take the right actions faster to more effectively mitigate risk. When investigations and remediation take longer than a typical workday, coordinated efforts can continue because hand-offs across teams and time zones are seamless.
Passive collaboration. The heart of passive collaboration is information sharing. Often, when one team member researches an event or alert and doesn’t find information that is relevant to them, they tend to put that information aside and move on to the next task. Or they may take action based on the information and consider it no longer important. Information sharing requires letting go of the assumption that if something isn’t relevant or no longer important it can be discarded. The reality is that the information could still be important to someone else working in a different context. Even if you recognize this truth, security teams are organized into silos and each uses its own tools, so sharing information across teams to take advantage of potential synergies is complex.
With a central repository that contains all your global threat data, augmented and enriched with context from internal threat and event data, individual team members and different security teams can access the intelligence they need to do their jobs as part of their workflow. Collaboration just happens – no additional effort is required to actively share or directly communicate amongst teams. As they use the repository and update it with observations, learnings and documentation of investigations, they get consistent threat intelligence. The repository can serve as a centralized memory to facilitate future investigations. Everyone can operate from a single source of truth, instantaneously sharing knowledge and using their tools of choice to improve security posture and reduce the window of exposure and breach.
Collaboration dramatically changes and improves how teams and team members detect and respond to threats. For example, in most security operations it’s fairly standard practice that when the SOC detects something malicious, it pushes it to the IR team to manage. But with better active and passive collaboration this scenario no longer exists. Instead, the SOC shares the indicator with the rest of the security operations team for deeper investigation and correlation with other activities. The endpoint and perimeter teams can check hashes and reputation lists to block anything known to be similar to or associated with the attack campaign. Teams can also conduct retrospective analysis to see if an attack is in process or a breach has already occurred and quickly take steps to mitigate risk.
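As an added illustration (not code from the original post or from any product), here is a minimal Python version of the shared repository and retrospective check described above: the SOC shares a domain, the endpoint team enriches the same record with a hash, and the network team re-checks past proxy and EDR log lines for both, which also yields the window of exposure. The indicator values, team names and log lines are constructed sample data.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Indicator:
    """One shared record: any team can append notes or sightings to it."""
    notes: list = field(default_factory=list)      # "team: observation"
    sightings: list = field(default_factory=list)  # (timestamp, team, log line)

def _norm(value):  # one normalization rule for every team that writes to the repository
    return value.strip().lower().rstrip(".")

class ThreatRepository:
    def __init__(self):
        self._items = {}  # keyed by (kind, normalized value)
    def share(self, kind, value, team, note):
        # Any team adds an indicator or enriches an existing one; no hand-off needed.
        self._items.setdefault((kind, _norm(value)), Indicator()).notes.append(f"{team}: {note}")
    def retrospective_search(self, log_lines, team):
        """Re-check past log lines against every known indicator, recording sightings."""
        hits = []
        for ts, line in log_lines:
            # Whole-token match, so an IP like 10.1.2.3 does not match 10.1.2.34.
            tokens = {_norm(t) for t in re.findall(r"[\w.-]+", line)}
            for (kind, value), ind in self._items.items():
                if value in tokens:
                    ind.sightings.append((ts, team, line))
                    hits.append((kind, value, ts))
        return hits
    def exposure_window(self, kind, value):
        """Earliest and latest sighting: how long the indicator went unnoticed."""
        ind = self._items.get((kind, _norm(value)))
        if not ind or not ind.sightings:
            return None
        times = sorted(s[0] for s in ind.sightings)  # ISO timestamps sort as text
        return times[0], times[-1]

# Constructed sample data, not real indicators: a .example domain and a dummy hash.
SAMPLE_DOMAIN, SAMPLE_HASH = "update-check.example", "deadbeef" * 8
PAST_LOGS = [
    ("2024-03-01T09:12", "proxy GET http://update-check.example/a.bin user=alice"),
    ("2024-03-01T09:13", f"edr process a.bin sha256={SAMPLE_HASH} host=ws-07"),
    ("2024-03-02T14:05", "proxy GET http://news.example/ user=bob"),
    ("2024-03-04T08:30", "proxy GET http://Update-Check.example/b.bin user=carol"),
]
def demo():
    repo = ThreatRepository()
    repo.share("domain", SAMPLE_DOMAIN, "SOC", "contacted after phishing alert")
    repo.share("sha256", SAMPLE_HASH, "endpoint", "payload fetched from that domain")
    hits = repo.retrospective_search(PAST_LOGS, "network")  # was it already in our logs?
    return repo, hits
```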
Ultimately, people collaborating by sharing information and engaging with each other to accomplish a shared goal is essential to improve security posture. Not another point product.