Public-sector institutions are at high risk from a variety of threats, everything from nation state reconnaissance to data theft and ransomware. In fact, our latest M-Trends report revealed that government is in the top three targeted industries.
Addressing these threats can be a huge challenge for any organization. Many deploy up to 70 different security tools, and this complexity only ends up reducing visibility for security teams that are likely already stretched thin. On top of that, it’s difficult to know if the technologies being used are actually working and providing value.
Never Assume, Because When You Assume…
In a recent webinar on security effectiveness strategies, we spoke about assumptions—notably how organizations assume products work as promised, that they are deployed correctly, and that teams know how to properly use the tools.
Making these types of assumptions can easily lead to potential issues being overlooked. For example, misconfigurations and default settings can result in security vulnerabilities. Also, incorrect data that is fed into a security information and event management (SIEM) solution can lead to false positives.
These problems can have nasty consequences. In our recent Mandiant Security Effectiveness Report 2020, we revealed that:
- 68% of the time security controls did not prevent or detect detonation in organizations’ environments
- 53% of attacks successfully penetrated organizations’ infrastructures without their knowledge
It is clear that organizations are at high risk of missing the threats that matter. Part of that could be due to a lack of visibility into security effectiveness, which makes it difficult to properly assess risk.
The Need to Measure and Validate Security
Effective security means being able to quantifiably demonstrate that tools are working as they should. For example, with automated testing and validation of security controls, government agencies and public institutions can quickly identify:
- Gaps and vulnerabilities
- Overlaps in security tool capabilities
- Tools that provide the most and least value
When security is automated and quantified, organizations get actionable insights.
For example, threat intelligence can be automatically ingested and tested against threats that are industry-specific—such as ransomware attacks against colleges and universities, and espionage-related threats directed at government agencies. This enables institutions to better assess and contextualize risks.
Another benefit is the ability to rationalize investments. By gaining visibility into which tools have overlapping functionality—and which ones are delivering expected value—CISOs can reduce the number of tools in use, improve integration across the security stack and rationalize spending. This also frees up internal resources to focus on higher-level security initiatives.
Government agencies can also gain visibility into their SIEM effectiveness, rather than assuming the solution works as promised. Validation removes blind spots to reduce false alerts coming out of SIEM. That not only saves security teams’ time, it also goes a long way to ensuring the real threats are detected.
Where to Start
In our work with customers, we have found that a solid first step toward validating security effectiveness is to build a cyber threat profile. We recommend taking into account industry-relevant threats such as nation-state espionage, hacktivism, or ransomware, as well as gaining a clear understanding of current security posture.
Government agencies and public-sector organizations have a significant responsibility to protect private citizen data and services, while also complying with increasingly stringent regulatory rules. The stakes are too high to rely on assumptions that security tools are working as they should or as promised.
Today, organizations have access to capabilities that will enable them to use quantifiable data to demonstrate security effectiveness on a continual basis. Find out more, and read about why security controls are not meeting expectations, by downloading the full Mandiant report.