SOC Archives - IT Solutions Provider - IT Consulting - Technology Solutions (/blog/topic/soc/)

Lessons from Bottomline’s AI-Driven Security Operations
/blog/lessons-from-bottomlines-ai-driven-security-operations/
Published: Thu, 19 Mar 2026 12:45:00 +0000

Over the past decade working with security leaders and SOC teams across industries, I’ve seen the same pattern repeat itself across organizations of every size: security teams may have more visibility than ever before, yet analysts are still overwhelmed trying to determine which alerts actually matter.

Modern IT environments generate enormous volumes of telemetry across cloud platforms, SaaS applications, endpoints, networks, and identity systems. Each platform produces valuable signals, but the combined volume can overwhelm L1 SOC analysts who must decide which alerts require investigation.

This challenge is something we recently discussed with Blaine Brennecke, Director of Security Operations at Bottomline, during a customer conversation about .

“Security teams today are flooded with alerts,” Brennecke explained. “The challenge isn’t collecting more security data. It’s being able to analyze that data quickly enough to identify what actually matters.”

Bottomline’s experience reflects a broader shift happening across the industry. As their security team modernized its SOC environment, they partnered with WEI and AI-driven security automation provider Simbian to rethink how alerts are investigated, triaged, and prioritized.

Their journey highlights a reality many security leaders are now confronting: modernizing the SOC requires more than deploying new tools.

How the SOC Became a “Rube Goldberg Machine”

When I first began working closely with SOC teams and CISOs, most SecOps environments were relatively simple. Teams monitored a handful of core systems using a SIEM, endpoint protection tools, and basic network monitoring. But as today’s CISOs know, the average enterprise environment is far more intricate.

Organizations now operate across hybrid infrastructures that include , remote endpoints, SaaS applications, distributed workloads, and identity-driven access systems. Each environment generates its own telemetry, and analysts must correlate signals across all of them during an investigation.

Over time, the way many SOCs have evolved reminds me of a Rube Goldberg Machine, pictured below. New tools are deployed to solve legitimate visibility gaps, but each platform introduces its own alerts, dashboards, and investigation workflows. The result is an overly complex solution to a relatively straightforward problem: over-designed, difficult to maintain, and ultimately less effective.

Some tools integrate with each other. Some share data with the SIEM. But more often than not, the real integration layer ends up being the SOC analyst sitting in front of the screen.

SOC analysts frequently move between multiple systems just to gather enough context to determine whether activity represents a real threat. Investigations that should take minutes can take far longer when signals must be correlated manually across platforms.

Photo: Audiokinetic Sculpture at Museum of Science in Boston, MA.

The Operational Reality Inside Today’s SOC

During a recent , Senior Director of Security Operations at Bottomline, we discussed challenges that nearly every SOC leader we work with across the market recognizes.

Brennecke’s experience reflects a broader reality across the industry. SOC teams now have unprecedented visibility into their environments. But visibility alone doesn’t solve the operational challenge of detecting and responding to threats quickly enough.

Security analysts must still investigate alerts, correlate signals across tools, and determine whether suspicious activity represents a real attack.

At the same time, security leaders are being asked to improve detection and response capabilities while managing constrained budgets and limited staffing. As Brennecke put it, “A lot of organizations are in the same bucket today. Do more, do it faster, and do it with less.”

To address these challenges, Bottomline began evaluating ways to modernize its investigation workflows. That included exploring new approaches to automation and AI-driven alert analysis.

Working with WEI and Simbian, Bottomline introduced new investigation workflows that help analysts start their work with significantly more context around each alert.

Instead of manually stitching together data from multiple systems, analysts can begin investigations with a clearer picture of what’s happening across the environment.

The Challenges Driving SOC Modernization

Organizations attempting to modernize their SOCs typically encounter several common challenges.

Alert Fatigue: Security analysts may receive thousands of alerts each day from multiple detection tools. Without effective prioritization, distinguishing meaningful threats from routine activity becomes extremely difficult.

Tool Fragmentation: Security technologies deployed across network, endpoint, cloud, and identity environments often operate independently. Each platform produces its own alerts and dashboards, forcing analysts to gather context from multiple sources during an investigation.

Security Data Volume: This is growing as organizations expand their digital infrastructure. Traditional SIEM architectures can struggle to scale efficiently as log volumes increase.

Staffing Constraints: Experienced SOC analysts remain in high demand, and many organizations struggle to recruit and retain the talent needed to manage increasingly complex environments.

These operational pressures are forcing security leaders to rethink how their SOCs are designed and operated.

Why Technology Alone Doesn’t Solve the Problem

SIEM platforms, extended detection and response technologies, and emerging AI-driven investigation tools are helping SOC teams analyze large volumes of telemetry more efficiently. Technologies like Simbian’s AI-driven SOC automation platform can ingest alerts from existing security tools and perform automated investigation and triage steps that traditionally required significant analyst time.

When deployed effectively, these platforms reduce the number of alerts that require manual analysis while helping analysts focus on higher-priority threats.

But deploying new technology without rethinking workflows rarely delivers the results organizations expect.

Analysts still spend significant time investigating alerts manually because the surrounding processes and architecture haven’t evolved alongside the tools. That’s why successful SOC modernization efforts focus not just on technology, but also on architecture, operations, and engineering discipline.

Moving Security “Left of Bang”

WEI’s approach to SOC modernization focuses on helping organizations move their security posture Left of Bang. The concept refers to identifying and disrupting threats earlier in the attack lifecycle so security teams can prevent incidents before they cause operational damage.

Achieving this shift requires a combination of architecture design, technology integration, and operational optimization.

Our cybersecurity experts work closely with organizations to design architectures that unify telemetry across network, endpoint, identity, and cloud environments. This allows SOC teams to investigate threats with greater context and reduces unnecessary signals across multiple platforms.

We also focus heavily on how technologies integrate with one another. Security tools deliver the most value when analysts can move seamlessly between systems during investigations rather than manually stitching together context.

Operational workflows are another critical component. Automation and AI can dramatically reduce repetitive investigation tasks, allowing analysts to focus on deeper threat analysis rather than spending hours triaging alerts.

Through WEI’s demo and integration labs, organizations can also test new security architectures before deployment. This validation process helps reduce implementation risk and ensures that new technologies deliver measurable improvements to SOC operations.

Building the Modern SOC

As organizations like have discovered, SOC modernization is no longer optional. Attack surfaces continue to expand, and the amount of security data generated by modern infrastructure continues to grow. Security teams must adopt new approaches to detection and response if they want to keep pace with evolving threats.

must process large volumes of security data, prioritize high-risk threats, automate investigation workflows, and detect suspicious activity earlier in the attack lifecycle.

For many organizations, this shift is already underway.

“You’re no longer starting from square one,” Brennecke explained. “You’re starting 80 percent of the way down the triage pipeline.”

That change fundamentally alters how SOC analysts spend their time. Instead of sorting through large volumes of alerts, analysts can focus on deeper investigation and response activities.

Achieving this kind of transformation requires integrated architecture, operational alignment, and experienced engineering guidance. Organizations that take this approach are finding they can improve threat detection while reducing the operational burden placed on their SOC teams.

See How Bottomline Technologies Modernized Its SOC

Organizations evaluating SOC modernization initiatives often benefit from seeing how other security teams have approached similar challenges.

In our recent discussion with Bottomline Technologies, we explored how their security team partnered with WEI and Simbian to improve SOC visibility, reduce alert fatigue, and accelerate threat investigations across their environment.

Watch the full conversation to learn how Bottomline redesigned its SOC workflows and how new investigation models are helping analysts begin investigations nearly 80 percent of the way through the triage process.

Next Steps: Led by WEI’s cybersecurity experts and partnering with industry leaders, our cybersecurity assessments provide the insights needed to strengthen your defenses and ensure compliance. Whether you need to identify vulnerabilities, test your incident response capabilities, or develop a long-term security strategy, our team is here to help.

Contact WEI’s cybersecurity experts today to learn more about our assessments and discover how we can support your security goals. In the meantime,  featuring WEI cybersecurity assessments.

How to Measure SOC ROI: The KPIs in Addition to MTTR
/blog/how-to-measure-soc-roi-the-kpis-in-addition-to-mttr/
Published: Tue, 10 Mar 2026 12:45:00 +0000

Measure SOC ROI with modern KPIs and automation solutions that prove impact beyond MTTR and reduce enterprise risk.

Most security leaders rely on Mean Time to Respond or Resolve (MTTR) as their primary board metric because it is measurable and easy to track. However, if MTTR is your only benchmark, you are underreporting the true impact of AI-driven security operations.

Threat volumes are rising as adversaries leverage AI, budgets remain constrained, and of incoming alerts. As a result, MTTR often reflects performance against limited exposure rather than total enterprise risk. To properly understand how to measure SOC ROI, leaders must expand their view and adopt broader SOC KPIs that account for coverage, analyst impact, and measurable risk reduction. Modern SOC automation solutions are changing the economics of detection and response, and your metrics must evolve accordingly.

Here are five KPIs executive leaders should prioritize.

1. Alert Coverage Rate

In many enterprise SOCs, only about 30 percent of alerts receive meaningful investigation due to manual triage limits. Alert Coverage Rate measures the percentage of total alerts fully reviewed.

If your team examines only a fraction of alerts, MTTR applies only to that fraction. AI-driven SOC automation solutions can correlate and prioritize alerts across EDR, SIEM, cloud, and identity tools, enabling near-complete coverage without increasing headcount. When assessing how to measure SOC ROI, start by asking whether you are reviewing all relevant signals.

2. False Positive Reduction and Analyst Lift

Alert fatigue creates operational and business risk. When junior analysts handle high volumes of noise, important signals can be missed. False Positive Reduction measures how effectively automation suppresses non-actionable alerts. Analyst Lift measures the increase in higher-value investigative work your team performs once repetitive triage is automated.

These SOC KPIs connect automation directly to business outcomes: fewer missed threats, stronger productivity, and improved workforce retention. Instead of hiring more entry-level analysts to manage queues, organizations can focus on deeper investigative expertise.

3. Time to Contain

MTTR measures ticket closure; Time to Contain measures how quickly malicious activity is isolated or neutralized. As adversaries compress attack timelines, containment speed directly affects financial exposure and regulatory risk. If SOC automation solutions initiate containment during triage, the potential blast radius is reduced immediately. Among modern SOC KPIs, Time to Contain provides a clearer measure of operational resilience than MTTR alone because it reflects proactive defense.

4. Detection Quality and Severity Accuracy

Not all alerts represent equal business impact. AI-driven triage that incorporates business context improves prioritization. Detection Quality tracks the percentage of true positives correctly identified. Severity Accuracy measures whether incident priority aligns with actual enterprise risk. For leaders evaluating how to measure SOC ROI, these metrics demonstrate improved decision precision. High-risk threats are surfaced faster, and resources are directed where they matter most.

5. Cost Per Alert and Cost Per Incident

Security investments must be financially defensible. Cost Per Alert divides the total SOC expense by the alerts investigated. Cost Per Incident measures the total cost per confirmed incident. When AI increases coverage and reduces manual workload, cost per alert declines even as protection expands.

If your SOC automation solutions reduce cost per incident while improving containment and detection accuracy, you have a strong ROI narrative.

Why MTTR Alone Falls Short

MTTR remains useful, but it does not capture unreviewed alerts, false positive suppression, containment speed, detection accuracy, or cost normalization. Modern SOC KPIs must reflect how AI reshapes security operations. When AI becomes an active participant in triage rather than just another tool, the conversation shifts from ticket management to enterprise risk reduction.

Final Thoughts

To understand how to measure SOC ROI, look beyond MTTR. Prioritize alert coverage, analyst lift, time to contain, detection accuracy, and cost per incident. AI expands coverage, sharpens prioritization, and drives measurable outcomes. Ready to demonstrate stronger ROI? Contact WEI to start the conversation.

Next Steps: In this exclusive WEI Tech Talk, cybersecurity leaders from WEI, Bottomline, and Simbian discuss how AI is changing the future of security operations and what it means for organizations trying to modernize their SOC.

Watch the full discussion below to hear practical insights from security practitioners and technology leaders working at the forefront of modern SOC transformation.

Unlocking Smarter Security Logs And SOC Operations With GenAI
/blog/unlocking-smarter-security-logs-and-soc-operations-with-genai/
Published: Tue, 04 Mar 2025 08:45:00 +0000

GenAI transforms SOC workflows by automating analysis and using smarter logs to streamline alerts, reduce analyst fatigue, and improve threat detection.

The growing complexity of cybersecurity threats makes traditional SOC methods less effective. The overwhelming volume of data and constant alerts can lead to analyst burnout and delayed response times. GenAI offers a solution by modernizing SOC operations, streamlining alert triage, and optimizing log management workflows.

Industry experts have highlighted , emphasizing how AI is driving SOC modernization through transformation, AI-driven applications, data modernization, and log management. We explore these insights and how GenAI for cybersecurity can help enterprise SOC teams be more efficient.


Transforming The SOC With AI

The constant influx of alerts makes it challenging for SOC teams to differentiate between genuine threats and false positives. Analysts often spend excessive time constructing queries and deciphering data, rather than addressing critical incidents.

AI in security operations speeds up threat detection by automating routine tasks. Rather than manually reviewing alerts, analysts can rely on AI-driven threat detection to identify patterns and prioritize incidents. This shift allows teams to concentrate on strategic security initiatives instead of getting bogged down in repetitive processes.

Key advantages of AI in the SOC include the following:

  • Faster alert analysis: AI quickly reviews large volumes of past incident data and matches it with current alerts. This gives security analysts valuable context and actionable intelligence so they can quickly find the root cause of an alert, assess its potential impact, and determine the proper response. The result is drastically reduced investigation time and faster threat containment.
  • Automated triage: AI-powered tools classify and prioritize threat alerts based on their severity and potential impact on the organization. Automating the triage process ensures that security analysts see the most critical and urgent threats first, allowing them to allocate their time and resources effectively. This reduces the risk of overlooking critical alerts and improves the overall efficiency of the SOC.
  • Less alert fatigue: AI refines detection capabilities, thus reducing false positives. By continuously learning from past data and adapting its algorithms, AI more accurately identifies genuine threats and filters out noise, resulting in fewer alerts and improved threat detection accuracy.

As AI plays a larger role in SOC modernization, ensuring security data is properly processed before reaching analysis tools is essential. Without structure and optimization, analysts can become overwhelmed by raw data.

Solutions that refine data processing help SOC teams focus on meaningful insights. , for example, improves data management by filtering, routing, and enriching security data before it reaches SIEM and SOAR tools. This ensures analysts work with high-value data instead of excessive, unstructured information.


Practical AI Applications In The SOC

AI is becoming an integral part of SOC operations, helping teams achieve efficiency across multiple areas. From AI-driven threat detection to smarter security logs, automation is transforming the way security teams analyze data, prioritize threats, and respond to incidents. One particularly impactful application is using GenAI to simplify query generation. Analysts frequently struggle with complex queries, slowing down investigations. AI streamlines this process by enabling a conversational approach to data retrieval.

Other AI use cases in the SOC include:

  • Threat hunting: AI identifies suspicious behaviors based on past attack patterns.
  • Incident response: AI-powered automation speeds up remediation actions, reducing response times.
  • Policy enforcement: AI ensures compliance by monitoring deviations in access logs and configurations.

Managing and analyzing vast amounts of security data is time-consuming for SOC teams, often diverting attention from critical threats. Efficient tools for query building and log analysis can help streamline this process, making it easier for analysts to access relevant insights without unnecessary delays.

One such capability comes from Cribl, which offers solutions designed to simplify data exploration. provides intelligent search and summarization tools, enabling analysts to quickly extract key insights from large datasets without manually sifting through extensive logs.


Data Modernization In Security

SOC teams generate and store massive amounts of security data, but not all of it is useful and relevant. The challenge is determining what data to retain and how to store it cost-effectively.

Rather than storing everything, AI in the SOC helps create smarter security logs by filtering out unnecessary data while preserving valuable insights. This data modernization has several benefits:

  • Better governance: AI categorizes data and retains only what’s relevant.
  • Efficient storage: AI-driven data summarization reduces log sizes without sacrificing critical information.
  • Improved query performance: Well-structured data enables faster searches and analysis.

Organizations need reliable data processing solutions while maintaining compliance. Cribl supports this with tools like Cribl Stream and , which normalize and compress security logs before storage, reducing storage demands and helping maintain compliance.


Optimizing Log Management For Efficiency

As security data expands at an estimated 28% CAGR, organizations need to reevaluate their log management strategies. AI can play a key role in security operations by summarizing logs and reducing noise, making the vast amount of data more manageable. Smarter log management strategies include:

  • Log compression and truncation: AI reduces redundant data, lowering storage costs.
  • Dynamic retention policies: AI prioritizes storing logs that are critical for investigations while archiving less relevant data in cost-effective storage.
  • Automated data classification: AI categorizes logs based on security relevance, making retrieval easier.

For example, AI can condense large volumes of NetFlow data from switches into a concise summary of key network activity. Cribl offers tools to support these strategies, enabling organizations to refine their log management strategies. With tools that help route logs intelligently and store high-volume logs in cost-effective locations, SOC teams can avoid overwhelming their SIEM and analytics systems while maintaining access to meaningful security insights.

Final Thoughts

GenAI is reshaping security operations by automating threat detection, improving alert triage, and optimizing data management. AI-driven threat detection reduces alert fatigue, while smarter security logs help SOC teams focus on valuable insights. As enterprises face growing cyber threats, integrating AI into security operations is now a practical requirement to address sophisticated attacks and data challenges.

WEI’s team of cybersecurity experts helps organizations implement AI-driven SOC modernization strategies. From smarter log management to AI-powered automation, we guide enterprises in optimizing security workflows. If you’re looking to integrate AI-driven solutions in your SOC, reach out to WEI today and take the first step toward a more efficient security operation.

Next Steps: Protecting your organization from cyber threats requires a proactive approach and the right expertise. 

Led by WEI’s cybersecurity experts and partnering with industry leaders, our available cyber assessments provide the insights needed to strengthen your defenses. Whether you need to identify vulnerabilities, test your incident response capabilities, or develop a long-term security strategy, our team is here to help. Click here to access our assessment services. 

Moneyball for Cybersecurity
/blog/moneyball-for-cybersecurity/
Published: Thu, 17 Oct 2024 12:45:00 +0000

Bill Frank is a guest writer for WEI; see his biography and contact information at the end of this article.

Michael Lewis coined the term Moneyball in his eponymous book, published in 2003 and made into a movie in 2011 starring Brad Pitt. Moneyball was about applying analytics to baseball. Billy Beane, the Oakland Athletics General Manager, was the first baseball executive to use analytics to increase the probability of winning games.

Baseball is obviously about the players and constrained budgets. So Beane’s goal was to use analytics to create a better roster of players.

The analytics the Athletics developed were new and contradicted all the “rules-of-thumb” baseball scouts used to select players for over 100 years.

Moneyball for cybersecurity is about applying analytics to cybersecurity to reduce the probability of material financial impact due to cyber-related loss events.

Cybersecurity is about controls – people, processes, and technologies – constrained by budgets and resources. So the objective is to create a better portfolio of controls and to improve collaboration with the business leaders who set cybersecurity budgets.

This requires a new analytical approach that calculates and visualizes the aggregate effectiveness of an organization’s control portfolio across the cyber-related loss events of greatest concern to business leaders. In other words, visualize cyber defenses in dollars.

It can be misleading to project the risk reduction value of a control improvement based on evaluating it in isolation. Yet we do this all the time. Risk reduction is about how a proposed control improvement will work in concert with the other deployed controls.


Why We Need Moneyball for Cybersecurity

There is a cybersecurity paradox. Overall cybersecurity spending increases every year. New frameworks are published, and older ones are updated. In addition, various government agencies are pressuring organizations to improve their cyber postures.

Despite these efforts, the number and financial impact of cyber-related loss events continue to increase.

Some say it’s due to the increasing pace of digital transformation. Others say it’s due to the increase in remote work and cloud computing. Still others say it’s due to a lack of trained cybersecurity professionals.

While those factors may contribute, two issues are more fundamental – prioritizing control investments and justifying cybersecurity budget proposals.

1. Prioritizing Control Investments

A control’s performance when evaluated in isolation does not indicate how effective it will be in reducing risk when deployed in concert with all the other controls. This makes it difficult to select which control improvements should be funded and which should not.

The underlying issue is the complexity of cybersecurity. Organizations deploy dozens of controls. There are hundreds of threat types as defined by MITRE ATT&CK. There are hundreds to thousands of overlapping and intertwined attack paths into and through an organization’s IT/OT estate.

Therefore, each loss event scenario involves thousands of overlapping end-to-end kill chains. Adding to the complexity, many controls appear on many kill chains and many controls appear in multiple loss event scenarios.

In addition, it’s difficult to compare controls across different IT domains. How do you compare the value of a network control to an endpoint control? How do you compare the value of identity and access controls to malware detection controls? How do you compare left-of-bang to right-of-bang controls?

2. Justifying Cybersecurity Budgets

Security leaders often have difficulty justifying proposed control investments to the business leaders who set cybersecurity budgets due to the security metrics – business risk gap. Security teams use a wide range of technical metrics to monitor control performance that business leaders do not understand.

Business leaders know that cyber risk is business risk. Business leaders want to manage cyber risk as they do other strategic risks. They are frustrated by the difficulties of collaborating with security leaders who don’t speak their language – money.

Business leaders want to know how control investments will reduce the probability of material financial impact due to cyber loss events. To get their budget requests approved, security leaders need a credible approach to bridge the security metrics – business risk gap.

Implementing Moneyball For Cybersecurity

Monaco Risk’s advisory services use its patented Cyber Defense Graph to make Moneyball for Cybersecurity useful to security teams and credible to business leaders.

Better control selection

Monaco Risk’s Cyber Defense Graph statistical simulation solves the exponential kill chain problem described above. All of the kill chains related to a loss event scenario are analyzed together taking into consideration the capabilities, coverage, and governance of the controls involved.

Figure 1: This is an example of Monaco Risk’s modular Cyber Defense Graphic. Threats enter from the left. Threats move along attack paths shown as arrows. Controls are shown as boxes. Loss events result from threats that are not blocked by controls.

The resulting kill graphs display the critical path weaknesses into and through the organization’s IT/OT estate.

We generate tornado charts to show each control’s current and potential contribution to the aggregate effectiveness of the control portfolio.

Figure 2: Tornado Chart example showing the contribution of individual controls to “aggregate control effectiveness.”

In addition, we aggregate control effectiveness across multiple kill graphs.

We have also developed a set of standardized control parameters that enables the Cyber Defense Graph software to compare the risk reduction value of disparate types of controls. We can compare network controls to host controls, identity/access controls to malware prevention controls, and left-of-bang controls to right-of-bang controls.

This improves the decision-making process for prioritizing control selection by showing how alternative control improvements will reduce the probability of material financial impact due to cyber-related loss events.

Improved collaboration with business leaders

Better collaboration with business leaders who set cybersecurity budgets hinges on bridging the security metrics – business risk gap. The Cyber Defense Graph enables credible business risk reduction analysis, in dollars, of alternative control investments.

We generate Loss Exceedance Curve charts to show the potentially catastrophic nature of cyber-related loss events. These charts also show, in dollars, how alternative control improvements reduce the probability of material financial impact of loss events.

Figure 3: This example of a Loss Exceedance Curve chart shows how selected alternative control improvements will reduce the probabilities of dollar losses exceeding three thresholds shown as vertical lines.
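As an added illustration (not Monaco Risk’s patented model or code), the following Python works through the three ideas above on a constructed example: an exact kill-graph calculation of the loss-event probability, the per-control current-versus-potential figures behind a tornado chart, and a loss exceedance comparison of a baseline portfolio against one alternative control improvement. The control scores, kill chains, attack frequency and loss severity distribution are all assumed values.

```python
"""Simplified kill-graph and loss-exceedance illustration (added example,
not Monaco Risk's Cyber Defense Graph). All parameters are constructed."""
import math
import random
from itertools import product

# Constructed control parameters: capability, coverage and governance in [0, 1].
# ASSUMPTION: a control blocks a threat with probability equal to their product.
CONTROLS = {
    "email_filter":   {"capability": 0.90, "coverage": 0.95, "governance": 0.90},
    "edr":            {"capability": 0.85, "coverage": 0.80, "governance": 0.85},
    "mfa":            {"capability": 0.95, "coverage": 0.60, "governance": 0.90},
    "segmentation":   {"capability": 0.70, "coverage": 0.50, "governance": 0.80},
    "backup_restore": {"capability": 0.90, "coverage": 0.90, "governance": 0.70},
}

# Constructed kill chains for one loss-event scenario (a ransomware outage).
# A loss event occurs when every control on at least one chain fails to block.
KILL_CHAINS = [
    ["email_filter", "edr", "segmentation", "backup_restore"],  # phishing entry
    ["mfa", "segmentation", "backup_restore"],                   # stolen credentials
    ["edr", "backup_restore"],                                   # exposed service
]


def block_probability(ctrl):
    return ctrl["capability"] * ctrl["coverage"] * ctrl["governance"]


def loss_event_probability(controls, chains):
    """Exact P(threat reaches a loss event). Every combination of control
    outcomes is enumerated, so a control shared by several chains is counted
    once rather than being treated as independent per chain."""
    names = sorted({c for chain in chains for c in chain})
    p_block = {n: block_probability(controls[n]) for n in names}
    total = 0.0
    for outcome in product((True, False), repeat=len(names)):
        held = dict(zip(names, outcome))
        weight = 1.0
        for n in names:
            weight *= p_block[n] if held[n] else 1.0 - p_block[n]
        if any(all(not held[c] for c in chain) for chain in chains):
            total += weight
    return total


def aggregate_effectiveness(controls, chains):
    return 1.0 - loss_event_probability(controls, chains)


def tornado(controls, chains, potential=0.95):
    """Tornado-chart rows: raise one control's three scores to `potential` at a
    time and record (name, current effectiveness, potential effectiveness)."""
    base = aggregate_effectiveness(controls, chains)
    rows = []
    for name, ctrl in controls.items():
        boosted = {k: max(v, potential) for k, v in ctrl.items()}
        improved = aggregate_effectiveness({**controls, name: boosted}, chains)
        rows.append((name, base, improved))
    return sorted(rows, key=lambda r: r[2] - r[1], reverse=True)


def _poisson(rng, lam):
    # Knuth's method; adequate for the small means used here.
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def make_draws(years=20000, attempts_per_year=12.0, median_loss=5e5, sigma=1.2, seed=7):
    """Pre-draw (success-uniform, severity) pairs per simulated year so that
    alternative control portfolios are evaluated on identical random numbers."""
    rng = random.Random(seed)
    mu = math.log(median_loss)  # assumed lognormal severity, median $500k
    return [[(rng.random(), rng.lognormvariate(mu, sigma))
             for _ in range(_poisson(rng, attempts_per_year))] for _ in range(years)]


def loss_exceedance(controls, chains, thresholds, draws):
    """Loss exceedance curve points: fraction of simulated years whose total
    loss exceeds each dollar threshold under this control portfolio."""
    p_loss = loss_event_probability(controls, chains)
    annual = [sum(sev for u, sev in year if u < p_loss) for year in draws]
    return {t: sum(1 for a in annual if a > t) / len(annual) for t in thresholds}


if __name__ == "__main__":
    draws = make_draws()
    thresholds = (1e6, 5e6, 2e7)
    print("aggregate effectiveness: %.3f" % aggregate_effectiveness(CONTROLS, KILL_CHAINS))
    for name, cur, pot in tornado(CONTROLS, KILL_CHAINS):
        print("  %-15s current %.3f -> potential %.3f" % (name, cur, pot))
    # Alternative investment under evaluation: widen segmentation coverage only.
    alt = {**CONTROLS, "segmentation": {**CONTROLS["segmentation"], "coverage": 0.90}}
    for label, cfg in (("baseline", CONTROLS), ("segmentation+", alt)):
        print(label, loss_exceedance(cfg, KILL_CHAINS, thresholds, draws))
```

Because both portfolios are scored against the same pre-drawn attempts, the improved portfolio's exceedance probability can never exceed the baseline's at any threshold, which keeps the comparison free of simulation noise.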

Simply claiming a particular control improvement will reduce risk by X% is not sufficient. As my teachers used to say, “Show me the work!” What are your underlying assumptions? Have you evaluated lower-cost controls? How do they compare to the ones you are proposing?

Are there any controls we can eliminate to save money? Can we negotiate lower prices on controls we need for compliance but don’t significantly reduce the risk of a cyber event?

The Moneyball for Cybersecurity Analogy

I am not the first to use the Moneyball analogy for cybersecurity. It has been used to focus on cybersecurity workforce development, and it was also used by a cyber insurance company. Since Moneyball was about player selection, clearly Moneyball can and should be applied to cybersecurity team selection and development.

We take Moneyball a step further by applying it to processes and technologies as well as people, i.e. all controls.

Let me know what you think!

The Evolution of Cybersecurity Threats: Lessons from the Frontlines (/blog/the-evolution-of-cybersecurity-threats-lessons-from-the-frontlines/, Tue, 30 Jul 2024)

The Evolution of Cybersecurity Threats: Lessons from the Frontlines

Cybersecurity has become one of the most critical aspects of modern business operations, especially for IT executives tasked with safeguarding their organization’s digital assets. As cyber threats evolve in complexity and scale, understanding their progression and learning from past incidents is crucial for building resilient defenses. The insights shared during WEI’s recent event provide IT security leaders a valuable perspective on the major cybersecurity incidents of our time and how they have shaped current strategies.

Understanding Major Cybersecurity Incidents

Several high-profile cybersecurity incidents have dramatically influenced the cybersecurity landscape. Two notable examples are the SolarWinds and Colonial Pipeline attacks. These events not only exposed significant vulnerabilities but also underscored the importance of robust cybersecurity practices and the need for continuous evolution in defense strategies.

SolarWinds Attack

The SolarWinds attack, first identified in 2020 and regarded as one of the most sophisticated cyber espionage campaigns ever seen, was a stark reminder of the vulnerabilities inherent in supply chain security. In this attack, Russian hackers infiltrated SolarWinds’ software development process, embedding a backdoor into a widely used network management tool, Orion. This malicious code was distributed to thousands of SolarWinds customers, including several U.S. government agencies and Fortune 500 companies.

Although the SolarWinds event took place four years ago – an eternity in the cyber world – the lessons learned from this incident, explained in greater detail later in this article, still carry heavy weight. The implications of this breach highlighted the need for organizations to scrutinize their supply chains and enforce stringent security measures throughout. Additionally, it emphasized the importance of having robust incident response plans and advanced threat detection capabilities. Organizations had to reassess their security postures and adopt a zero-trust approach to mitigate such risks in the future.

Colonial Pipeline Ransomware Attack

The Colonial Pipeline ransomware attack demonstrated the crippling potential of cyber threats on critical infrastructure. In May 2021, a ransomware group named DarkSide targeted Colonial Pipeline, one of the largest fuel pipelines in the U.S. The attack forced the company to shut down its operations, leading to fuel shortages and highlighting the vulnerability of essential services to cyberattacks.

This incident underscored the importance of not only protecting IT networks but also securing operational technology (OT) environments. It drove home the necessity for cross-sector collaboration between government and private entities to safeguard critical infrastructure. Moreover, it spurred discussions on the role of regulatory frameworks and the need for organizations to develop robust cyber resilience strategies, including comprehensive backup and recovery plans.

Watch: WEI Cyber Warfare & Beyond Roundtable Discussion



Key Lessons Learned, According To Cyber Thought Leader Michael Sikorski

WEI’s Cyber Warfare & Beyond roundtable discussion featured several prominent panelists to offer their take on the geopolitical landscape and how cybersecurity fits into that equation. Among them was Chief Technology Officer of Palo Alto Networks’ Unit 42, Michael Sikorski. Known as “Siko” in cyber circles, the highly respected thought leader and colleague of mine offered several key lessons from these events for IT executives to consider when enhancing their cybersecurity posture. They include:

  1. Investing in Advanced Threat Detection and Response

Advanced persistent threats (APTs) and sophisticated ransomware attacks require equally advanced detection and response capabilities. In keeping with the “Left of Bang” approach WEI has emphasized in the past, investing in next-generation security tools, such as artificial intelligence (AI) and machine learning (ML) driven solutions, can help organizations detect anomalies and respond to threats in real time. Endpoint detection and response (EDR) and extended detection and response (XDR) solutions are becoming increasingly vital in this regard.

To expand on XDR, the solution is typically capable of working across all valuable data sources, including network, endpoint, cloud, and identity, to deliver a unified view of the attack landscape. It integrates this valuable data to help analysts expose complex attack patterns by breaking down silos.

The solution, when optimally deployed, uses the latest threat data combined with powerful ML and analytics to provide key insights into system behavior, network traffic, and user activity. By integrating multiple endpoint security tools, it allows security teams to address the full scope of security operations without deploying additional software or hardware.

  2. Importance of Supply Chain Security

The SolarWinds attack was a wake-up call regarding the security of supply chains. Organizations must extend their cybersecurity practices beyond their internal networks to include third-party vendors and partners. Implementing rigorous security assessments and continuous monitoring of supply chain partners is crucial. Additionally, organizations should adopt a zero-trust approach, assuming that any component of their supply chain could be compromised and planning their defenses accordingly.

“There’s another SolarWinds (breach), multiple SolarWinds out there that we don’t know about yet,” said Sikorski. “And I think that we need to think about the building of software that gets distributed to these companies as a national security issue. And until we do that and think about how to get the production, worry about the supply chain down, the risk is just going to get bigger and bigger.”

WEI Webinar: Cloud App Protection Using Code To Cloud Intelligence With Prisma Cloud



  3. Need for Comprehensive Incident Response Plans

Both the SolarWinds and Colonial Pipeline incidents highlighted the importance of having a well-defined incident response plan. Such plans should include clear protocols for detecting, responding to, and recovering from cyber incidents. Regularly testing these plans through simulations and drills can help ensure that all stakeholders are prepared to act swiftly and effectively in the event of a breach.

Combining the left-of-bang approach mentioned above with right-of-bang technologies creates a stronger incident detection and response system. The left-of-bang mindset focuses on preventing attacks, while the right-of-bang approach analyzes post-attack data to improve prevention strategies. Information from post-attack analysis, such as how the attack occurred and specific threat indicators, enhances situational awareness and helps prevent future incidents. IT security leaders should aim to disrupt any indicator of an attack early on, as early detection and prevention are the most effective strategies.

  4. Embracing a Zero Trust Architecture

The Zero Trust model, which assumes that threats could exist both inside and outside the network, is becoming a cornerstone of modern cybersecurity strategies. This approach involves continuously verifying the identity and integrity of devices, users, and applications accessing the network. Implementing Zero Trust principles can help organizations limit the potential impact of breaches and enhance overall security.

WEI, a leader in network security, has embraced Zero Trust as a core guiding principle even before the term was coined. WEI focuses on robust segmentation and micro-segmentation strategies to minimize the impact and blast radius of attacks. While no single product can deliver Zero Trust, WEI prioritizes Zero Trust network access (ZTNA) solutions to ensure clients have secure access to critical applications.

  5. Enhancing Collaboration and Information Sharing

Cyber threats often transcend organizational boundaries, making collaboration and information sharing vital. Public-private partnerships, like those seen in the response to the Colonial Pipeline attack, can enhance collective cybersecurity efforts. Organizations should participate in information sharing and analysis centers (ISACs) and other industry groups to stay informed about emerging threats and best practices.

  6. The Role of Cybersecurity Leadership

For IT executives, these lessons underscore the need for proactive leadership in cybersecurity. As stewards of their organizations’ digital security, IT leaders must advocate for and implement comprehensive cybersecurity strategies that address both current and emerging threats. This involves not only investing in the right technologies but also fostering a security-first mindset across the organization.

Additionally, IT executives should lead efforts to identify and mitigate risks before they materialize into full-blown incidents. This involves conducting regular risk assessments, vulnerability scans, and penetration testing to identify and address weaknesses in the organization’s defenses. By taking a proactive approach to risk management, IT leaders can reduce the likelihood of successful cyberattacks.

  7. Strategic Investment in Cybersecurity

Allocating sufficient resources to cybersecurity is essential. IT executives must ensure that their organizations invest in the latest security technologies and maintain up-to-date defenses. This includes not only purchasing advanced security tools but also investing in ongoing training and professional development for cybersecurity staff.

Conclusion

The evolution of cybersecurity threats demands constant vigilance and adaptation. High-profile incidents like the SolarWinds and Colonial Pipeline attacks have provided valuable lessons that can guide IT executives in strengthening their organizations’ defenses. By focusing on these proven strategies, organizations can better protect themselves against the ever-changing landscape of cyber threats.

As cybersecurity continues to evolve, the role of IT executives in leading these efforts is more critical than ever. Through proactive risk management, strategic investment, and effective stakeholder engagement, cybersecurity leaders can ensure that their organizations are well-prepared to face the challenges of today and tomorrow. Contact WEI’s proven cybersecurity experts if you would like to learn how your enterprise can conduct any of these strategies more efficiently.

Next Steps: Palo Alto Networks’ commitment to developing a groundbreaking solution for modern SOCs has culminated in the creation of a new security platform, Cortex XSIAM. This next-gen platform is designed to propel SOCs beyond the capabilities of traditional SIEM systems, setting a new standard in the industry.

Learn more about this cloud-based, integrated SOC platform, which includes best-in-class functions such as EDR, XDR, SOAR, ASM, UEBA, TIP, and SIEM.


Maximizing Incident Response with a Modern SOC (/blog/maximizing-incident-response-with-a-modern-soc/, Fri, 31 May 2024)

Maximizing Incident Response With A Modern SOC

The goal of every security organization is to protect its data. This mission has become increasingly complex in the face of an expanding attack surface and increasingly sophisticated and frequent attacks waged by relentless adversaries. Effectively responding to security incidents requires the Security Operations Center (SOC) to validate alerts and provide the IR team with critical details on the scope of the threat so they can quickly and reliably remediate the issue. However, several obstacles hinder the SOC from gaining the necessary visibility to deliver this critical insight.

Today’s SOC must monitor security across a wider digital footprint that can span multiple data centers, multi-cloud, software-as-a-service (SaaS) providers, various domains and more. Gaining visibility across this enlarged IT surface can be challenging as many environments require their own tools. The lack of integration between specialized tools greatly increases the volume and frequency of alerts, making it difficult for SOC analysts to keep pace. This often results in a high burnout rate of Tier 1 SOC analysts, who typically triage alerts.

The existing three-tiered SOC structure also limits understanding of the threat landscape. Tier 1 SOC analysts manage individual alerts, without an opportunity to view them in a larger context. This restricts their ability to build threat intelligence, assess alert efficacy and deliver a comprehensive picture of the incident to the IR team. Without the necessary experience and visibility, many Tier 1 analysts escalate alerts unnecessarily to higher tiers, pulling senior analysts away from verified events that need their attention.

To manage today’s more complex security demands and provide the IR team with the intelligence it needs to address threats quickly and effectively, the SOC model needs to evolve. WEI can help organizations maximize their IR capabilities with a modern SOC.

Modernizing the SOC

When it comes to security, time is of the essence. The inherent silos of the legacy SOC can impact an analyst’s ability to triage and tune alerts and arm the IR team with a full view of a threat. Without this thorough understanding, IR can lose precious time trying to piece this information together.

The modern SOC requires a new level of integration that speeds its team’s ability to assess alerts for efficacy and deliver the full scope of a threat, including the impacted systems, users and networks; the incident timeline; the initial access vector; identified activities and behaviors; and the tools utilized, to IR. This enhanced visibility can help IR remediate issues quickly and contain them at a micro level without impacting more systems, business units and users than necessary. It can also help IR understand root cause to ensure a threat is not lying dormant, waiting to reestablish a foothold.

To improve threat awareness, organizations must modernize three key areas of their SOCs:

  • The SOC team structure
  • The security platform
  • The SOC-IR relationship

Read: Achieve Comprehensive Endpoint Security With Cortex XDR and WEI

Integrate the SOC Team

By moving away from the tiered, legacy SOC structure, in favor of a more integrated SOC, analysts can see other aspects of the security investigation and response pipeline to help build their awareness of the threat landscape. This broader context helps the SOC more definitively verify existing alerts and provide IR with the critical details it needs to remediate the threat, identify its root cause and return the environment to a healthy state. This awareness also helps analysts fine tune alerts to improve their future efficacy.

Many organizations are also outsourcing triage duties to managed security service providers (MSSPs), staffing their internal SOCs with more experienced analysts.

Utilize an Integrated Platform

The modern SOC should also employ a holistic platform, enabled by artificial intelligence (AI), analytics and automation, to aggregate alerts across disparate sources. These advanced technologies can identify alert commonalities to form a more comprehensive understanding of a potential threat. They can also group similar alerts to reduce the volume of notifications the SOC must manage. This can help temper the burnout rate of SOC analysts, helping organizations retain knowledgeable analysts.

With improved insight into a threat, the SOC can provide the IR team with a concise package of intelligence to help them more quickly contain a threat. Additionally, by automating specific security tasks, the platform helps speed responses to limit potential damage and better protect the organization.

Foster a Symbiotic Relationship Between the SOC and IR

While the SOC commonly feeds data to the IR team, IR should also relay its findings back to the SOC. This reciprocal relationship helps strengthen threat intelligence, offering a more complete, real-world security picture that bolsters alert management, IR and the overall security posture. This closed-loop feedback cycle should also extend beyond the SOC and IR teams to include cloud engineers, service providers and other IT stakeholders to ensure all recurring issues and vulnerabilities are addressed fully and do not continue to impact the organization.

Video: Harnessing A Diverse Talent Pipeline For Cybersecurity Personnel



Strengthening IR with Preparedness Training

To be truly impactful, the modern SOC should carry forward the best practice of preparedness training. Simulations such as tabletop exercises enable security teams to rehearse their IR, ensuring all team members recognize and can execute their duties seamlessly during a real incident. Conducting frequent simulations of specific security events also allows the team to iron out issues and adapt specific responses, if necessary.

In addition to regular exercises with the security team, an enterprise-wide simulation should be performed at least annually to encourage mindfulness that security is everyone’s responsibility. Additionally, the security team should involve nontechnical stakeholders, such as general counsel, business partners and the public relations team, in select sessions to ensure they understand their roles as well.

WEI is Your Trusted Partner

Modernizing the SOC can be challenging for organizations without deep-seated security experience. WEI’s seasoned security experts can help organizations redesign their SOCs to integrate the structure, technology and practices required to effectively triage and tune alerts in a fast-paced and ever-evolving threat landscape.

WEI partners with the world’s most lauded technology providers, yielding expertise in the modern tools designed to address increasingly complex security demands. Working as an extension of an organization’s internal team, WEI gains a thorough understanding of the organization’s goals, direction and requirements. Our knowledgeable team can help organizations navigate the full spectrum of security needs, from assessing the current environment and building an innovative security strategy to implementing the tools, platforms and processes necessary to manage risk effectively. Contact us today to get started.

Next Steps: Following a cyber incident, cybersecurity teams often resort to their data sources to identify how the incident transpired. While analyzing these data sources, a critical question must be asked: what prevented cyber personnel from stopping the cyberattack in real time?

In this data-driven era, cybersecurity practices have increasingly focused on the prevention phase, made possible by leveraging the data already present in a cybersecurity environment. Prevention is your first line of defense; it is time to leverage its power and potential.

Learn more about this cloud-based, integrated SOC platform, which includes best-in-class functions such as EDR, XDR, SOAR, ASM, UEBA, TIP, and SIEM.

6 Benefits That WEI And Palo Alto’s Cortex XSIAM Can Offer Your SOC (/blog/6-benefits-that-wei-and-palo-altos-cortex-xsiam-can-offer-your-soc/, Tue, 21 May 2024)

6 Benefits That WEI And Palo Alto’s Cortex XSIAM Can Offer Your SOC

Time is a precious commodity, something that most people wish they had more of. This includes the security operations center (SOC), as analysts are constantly under pressure to stay ahead of cyberattack methodologies to better ensure business continuity. And as sharp as our experts are, the team at WEI cannot create more hours for the day. Still, we can streamline and automate your security operations to effectively make it seem like we have done just that. Enhanced time efficiency is just one of six proven benefits that WEI, in collaboration with Cortex XSIAM by Palo Alto Networks, can offer.

1. Improved MTTD & MTTR

It may sound simplistic, but staying ahead of attackers is crucial for securing your enterprise. By reducing mean time to detect (MTTD), cyber teams are given more time to respond effectively. Meanwhile, lowering your mean time to respond (MTTR) minimizes the impact of attacks, prevents their spread, and ensures greater business continuity. While the technology behind this is complex, let’s focus on a single impactful metric to illustrate it. In one customer success story, MTTR improved dramatically from 3 days to just 16 minutes. What’s more, this was achieved while handling 10 times more data. Another key metric was a 75% reduction in the number of incidents that required an investigation. All this highlights how AI-driven outcomes and an automation-first approach can significantly streamline security operations and speed up incident response.

2. Consolidation Of Disparate SOC Tools

A war chest of security tools may seem advantageous on paper, but managing a multitude of disparate SOC tools often leads to increased workload, inefficient workflows, and reduced clarity. Having to navigate between multiple products and consoles costs time that makes a real difference when under serious attack, especially if your team is not proficient in all of the tools.

WEI’s modern SOC specialists can demonstrate how consolidating data from various security tools into a single platform like Cortex XSIAM not only offers a more cohesive view of your security landscape but also simplifies the management of these tools. Remember, a unified defense is often the most effective defense. By centralizing operations into a single platform, training requirements are reduced, and management tasks are streamlined, enhancing overall SOC efficiency.


Figure 1: The analyst incident management view provides a full summary of actions automatically taken, the results, and all remaining suggested actions. A drill-down incident timeline is presented to the analyst if further investigation and response is required. This is also complemented by broad XSIAM intelligence from all analytics and functions.

3. Leverage Native AI And ML Models

AI and ML models are streamlining workloads across today’s organizations, making it clear that business processes can no longer depend on manual tasks. The same goes for the modern SOC. Amid intensifying attacks, it’s essential to expand your visibility into potential security threats. With so many alerts pouring in from so many tools, SOC analysts struggle to prioritize which alerts to handle first and to correlate events into a coherent picture.

WEI believes it is time to redefine SOC architecture into an automation-first approach. This involves leveraging historical data with machine learning to anticipate potential future security threats and vulnerabilities. It also means using machine learning and behavioral analysis to profile users and entities to identify patterns that may suggest a possible threat. Even better is the predictive capability of XSIAM that allows SOCs to proactively address security gaps and strengthen defenses before attackers can exploit them. By integrating AI and ML, WEI can transform your traditional reactive SOC operations into proactive, predictive security powerhouses that are designed to significantly enhance the security posture of your organization.

WEI Podcast: Discussing The Modern SOC, IR & Threat Hunting

4. Extend SOC Visibility And Control

Has your security visibility kept pace with the expansion of your IT estate? If you utilize the cloud, then you need eyes in the sky as well as visibility into your remote computing edge. WEI knows how to consolidate data from various sources across the network, including endpoints, cloud environments, and third-party security tools.

This capability starts with full visibility into the logs and alerts from all your external sources. By seamlessly integrating with your existing security infrastructure, including firewalls, intrusion detection systems, and endpoint protection platforms, you gain enhanced visibility across all these layers. This integration enables more coordinated control over your security environment, allowing for a more comprehensive and effective security strategy. By centralizing data into one platform, SOCs gain a holistic view of their security posture.

5. Minute-By-Minute Threat Detection

As threat actors enhance their tactics, it’s crucial to advance your threat detection methods accordingly. XSIAM’s integrated threat intelligence platform allows it to process and analyze vast volumes of data at high speed to ensure that any anomalous or potentially harmful activity is identified in real time. Security threats are seldom signaled by a single, clear indicator. XSIAM’s intelligence capabilities are designed to piece together low-confidence events and detect patterns that warrant high-confidence alerts. XSIAM then uses predefined security playbooks and AI recommendations to initiate responses without human intervention, enabling immediate action against threats to mitigate risks. WEI can provide you with a cloud-native architecture that can automatically scale dynamically based on the volume of data and threat intensity to ensure constant security even during peak loads.
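As an added example (not Cortex XSIAM’s logic or any vendor’s code), the following Python illustrates the two behaviours described in this section and in the “Utilize an Integrated Platform” section of the modern SOC post above: grouping alerts from disparate tools into one incident, and combining several low-confidence signals into a single high-confidence score that warrants escalation. The alert format, the sample alerts, the 60-minute grouping window and the 0.80 escalation threshold are all constructed assumptions.

```python
"""Added example: group low-confidence alerts from several tools into scored
incidents. Illustrative only; alert format and thresholds are constructed."""
from datetime import datetime, timedelta

# Constructed sample alerts. Each tool reports its own confidence in [0, 1];
# taken alone, none of these would justify pulling in a senior analyst.
SAMPLE_ALERTS = [
    {"ts": "2024-05-21T09:01:00", "source": "email_gateway", "host": "wks-101",
     "title": "Suspicious attachment delivered", "confidence": 0.30},
    {"ts": "2024-05-21T09:04:00", "source": "edr", "host": "wks-101",
     "title": "Office process spawned PowerShell", "confidence": 0.40},
    {"ts": "2024-05-21T09:09:00", "source": "identity", "host": "wks-101",
     "title": "Burst of MFA prompts for user", "confidence": 0.35},
    {"ts": "2024-05-21T09:15:00", "source": "firewall", "host": "wks-101",
     "title": "Outbound connection to newly registered domain", "confidence": 0.30},
    # A noisy rule firing repeatedly on one server: same source, same finding.
    {"ts": "2024-05-21T09:10:00", "source": "edr", "host": "srv-db-02",
     "title": "Unsigned DLL loaded", "confidence": 0.20},
    {"ts": "2024-05-21T09:11:00", "source": "edr", "host": "srv-db-02",
     "title": "Unsigned DLL loaded", "confidence": 0.20},
    {"ts": "2024-05-21T09:12:00", "source": "edr", "host": "srv-db-02",
     "title": "Unsigned DLL loaded", "confidence": 0.20},
    # Same workstation hours later: outside the window, so a separate incident.
    {"ts": "2024-05-21T13:30:00", "source": "email_gateway", "host": "wks-101",
     "title": "Suspicious attachment delivered", "confidence": 0.30},
]

ESCALATE_AT = 0.80  # assumption: combined score that warrants analyst attention


def _ts(alert):
    return datetime.fromisoformat(alert["ts"])


def incident_score(alerts):
    """Combine confidences from distinct sources as 1 - prod(1 - c). Repeated
    alerts from one source do not stack; only that source's best one counts,
    so a noisy rule cannot talk itself into an escalation."""
    best = {}
    for a in alerts:
        best[a["source"]] = max(best.get(a["source"], 0.0), a["confidence"])
    survival = 1.0
    for c in best.values():
        survival *= 1.0 - c
    return 1.0 - survival


def group_alerts(alerts, window_minutes=60):
    """Group alerts that share a host and fall within `window_minutes` of the
    first alert in the group; then score each group and flag escalations."""
    window = timedelta(minutes=window_minutes)
    incidents = []
    for a in sorted(alerts, key=_ts):
        for inc in incidents:
            if inc["host"] == a["host"] and _ts(a) - inc["first_seen"] <= window:
                inc["alerts"].append(a)
                break
        else:
            incidents.append({"host": a["host"], "first_seen": _ts(a), "alerts": [a]})
    for inc in incidents:
        inc["sources"] = sorted({a["source"] for a in inc["alerts"]})
        inc["score"] = incident_score(inc["alerts"])
        inc["escalate"] = inc["score"] >= ESCALATE_AT
    return incidents


if __name__ == "__main__":
    incidents = group_alerts(SAMPLE_ALERTS)
    print("%d alerts -> %d incidents" % (len(SAMPLE_ALERTS), len(incidents)))
    for inc in incidents:
        print("%-10s %s  alerts=%d sources=%s score=%.2f escalate=%s" % (
            inc["host"], inc["first_seen"].time(), len(inc["alerts"]),
            ",".join(inc["sources"]), inc["score"], inc["escalate"]))
```

Four weak signals from four different tools on wks-101 combine to a score above the threshold, while three repeats of the same EDR finding on srv-db-02 collapse into one low-scoring incident.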

6. MITRE ATT&CK Leading Endpoint Protection

Security professionals increasingly acknowledge the importance of integrating the MITRE ATT&CK Framework into their security strategies. XSIAM features a dedicated dashboard for this comprehensive framework, providing teams with a detailed view of the protection modules and detection rules tailored to each specific MITRE tactic and technique. This integration enables XSIAM to precisely understand the techniques and tactics used by adversaries, allowing for the customization of its detection mechanisms.

This heightened sensitivity to known adversarial patterns enhances both the accuracy and relevance of incoming alerts. WEI security specialists have been guiding clients on how to effectively integrate the MITRE ATT&CK framework to achieve their desired security outcomes, and we are ready to do the same for you.

Talk To WEI

If all of this seems new to your organization, please know this is common practice for the cybersecurity experts at WEI. Contact us today to learn how our next-gen approach to security operations drives improved outcomes through integration and automation.

Next Steps: Palo Alto Networks’ commitment to developing a groundbreaking solution for modern SOCs has culminated in the creation of a new security platform, Cortex XSIAM. This next-gen platform is designed to propel SOCs beyond the capabilities of traditional SIEM systems, setting a new standard in the industry.

Learn more about this cloud-based, integrated SOC platform, which includes best-in-class functions such as EDR, XDR, SOAR, ASM, UEBA, TIP, and SIEM.

Five Ways SOAR Resolves Your Organization’s Pressing SOC Challenges (/blog/five-ways-soar-resolves-your-organizations-pressing-soc-challenges/, Tue, 30 Apr 2024)

The post Five Ways SOAR Resolves Your Organization’s Pressing SOC Challenges appeared first on IT Solutions Provider - IT Consulting - Technology Solutions.

]]>
SOC teams are stretched thin and constantly bombarded with security alerts and staffing shortages. FortiSOAR offers task and threat response automation to empower them to effectively mitigate threats.

Imagine this: you’re a security analyst on the frontlines of your organization’s cybersecurity team. You stare at your monitor as alerts flood from various security programs, like alarms all going off at once. Then you ask: is it a full-blown attack or simply a routine update? The sheer volume of data makes prioritizing the most urgent threats a constant challenge.

This is the reality for many security operations center (SOC) teams, and many of them are drowning in information overload. This constant influx of alerts, often referred to as alert fatigue, makes it difficult for analysts to prioritize critical threats. The challenge is further compounded by a widening cybersecurity skills gap. Most SOCs are siloed and understaffed, leaving team members struggling with the ever-growing workload. This creates a dangerous feedback loop: overworked analysts become less effective at filtering valid alerts, leading to missed warnings and a weakened overall security posture.

To build a strong and resilient security strategy, we need to address both alert fatigue and staffing shortages. Let’s delve deeper into the challenges faced by SOC teams and how organizations can effectively navigate these situations.

Understanding SOC Challenges

Chronic alert fatigue and staffing deficiencies create a significant vulnerability in an organization’s security posture. Organizations are aware they are under attack but lack the resources to defend themselves effectively.

  • Staff shortage and limited budget: Evasive attacks trigger a flood of security alerts, which overwhelms security staff and desensitizes them to real threats. The pressure to investigate every alert creates a stressful environment, causing burnout and high turnover that worsen existing staffing shortages. Adding headcount to security teams can be a solution, but it is often a difficult, expensive, and unsustainable approach in the long run.
  • Siloed security tools and limited budget: Investigations are further hampered by siloed security tools that lack a central control point. Security information and event management (SIEM) systems may also lack the depth and automation needed for efficient analysis.

This one-two punch creates a state of perpetual anxiety for IT security leaders. The combined effect of these challenges is an overwhelmed SOC struggling to keep pace with incident response and proactive security measures. This constant pressure creates a dangerous environment where the risk of a serious security breach becomes significantly higher.

SOAR Is The Answer

In today’s cybersecurity landscape, teams face a constant barrage of threats with limited time and resources to respond. This is where security orchestration, automation, and response (SOAR) comes in.

SOAR acts as a force multiplier for your security team. The secret weapon behind its effectiveness is a powerful combination of artificial intelligence (AI), automation, and complete integration.

This integrated approach delivers significant benefits:

  • Faster Response: AI analyzes massive amounts of data to identify and prioritize attacks, allowing analysts to focus on remediation efforts quickly.
  • Automated Threat Intelligence: This ensures you have the latest threat data to defend your systems proactively.
  • Reduced Analyst Burden: Repetitive tasks are automated, freeing up analysts for complex investigations and strategic security planning.
  • Standardized Workflows: Integration across security products and departments ensures a consistent approach to threat detection and response, boosting overall efficiency.

By harnessing the power of AI, automation, and integration, SOAR empowers your security team to operate more effectively and efficiently, leaving them better equipped to mitigate cyber-attacks.

Empowering Your SOC Team With Advanced Solutions

Leveraging the advantages of SOAR, FortiSOAR tackles modern security challenges for SOCs and businesses. This comprehensive incident management platform empowers the entire IT team.

FortiSOAR goes beyond powerful features. It offers a holistic approach to reduce alert fatigue, optimize staffing and collaboration, and improve operational efficiency. Here’s how it empowers your SOC team:

1. Unified Command Center For IT/OT Security

FortiSOAR eliminates the need to switch between consoles by consolidating security data from all your existing tools. This streamlined approach facilitates investigations and empowers you to deliver faster, more comprehensive responses.

For operational technology (OT) environments, FortiSOAR enables teams to monitor their assets, proactively respond to security alerts, improve threat investigation activities, and safeguard them from cyberattacks – all within a unified platform. Additionally, the package includes pre-defined remediation playbooks specifically designed for OT systems, which integrate with a wide range of IT/OT security products from various vendors.

2. Streamlined Workflows with Case and Workforce Management

The solution tackles chaos with effective case management tools. Analysts can create standardized workflows, assign tasks, and track investigation progress to ensure clear accountability and efficient collaboration.

3. Threat Intelligence Management

FortiSOAR integrates threat intelligence feeds and enriches security data with real-time indicators. This empowers analysts to prioritize alerts based on actual attack methods, which improves response times. Key features include built-in feeds, support for any source, a machine learning engine for threat analysis, and standardized IOC export. It even offers a collaborative workspace and ticketing system for managing threat intelligence requests.

4. AI-Driven Recommendations

Machine learning capabilities analyze past data and patterns and translate them into actionable insights. These insights guide security analysts through investigations and recommend potential next steps.

5. Effortless Automation With No/Low Code Playbook Creation

The platform’s intuitive, drag-and-drop playbook designer automates workflows and empowers analysts to focus on complex investigations and strategic decision-making. Key features include support for both natural language and Python scripting, pre-built content, guidance recommendations, contextual reference blocks, full CI/CD integration, and simulation tools for smooth deployment.



Going Beyond The Key Features

The platform empowers teams through a comprehensive Content Hub. This Hub offers a rich library of pre-built content (connectors, playbooks, widgets, solution packs) from both Fortinet’s developers and the user community. This combined approach ensures a wide variety of resources is available for your automation needs.

Beyond content, the Hub also fosters collaboration. Teams can access news, discuss ideas, and discover best practices from peers through moderated forums and knowledge sharing.

Final Thoughts

SOC teams struggle with alert fatigue and staffing shortages in today’s threat landscape. AI-powered SOAR solutions offer relief by streamlining processes, prioritizing alerts, and empowering team members. This translates to both increased efficiency and reduced alert fatigue.

Here is where WEI can help. As WEI serves as Fortinet’s most comprehensive partner in the northeastern United States, our certified experts will assess your specific needs and design a custom SOAR solution like FortiSOAR to optimize your security posture. Contact us today and take control of your cybersecurity. With our expertise, your SOC team can confidently confront cyber threats and keep your organization safe.

Next steps: Given the sensitive nature of patient data and the critical importance of medical systems, it’s clear why cybersecurity is a paramount concern to healthcare executives. The expansion and non-stop merging of healthcare organizations across multiple locations necessitates scalable, manageable, and flexible access controls to ensure consistent security regardless of location. This is precisely why a cloud-delivered Secure Access Service Edge (SASE) is ideally suited to meet the unique needs of today’s healthcare industry.

This resource explores:

  • Why healthcare is an ideal use case for SASE
  • Importance of a universal cybersecurity experience
  • Introduction to FortiSASE
  • Importance of Zero Trust

Achieve Comprehensive Endpoint Security with Cortex XDR and WEI
Published Thu, 04 Apr 2024 12:45:00 +0000 at /blog/achieve-comprehensive-endpoint-security-with-cortex-xdr-and-wei/
Palo Alto Cortex XDR streamlines cybersecurity operations, offering multiple security protections in a single solution

Bad actors are waging increasingly sophisticated and frequent attacks, including ransomware, cyber espionage, zero-day malware and fileless attacks, to exploit endpoint vulnerabilities. These rapid-fire, diverse attacks are generating an average of that security teams must investigate, triage and address.

Traditional cybersecurity solutions that rely on siloed security tools cannot deliver the integrated data and powerful insights security analysts need to prevent, detect and respond to advanced attacks effectively. These standalone solutions require analysts to correlate data across multiple tools to build a full picture of an attack. This manual process takes valuable time, which is at a premium when an attack is underway or when a subsequent investigation must be expedited. It can also create blind spots that can lead to unidentified threats.

To address these diverse challenges, organizations need a comprehensive security solution that can seamlessly integrate with their existing technology environments. Yet, the technical skills shortage and speed at which attack scenarios change can handcuff organizations, making it difficult to keep pace with security demands. WEI’s security experts are certified at the highest levels by many of the cybersecurity industry’s leading providers, including Palo Alto Networks. This positions us to help organizations implement cybersecurity solutions that minimize vulnerabilities, streamline endpoint security operations, and outpace evolving cyber threats.

Cortex XDR Simplifies and Reinforces Endpoint Security

Enterprises can achieve the comprehensive visibility and speed they need to protect their organizations against advanced threats with Cortex XDR by Palo Alto Networks. The extended detection and response solution works across all valuable data sources for detection and response, including network, endpoint, cloud and identity, to deliver a unified view of the attack landscape. Ultimately, Cortex XDR stitches this valuable data together, breaking down silos to help analysts expose complex attack patterns.

The cloud-native platform combines the latest threat data using powerful machine learning (ML) and analytics to provide key insights into system behavior, network traffic and user activity. By integrating multiple endpoint security tools, the solution helps security teams address the full scope of security operations, without deploying additional software or hardware.

Actionable Insights for Rapid Detection and Response

Addressing continually evolving threats requires growing intelligence and the ability to act quickly. Leveraging artificial intelligence (AI) and advanced analytics, Cortex XDR creates a trusted baseline of activity that can be used to identify anomalies and speed incident detection, analysis and response.

Cortex XDR also employs AI and automation to minimize manual processes and more rapidly detect and mitigate attacks. The cloud-native platform provides a scalable database that constantly collects both internal and external threat data to continually build its intelligence. Cortex XSOAR can automatically execute a response to an identified threat, accelerating reaction time and improving outcomes.



Streamlined Cybersecurity Workloads

Security teams have a lot on their plates. Cortex XDR helps simplify analysts’ responsibilities, allowing them to assess threats from a single console, rather than navigating between multiple interfaces. The platform also consolidates and automates multiple security tasks. By grouping related alerts and eliminating duplicate alerts that occur with multiple monitoring solutions, Cortex XDR reduces individual alerts by . The solution also ranks the criticality of alerts to help analysts prioritize their efforts.

AI and automation also help ease analysts’ workloads, eliminating the need to examine threat indicators manually and automating routine tasks such as alert triage and incident response. By consolidating and automating various tasks, Cortex XDR streamlines security operations, enabling security teams to focus on other strategic initiatives.

Cortex XDR Unifies Multiple Agent-Based Solutions for Simplified, Yet Powerful Endpoint Security

To protect their organizations, analysts must prevent, detect, analyze and respond to threats. Cortex XDR integrates multiple cybersecurity solutions to offer a complete cybersecurity stack.

Firewall: Preventing unauthorized network access is a critical first step in effective cybersecurity. The Cortex XDR host firewall allows organizations to control inbound and outbound communications on their endpoints. Organizations can set host firewall policy rules to block traffic on specific devices and apply them to endpoints. The agent also natively integrates with Palo Alto Networks WildFire malware prevention service and disk encryption capabilities to further limit risk.

Antivirus: Detecting and eliminating viruses is essential to safeguard the integrity of the IT ecosystem. Cortex XDR features next-generation antivirus to block attacks.

Endpoint Detection & Response: Cortex XDR’s Endpoint Detection and Response (EDR) agent continually monitors endpoints for lurking threats. Utilizing machine learning and analytics, the module can identify covert attacks and automatically execute the appropriate response.

Forensics: Investigating an attack is time consuming. The Cortex XDR Forensics module utilizes forensics data, artifacts and event intelligence to reveal the root cause and scope of an attack. The module allows organizations to review and analyze digital evidence, hunt for and authenticate threats, simplify triage and speed response. The ease of the module drastically reduces investigation time and enables analysts of all experience levels to triage incidents.

File Integrity Monitoring: Continually validating the health and behavior of the IT environment is critical to prevent or minimize the damage a compromised file can inflict. Cortex XDR BIOCs (behavioral indicators of compromise) can be configured to continually verify the integrity of operating system (OS), database and application software files, comparing the most recent versions to expected behavior patterns.

Device Control: USB devices can unknowingly expose an organization to risk. With the Cortex XDR Device Control agent, organizations can securely monitor and manage USB access to protect endpoints from active threats that can lead to downtime and data loss. Organizations can restrict usage by vendor, type, endpoint, and Active Directory group or user.

Search & Destroy: The best endpoint security strategies proactively seek out threats. The Cortex XDR Search and Destroy agent offers insight, manual and automated threat hunting capabilities, and custom rules to enable analysts to search for and eliminate evasive threats proactively. Analysts can also create attack hypotheses and use the module’s querying capabilities to uncover and eliminate suspicious activity.

WEI is Your Partner in Devising Your Endpoint Security Solution

As a Palo Alto Networks partner, WEI can help organizations take the critical step forward to improve their endpoint security with Cortex XDR. Our experienced team of security engineers can meet organizations wherever they are in their cybersecurity journeys, offering the deep expertise to:

  • Guide the planning and implementation processes to achieve specific goals/objectives
  • Identify which data sources to integrate with Cortex XDR to enhance visibility
  • Customize threat detection and response strategies to address unique risks
  • Develop automated responses to contain malicious activity quickly

Our customer commitment positions us as a long-term partner who can help security solutions evolve to address the ever-intensifying security landscape. When you’re ready to strengthen your endpoint security, WEI is ready to help.

Next Steps: Jeff Cassidy, the Manager of Cyber Security Operations Center at CyberTrust Massachusetts, joins WEI Cybersecurity Solutions Architect Shawn Murphy for an exciting discussion about modern cybersecurity. Topics the two experts dissect include the modern SOC, incident response, and threat hunting. Listen to the WEI Tech Talk here:

Building The Cybersecurity Talent Pipeline With CyberTrust & The BSU Cyber Range
Published Tue, 02 Apr 2024 12:45:00 +0000 at /blog/building-the-cybersecurity-talent-pipeline-with-cybertrust-the-bsu-cyber-range/
The Cyber Range at Bridgewater State University is designed to foster the next wave of cybersecurity talent.

As business leaders outside of IT continue accepting cybersecurity as a business strategy rather than just as a digital defense mechanism, there are still major vacancies in the cybersecurity personnel pipeline that require addressing. Knowing this, WEI’s advanced security solutions are complemented by a focus on helping replenish the talent pipeline. This commitment is confirmed by WEI’s partnership with CyberTrust Massachusetts, a non-profit organization working to cultivate a robust talent pipeline. The support CyberTrust receives from its higher education consortium members is paramount, especially with the all-new Cyber Range at Bridgewater State University (BSU) opening earlier this year.

Bridging The Cybersecurity Skills Gap

Fundamentally, our partnership with CyberTrust is built on the collective mission to train students to create a more diverse and qualified cybersecurity workforce. This correlates with an offering that debuted last year, the Technical Apprenticeship For Diverse Candidates. The program, designed to train and develop individuals with the attitude and aptitude to learn solutions across the entire IT spectrum, is directly applicable to those learning within the Cyber Range.

The Technical Apprenticeship carries a 99% success rate in placing entry-level IT professionals into a full-time IT position, a metric WEI is very proud of. As companies starving for cybersecurity talent continue relying on heavily fished talent pools and lean on expensive third-party managed services, the apprenticeship avenue is growing in popularity. In this case, an individual gaining real-world experience as an intern at CyberTrust at the BSU Cyber Range can be eligible for the WEI apprenticeship program for meaningful job training and career development. The four-step process of the Technical Apprenticeship For Diverse Candidates is:

  1. Identify Apprenticeship Plan Expectations: For the apprenticeship to succeed, WEI and the respective client will develop a custom role that is specific to the client’s existing tech stack. Once the expectations are identified and agreed upon, individuals from diverse backgrounds with the potential to excel in cybersecurity careers are then recruited. This initiative aims to tap into underutilized talent pools, fostering a more inclusive and well-rounded cybersecurity workforce.
  2. Hire Apprentice: All apprenticeship candidates must complete a job suitability assessment and participate in client interviews to be eligible for hiring. While a candidate will not already possess the required entry level skills to be a full-time cybersecurity employee, their attitude and aptitude regarding cybersecurity is what drives the hiring decision. This is where WEI’s guidance to equip an apprentice with the essential technical skills comes into play.
  3. Deliver Development Plan: WEI pairs trainees with experienced cybersecurity professionals who offer guidance, support, and career development opportunities. Mentors play a crucial role in shaping the trainees’ professional growth and ensuring a smooth transition into the workforce. Technical and soft skills are developed in this important stage, often lasting 12 months.
  4. Transfer Apprentice To Full-time Employment: Upon successful completion of the program, the apprentice will be transferred to full-time employment under the client that the apprenticeship took place with. This commitment to job placement helps bridge the cybersecurity skills gap and strengthens the regional cybersecurity landscape. The client has no obligation to hire the apprentice, however.


BSU Cyber Range: Building the Future Cybersecurity Workforce

The state-of-the-art Cyber Range features a sophisticated network infrastructure that replicates real-world scenarios, allowing CyberTrust interns to utilize a next-gen security operations center (SOC). Here, students participate in simulated cyberattacks, test blue team/red team strategies, and hone their incident response skills within a controlled environment. This proves invaluable in preparing students for the challenges they will encounter in their professional careers.

The Cyber Range is not just a training ground for aspiring cybersecurity professionals, however. It also serves as a valuable resource for regional organizations. Businesses, government agencies, and non-profit institutions can leverage the Cyber Range to train their IT staff and security teams on the latest cyber threats and defense techniques. This collaborative approach fosters a more secure digital ecosystem for the entire region.

The creation of this facility serves as a catalyst for strengthening the regional cybersecurity landscape in several ways:

  • Collaboration And Knowledge Sharing: The Cyber Range fosters collaboration between academia, industry, and government agencies. This exchange of knowledge and expertise is crucial for staying ahead of cyber threats and developing effective defense strategies.
  • Building A Talent Pipeline: By providing students with the necessary training and experience, the Cyber Range helps to build a robust pipeline of cybersecurity talent in the region. This benefits local companies and organizations seeking to fill cybersecurity gaps within their workforce.
  • Economic Development: A growing cybersecurity workforce creates a more attractive environment for businesses to attract new investors and customers. This, in turn, leads to a boost in regional economic activity and the creation of new jobs across various sectors.

Through CyberTrust Massachusetts and BSU, students and interns are gaining access to a live SOC that monitors and safeguards the IT infrastructure of local governments, non-profit organizations, and small businesses. This immersive experience allows students to observe cybersecurity professionals in action, apply their theoretical knowledge to practical situations, and gain a deeper understanding of the intricacies of SOC operations.

Career Pathways For Cybersecurity

By integrating advanced hands-on experience with classroom learning, BSU and CyberTrust are revolutionizing cybersecurity education, as the Cyber Range equips students with real-world skills and knowledge required for entry-level positions. These obtained skills and relationships will serve as the critical foundation for many young cyber professionals. Even more, BSU will be offering an in Fall 2024. WEI is proud to support this incredible ecosystem of education, training, and inclusivity.

Next steps: Jeff Cassidy, the Manager of Cyber Security Operations Center at CyberTrust Massachusetts, joins WEI Cybersecurity Solutions Architect Shawn Murphy for an exciting discussion about modern cybersecurity. Topics the two experts dissect include the modern SOC, incident response, and threat hunting. Listen to the WEI Tech Talk here:

Using Performance Controls to Address Cybersecurity’s Achilles Heel
Published Thu, 21 Mar 2024 12:45:00 +0000 at /blog/using-performance-controls-to-address-cybersecuritys-achilles-heel/

See Bill Frank’s biography and contact information at the end of this article.

[Note: This is an updated version of the original article posted on March 21, 2024. I replaced the term “Governance” Controls with “Performance” Controls to eliminate any confusion with the NIST Cybersecurity Framework 2.0 use of the term “Governance.”

I focus here on automated controls that monitor and measure the “performance” of “Defensive” controls that directly block threats or at least alert on suspicious activities.]

How well are your cybersecurity controls performing? Measuring control efficacy is challenging. In fact, under-configured, misconfigured, and poorly tuned controls, as well as variances in security processes are the Achilles Heels of cybersecurity programs.

A mismatch between risk reduction potential and performance results in undetected threats (false negatives) as well as an excessive number of false positives. This leads to an increase in the likelihood of loss events.

All controls, whether people, processes, or technologies, can be categorized in one of two ways – Defensive or Performance.

  • Defensive Controls: These are controls that block threats or at least detect and alert on suspected activities. Effective Defensive Controls directly reduce the likelihood of loss events.
  • Performance Controls: These are indirect controls that measure the performance of Defensive Controls, highlight Defensive Control deficiencies, and/or evaluate the maturity of Defensive Controls’ configurations. Performance Controls include, but are not limited to, offensive security controls.

Most controls are easily categorized. Firewalls and EDR agents are examples of Defensive Controls. We categorize Offensive Controls as Performance because their purpose includes testing the efficacy of Defensive controls.

Vulnerability management (discovery, analysis, and prioritization) is a Performance Control because vulnerabilities, whether in security controls, application code, or infrastructure, are a type of control deficiency.

Patching is a Defensive Control because patched vulnerabilities prevent threats targeting those vulnerabilities from being exploited.

Manual Performance Controls: Human Penetration Testing

Attempting to conduct Performance functions manually is time-consuming, limited in scope, and error prone. Human Penetration Testing has been the go-to Performance Control for decades. However, only the very largest organizations can afford to fund a Red Team to provide anything close to continuous testing.

Most organizations hire an outside firm to perform pentesting. Due to high costs, the scope of human pentesting is limited. In addition, it is typically performed only once a year or once a quarter. Therefore, for most organizations, human pentesting is little more than a checkbox exercise.

Note that human pen testers use a variety of tools to address many of the standard and repetitive tasks associated with pentesting. However, in general, these tools are not revealed to the client.

Having said that, I am not here to denigrate human pen testing. There are surely many pen testers who have deep expertise and creativity that go beyond what any automated tool can provide. This is why bug bounty programs are popular.

The cybersecurity market has responded to the need for automated Performance Controls. Since no two organizations are the same, my goal for this article is to describe different types of Performance Controls to help you decide which approach is right for you.

Automated Performance Controls

There are five types of automated Performance Controls I will discuss:

  1. Attack Simulation
  2. Risk-based Vulnerability Management
  3. Metrics
  4. Security Control Posture Management
  5. Process Mining

Note that since virtually all of these tools are SaaS platforms, factors including costs, support and training, community, data security, and compliance must always be evaluated!

Read: WEI Remains Ahead Of The Cybersecurity Moving Target

1. Attack Simulation

Attack Simulation is my simplified term that covers a variety of vendors who use terms like Automated Penetration Testing, Breach and Attack Simulation, and Security Control Validation.

The one thing they all have in common is executing simulations of known threats against deployed controls. However, the vendors in this space use a variety of architectures to accomplish their goals.

The key factors to consider when evaluating Attack Simulation tools are (1) the number of agents that are required or recommended, (2) integrations with deployed controls, (3) the degree to which the simulation software mimics adversarial tactics, techniques, and procedures (TTPs), (4) the vendor’s advice on running their software in a production environment, (5) firewall / network segmentation validation, (6) threat intelligence responsiveness, and (7) the range and quality of simulated techniques and sub-techniques.

Agents. The number of agents needed for internal testing. This ranges from only one agent needed to start the test to the requirement for agents on all on-premise workstations and workloads. No agents may be needed for testing cloud-based controls.

Defensive Control Integrations. Integrating Attack Simulation tools with Defensive Controls enables blue/purple teamers to better understand how a control reacted to a specific technique generated by the attack simulation tool.

Simulation. An indicator of how close a vendor gets to simulating real attackers is its approach to discovering and using passwords to execute credentialed lateral movement. Are clear-text passwords taken from memory? Are password hashes cracked in the vendor’s cloud environment (or on the vendor’s locally deployed software)? Adversaries use these techniques regularly, so your attack simulation tool should too.

Production / Lab Testing. Attack Simulation vendors vary in their recommendations regarding running their tools in production vs. lab environments. Of course, it’s advisable to perform initial evaluations in a lab environment first. But to get maximum value from an attack simulation tool, you should be able to run it in a production environment.

Firewall / Network Segmentation. There is a special case for testing firewall/intrusion detection efficacy. Agents may be deployed on each side of the firewall. This allows for validating firewall policies in a production environment without running malware on any production workstations or workloads.

Threat Intelligence Responsiveness. New threats, vulnerabilities and control deficiencies are discovered with alarming regularity. How quickly does the attack simulation vendor respond with safe variations for you to test against your controls? Do you need to upgrade the tool, or just deploy the new simulated TTPs?

Range and Quality of Techniques and Sub-techniques. Attack simulation vendors should be able to show you their supported MITRE ATT&CK techniques and sub-techniques. The quality of those techniques and sub-techniques is much harder to determine. The data generated via the integrations with deployed controls surely helps. We recommend testing at least two similarly architected tools in your environment to determine the quality of their attack simulations.

2. Risk-based Vulnerability Management

Vulnerability management is a cornerstone of every cybersecurity compliance framework, maturity model, and set of best practice recommendations. However, most organizations are overwhelmed with the number of vulnerabilities that are discovered, and do not have the resources to remediate all of them.

In response to this triage problem, vendors developed a variety of prioritization methods over the years. Despite its limitations, the Common Vulnerability Scoring System (CVSS) is the dominant means of scoring the severity of vulnerabilities. However, even NIST itself states that “CVSS is not a measure of risk.” Furthermore, NIST states that CVSS is only “a factor in prioritization of vulnerability remediation activities.”

Risk-based factors for vulnerability management include the following:

Business Context. What is the criticality of the asset in which the vulnerability exists? For example, production systems vs development systems.

Likelihood of exploitability. A combination of threat intelligence and factors associated with the vulnerability itself determine the likelihood that a vulnerability will be exploited. is an example of this approach.

Known Exploited Vulnerabilities. The Cybersecurity & Infrastructure Security Agency (CISA) maintains the Known Exploited Vulnerabilities (KEV) catalog. Vulnerabilities on the KEV list should get the highest priority for remediation.

Asset Location. What is the location of the asset with the vulnerability in question? Internet-facing assets get the highest priority.

Compensating Defensive Control. Is there a Defensive Control that can prevent the vulnerability from being exploited?
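The five factors above combined into a single remediation ranking, as an added example that is not part of the article (the weights, tier thresholds, and sample findings are assumptions for illustration). It shows why a CVSS 9.8 finding on a development box behind a compensating control can rank below a CVSS 7.5 KEV entry on an internet-facing gateway.

```python
"""Risk-based vulnerability prioritization (added example, not from the article).

Ranks constructed findings by the factors the article lists (business context,
likelihood of exploitation, CISA KEV listing, asset location and compensating
controls) instead of by CVSS severity alone. Weights are illustrative
assumptions, not a published standard.
"""
from dataclasses import dataclass

# Assumed weight for the business-context factor (asset criticality).
CONTEXT_WEIGHT = {"production": 1.0, "staging": 0.6, "development": 0.4}


@dataclass(frozen=True)
class Finding:
    finding_id: str             # constructed identifier, not a real CVE
    asset: str
    cvss: float                 # CVSS base score: severity, not risk
    env: str                    # key into CONTEXT_WEIGHT
    internet_facing: bool       # asset location factor
    exploit_probability: float  # 0..1 likelihood from threat intel (EPSS-style)
    on_kev: bool                # listed in CISA's Known Exploited Vulnerabilities catalog
    compensating_control: bool  # e.g. an IPS signature or WAF rule blocks exploitation


def risk_score(f: Finding) -> float:
    """Combine severity with the risk factors into a 0..100 score."""
    severity = f.cvss / 10.0
    # KEV membership means exploitation is already observed in the wild,
    # so treat the likelihood as certain; otherwise use the intel estimate.
    likelihood = 1.0 if f.on_kev else max(f.exploit_probability, 0.05)
    context = CONTEXT_WEIGHT[f.env]
    location = 1.0 if f.internet_facing else 0.6
    # A working compensating control sharply reduces, but does not erase, the risk.
    mitigation = 0.3 if f.compensating_control else 1.0
    return round(100 * severity * likelihood * context * location * mitigation, 1)


def priority(f: Finding) -> str:
    """Map a finding to a remediation tier. KEV entries without a compensating
    control are always P1, matching the article's recommendation."""
    if f.on_kev and not f.compensating_control:
        return "P1"
    score = risk_score(f)
    if score >= 50:
        return "P1"
    if score >= 20:
        return "P2"
    if score >= 5:
        return "P3"
    return "P4"


def prioritize(findings):
    """Return (finding_id, tier, score) tuples ordered for remediation, highest risk first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.finding_id, priority(f), risk_score(f)) for f in ranked]


# Constructed sample findings for illustration (asset names are made up).
SAMPLE_FINDINGS = [
    Finding("F-1", "build-server-03", 9.8, "development", False, 0.02, False, True),
    Finding("F-2", "vpn-gateway-01", 7.5, "production", True, 0.60, True, False),
    Finding("F-3", "erp-db-02", 8.8, "production", False, 0.30, False, False),
    Finding("F-4", "web-portal-01", 6.5, "production", True, 0.40, False, True),
]

if __name__ == "__main__":
    # Expected order: F-2 (P1), F-3 (P3), F-4 (P3), F-1 (P4)
    for finding_id, tier, score in prioritize(SAMPLE_FINDINGS):
        print(f"{tier} {score:5.1f} {finding_id}")
```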

3. Metrics

Modern Defensive Controls generate large amounts of telemetry that can be used to monitor their performance and effectiveness. Automating metrics reporting enables continuous monitoring and measuring the performance of a larger number of deployed controls.

While automated cybersecurity performance management platforms are not always considered an alternative to Attack Simulation and Risk-based Vulnerability Management solutions, they do have the advantage of being less intrusive because they are passive. All they need is read-only access to the Defensive Controls. There are no agents to deploy and no risk of unplanned outages.

The key factors when evaluating automated metrics solutions include the following:

Scope of Coverage. The range of metrics based on your priorities such as vulnerability management, incident detection and response, compliance, and control performance.

Integrations. Does the metrics solution vendor support integrations to your controls? If not, are they willing to add support for your controls? Will they charge extra for that?

Reporting flexibility. How flexible is the report building interface? What, if any, constraints are there to generate the reports you want? Can you build customized dashboards for different users? Is trend analysis supported?

Ease-of-Use. How easy is it to generate custom reports?

Scalability and Performance. Given the amount of data you want to retain, how fast are the queries/reports generated?

4. Security Control Posture Management

All security controls need to be configured and maintained to meet each organization’s policy requirements, threat profile, and risk culture. The amount of time and effort needed to initially implement the controls and then keep them up to date varies depending on the control type and the functionality provided by the vendor.

Firewalls are at or close to the top of the list of controls requiring the most care and feeding. Therefore, it’s not surprising that the first security control configuration management tools were created two decades ago to improve firewall policy (rule) management. These tools eliminate unused and overlapping rules, and improve responsiveness to the steady stream of requests for changes, additions, and exceptions.

Security Information and Event Management (SIEM) systems are also at or near the top of the list of controls requiring extensive care and feeding. One critical aspect of a SIEM’s effectiveness is the extent of its coverage of MITRE ATT&CK techniques and sub-techniques. This also maps back to the SIEM’s sources of log ingestion. Furthermore, SIEM vendors provide hundreds of rules which generally need to be tailored to the organization.

To reduce the level of effort needed to tune SIEMs, consider tools that evaluate SIEM rule sets and provide assistance to detection engineers.

The variety of tools available for managing security control configurations will continue to grow, encompassing additional types such as endpoint agents, email security, identity and access management, data security, and cloud security.

5. Process Mining

Process mining is a method used to analyze and optimize business processes by collecting and analyzing event logs generated by information systems. These logs contain details about process execution, such as the sequence of activities, the time taken to complete each activity, and the resources involved. Process mining algorithms use this data to automatically generate process models that visualize how a process is executed in reality, as opposed to how it is expected to be executed.

While process mining is not a new concept, it is new for cybersecurity processes. For cybersecurity process mining to be useful, logs must be collected from non-security sources as well as cybersecurity controls.

Process mining is actually a separate class of higher-level analysis and measurement. All the other types discussed here, with the exception of security operations platforms (SIEMs), test, measure, or obtain data on individual controls. Having said that, at present, process mining does not specifically measure the effectiveness of defensive controls.

An example of a common cybersecurity process use case is user on-boarding and off-boarding. To perform this analysis, the process mining tool must integrate with human resource systems in addition to authentication and authorization systems.

In addition to (1) improving compliance to defined processes, process mining will (2) expose bottlenecks, (3) reveal opportunities for additional process automation, and (4) make it easier for stakeholders to understand how processes are executed using visual representations of the processes.

While scalability, performance, and integrations are important, the way processes and variances are rendered in the user interface and the way you can interact with them is critical to understand the causes of variances and opportunities for improvement.

Individual vs. Aggregate Control Effectiveness

Having reviewed the types of Performance Controls available to monitor and measure Defensive Control efficacy, it’s worth noting that they all monitor and measure control effectiveness individually.

The process mining folks might disagree with the above statement in the sense that they aggregate multiple control functions by the processes in which they play a role. However, process mining does not actually measure the efficacy of the individual controls in processes. It focuses on improving the effectiveness of processes.

While there is no doubt about the value of discovering and remediating deficiencies in individual controls, there is another function needed from a risk management perspective. That is calculating Aggregate Control Effectiveness. How well does your portfolio of Defensive Controls work together to reduce the likelihood of a loss event?

Aggregate Control Effectiveness must consider attack paths into and through an organization. A Defensive Control that has strong capabilities and is well configured will not reduce risk as much as anticipated if it is on a path that does not see many threats or is on a path with other strong controls.

In addition to discovering and prioritizing Defensive Control deficiencies, a Performance Control measurement program will improve the accuracy and precision of Aggregate Control Effectiveness calculations.

My next article will address the issue of Aggregate Control Effectiveness and its relevance to risk management. Stay tuned!

Next Steps: WEI provides enterprises with increased visibility at all touch points of the IT estate, and that includes at the edge and applications within the data center. How can we help your enterprise with its current and future cybersecurity architecture? Contact our experts today to get started.

About The Author

Bill Frank has over 24 years of cybersecurity experience. At present, as Chief Client Officer at Monaco Risk, Mr. Frank is responsible for leading Monaco Risk’s cybersecurity risk management engagements. In addition, he collaborates on the design of Monaco Risk’s cyber risk quantification software used in client engagements.

Mr. Frank is one of two inventors of Monaco Risk’s patented Cyber Defense Graph. It is the core innovation for Monaco Risk’s cyber risk quantification software which enables a more accurate estimate of the likelihood of loss events.

Prior to Monaco Risk, Mr. Frank spent 12 years assisting clients select and implement cybersecurity controls to strengthen cyber posture. Projects focused on controls to protect, detect, and respond to threats across a wide range of attack surfaces.

Prior to his consulting work, Mr. Frank spent most of the 2000s at a SIEM software company where he designed a novel approach to correlating alerts from multiple log sources using finite state machine-based, risk-scoring algorithms. The first use case was user and entity behavior analysis. The technology was acquired by Nitro Security who in turn was acquired by McAfee.


The post Using Performance Controls to Address Cybersecurity’s Achilles Heel appeared first on IT Solutions Provider - IT Consulting - Technology Solutions.

Building A Stronger Cybersecurity Future: WEI Partners With CyberTrust Massachusetts
/blog/building-a-stronger-cybersecurity-future-wei-partners-with-cybertrust-massachusetts/
Thu, 08 Feb 2024 13:45:00 +0000

Inside our IT bubble, leaders are aware of the cybersecurity skills shortage that plagues enterprises. As concerning as this challenge is, it may come as a surprise to the general public despite headlines over record ransoms, data leaks, and network breaches. Simply put, there are many more position openings than individuals available to fill them. This imbalance is creating a security gap that cybercriminals are taking advantage of.

Vying for experienced security professionals is highly competitive and costly for companies and organizations of all sizes. Unfortunately, expensive recruiting campaigns can leave under-resourced companies, non-profits, and government organizations out in the cold against those with greater recruiting tools. And while larger corporations may have greater access to premier and efficient cyber talent, they often find themselves repeatedly competing for the same talent pool. Still, the beat goes on, with the threat landscape growing more complex by the day.


CyberTrust Massachusetts

What IT leaders are looking for is a resource to address this critical security gap by cultivating new, diverse talent pools that leverage underutilized human capital. That is why WEI is proud to announce its partnership with CyberTrust Massachusetts, a nonprofit organization focused on building cybersecurity efforts across the commonwealth through hands-on training and education. The organization is aiming to address state-wide needs including:

  • Inadequate security resources/practices: Organizations across Massachusetts are facing immense challenges to identify affordable resources to help them better defend against next-gen cyber threats and sustain modern cyber resiliency. This only heightens the need for businesses, non-profits, and local government to tap into a regional hub for meaningful cybersecurity development and support.
  • Skills shortage: As we’ve recently touched on, there is a shortage of trained workers available to meet next-gen cybersecurity demands. According to CyberSeek, there are currently 20,000-plus cybersecurity job openings in Massachusetts. Meanwhile, communities of color and women are underrepresented in the cybersecurity workforce. This makes this cyber workforce shortage a unique opportunity for demographics that are frequently overlooked due to a lack of opportunity to obtain hands-on cybersecurity experience.

Cyber Range Offering

To combat the challenges bulleted above, MassCyberCenter has provided grants to Bridgewater State University and Springfield Technical Community College to support the establishment of SOC and Cyber Range facilities. Students gain much more than just textbook knowledge or virtual simulation training, as these facilities are designed to equip students with highly sought-after skills. These skills are partly learned through competitive cyber war gaming – an interactive exercise that places students in a simulated cyberattack environment. This includes real-life scenarios such as a data breach, discovery of sophisticated malware, and much more. Response from participating students has been overwhelmingly positive.

WEI’s Proud Participation

At WEI, we are aware of the challenges CyberTrust is taking on. With more than 20,000 cybersecurity job openings in Massachusetts, our experts have looked for ways to close the skills gap. Just as important, however, is CyberTrust’s mission to involve students of diverse populations and backgrounds, an endeavor that WEI has committed to with its new service, the This four-step training and mentoring process is specifically tailored to customer needs, roles, tools, and tech stack. It took no time for us to realize the values of CyberTrust Massachusetts connect with those of our own. Says WEI President Belisario Rosas:

“The CyberTrust mission directly correlates with the values of WEI as we focus on building a workforce representative of a diverse community, including people of all backgrounds who are passionate about solving complex problems.”

With a proven security team anchored by some of the top security professionals in the industry, WEI is looking forward to providing invaluable insights and knowledge to these promising students. Says WEI Cybersecurity GTM Leader Todd Humphreys:

“This program provides WEI with a unique opportunity to apply its cybersecurity expertise in ways that not only help fortify the regional security landscape but to also contribute to a sustainable pipeline of cyber talent that is critically lacking right now. We believe that the next generation of security leadership is already being educated at Massachusetts’ higher education institutions. WEI can’t wait to work with them.”

Through our involvement with CyberTrust, WEI aims to contribute to an expanded and more diverse workforce that not only benefits our cyber customers, but also helps enrich the northeast region. Whether you’re a student seeking a direct path into a cybersecurity career, a business in search of emerging talent, or a company with valuable resources and expertise to offer, we welcome you to join us in this remarkable initiative.

Next Steps: WEI provides enterprises with increased visibility at all touch points of the IT estate, and that includes at the edge and applications within the data center. How can we help your enterprise with its current and future cybersecurity architecture? Contact our experts today to get started.

Cybersecurity: WEI Remains Ahead Of The Moving Target
/blog/cybersecurity-wei-remains-ahead-of-the-moving-target/
Thu, 01 Feb 2024 13:45:00 +0000

As threat actors get more sophisticated and aggressive campaigns become more commonplace, it is imperative that corporations step up their game. In the age of artificial intelligence (AI), machine learning (ML), and automation, the resources for a holistic approach have never been more available. Enterprises are starting to recognize the need to modernize their security operations center (SOC) with an advanced SOC solution. Unfortunately, CISOs everywhere are finding it difficult to identify a partner dedicated enough to conduct their due diligence about customer needs, identify potential solutions on the market, and deliver the know-how to implement the best technical solutions. WEI can do that.

Legacy SOC architectures are complex, with many interdependent tools and processes housed within them. Many current SOCs were built 15 years ago, when the threat landscape was very different and threat actors were less capable. Today, these brittle and hard-to-maintain platforms struggle to deliver the response and resolution times that are required, which leads to SOC analyst burnout and disappointing outcomes. In an attempt to keep pace, corporations continue to try to hire their way out of this problem with little effect. It doesn’t have to be this way.

Don’t Make It A “People Problem”

There aren’t enough skilled security analysts on the planet to solve this problem. Analyst retention and burnout are very real problems. However, in what can only be described as a back-slide, many large consulting firms and Global Systems Integrators are doubling down on the “body shop” approach to security operations. For a few million bucks a year, they will set you up with a team of 30-40 tier 1 analysts to simply perform basic alert triage activities. Spending a fortune to maintain a 15-year-old model that is no longer effective doesn’t make much sense.

Forward-thinking organizations have begun to implement comprehensive automation strategies that fully automate Tier 1 activities and investigations. In many cases, much of the Tier 2 workload has been automated as well. This modern approach frees up their SOC and IR teams to focus on what is important – preventing critical incidents, hunting for threats proactively, and improving security posture.

The Modern SOC: Powered By Automation, Artificial Intelligence and Machine Learning

Ideally, all small, medium and large enterprises have some formidable solution in place for monitoring, preventing, and responding to threats. Of course, the term “formidable” has a different connotation depending on the size of the business, the industry they operate in, the type of data they store, available resources, security culture, etc. But as larger businesses are increasingly shifting to a digitalized operating model, the need for a modern SOC becomes more apparent — just ask any SOC analyst about the benefits of automation and analytics.

This cloud-delivered integrated platform reduces the duration of time between detection (MTTD) and resolution (MTTR) through the help of cutting-edge AI and ML. It combines the key functions of SIEM, SOAR, XDR, UEBA, threat intelligence, and attack surface management — essentially putting the legacy architectures mentioned above out to cyber pasture. Think about it – the traditional approach to incident response is based on the detection of a breach and conducting a historical reconstruction and root cause investigation of how the event took place…then using that new understanding to improve controls to prevent the attack from happening again.

This approach begs a serious question: If you had collected all the data needed to perform this historical analysis and to reconstruct the attack, what prevented you from detecting these attack indicators in real time and stopping them as they were happening? You had the data. What stopped you from actively preventing the attack? Legacy SOCs were designed specifically to support the legacy, historical investigation approach. The modern SOC is focused on automated, rapid detection and prevention.

Components of the modern SOC:

  • Functions of SIEM, SOAR, TIM, ASM in a single or tightly integrated platform.
  • A single, normalized data store.
  • Prevention at the core. If you have an opportunity to prevent, take it!
  • Automation as the foundation – not as a last step in the IR process.
  • Embedded analytics, AI, and ML models – natively provided.
  • Collection of good, useful data from the network, endpoint, cloud, and user info.
  • Automatic incorporation of natively provided and third-party threat intelligence.
  • Profiling of device, user, and network behavior to detect anomalies.
  • Case management and automated incident creation.

What are the results a customer can expect in a cloud-delivered integrated SOC platform? The key functions of SIEM, endpoint security, threat intelligence, XDR, attack surface management, UEBA, SOAR and CDR collectively offer:

  • Dramatically reduced MTTD and MTTR
  • Improved analyst experience by eliminating silos
  • Enhanced detection of advanced attacks
  • Simplified data onboarding & integration
  • Accelerated investigations with intelligent alert grouping
  • Reduced risk with attack surface management
  • Automated response suggestions for incidents
  • Extended security operations to the cloud for comprehensive visibility

AI/ML-powered SOC tools address the challenges of the traditional SOC. For example, AI/ML can be used to automate many of the manual tasks that are currently performed by overburdened SOC analysts, such as alert triage and incident investigation. This frees analysts to focus on more complex tasks and improves the overall efficiency of the SOC. Personnel also experience improved visibility into their environment, including assets and data that were previously invisible. The result is detecting and responding to threats quickly and effectively.

Lastly, there is the development of new detection methods. AI/ML can be used to develop new detection methods that are more effective against new and emerging threats. AI/ML learns from historical data to identify patterns and anomalies that are otherwise difficult for human analysts to detect. It is clear why leaders are eager for an advanced SOC solution, in addition to the usual NGFW and remote access solutions. If an advanced SOC stack is too much too fast, there is SOCaaS, which WEI supports very well.

WEI’s Ongoing Mission To Deliver Premier Cybersecurity Solutions

Bottom line, WEI’s cybersecurity vision is to effectively deliver advanced solutions to help customers meet/exceed business objectives. So often, the WEI security team enters a project where serious voids are left behind by a customer’s tone-deaf partners. This is a result of partners “registering” every vendor within a given cyber category for every customer project, whether that is necessary or not. This leaves the customer with zero meaningful guidance. Still, the partner wins and makes their margin. This is a scenario WEI avoids.

Looking Ahead

2024 is here, and so is the SEC’s ground-breaking adoption of cybersecurity risk management, strategy, governance, and incident disclosure rules for public companies. Effective December 18, 2023, an Item 1.05 Form 8-K will generally be due just four business days after a registrant determines that a cybersecurity incident is material. The security infrastructure of many large enterprises cannot support this required deadline. It is WEI’s job, as a value-added reseller, to educate customers about a better way to approach detection and response and enable them to meet these new reporting requirements.

Over the next year, WEI’s digital communications will feature a focus on cybersecurity. Content will dive into viable solution trends, prominently explain WEI’s security capabilities, and provide WEI’s take on the solutions its valued partners offer. This also includes a recap of the numerous events the cyber team will coordinate and attend.

For any questions about WEI’s robust cybersecurity practice or to discuss WEI’s next-gen solutions, please contact WEI here.

Next Steps: Following a cyber incident, cybersecurity teams often resort to their data sources to identify how the incident transpired. While analyzing these data sources, a critical question must be asked: what prevented cyber personnel from stopping the cyberattack in real time?

In this data-driven era, cybersecurity practices have increasingly focused on the prevention phase, made possible by leveraging the data already present in a cybersecurity environment. Prevention is your first line of defense; it is time to leverage its power and potential.

to learn more about this cloud-based, integrated SOC platform that includes best-in-class functions including EDR, XDR, SOAR, ASM, UEBA, TIP, and SIEM.

Top Cybersecurity Trends For 2024
/blog/top-cybersecurity-trends-for-2024/
Thu, 04 Jan 2024 13:45:00 +0000

As the 2024 New Year has arrived, so does the opportunity to make educated predictions for what the future holds for cybersecurity. Fundamentally, a cybersecurity strategy is an integral component of business strategy because it allows the business to harness risk. Since cybersecurity is often driven by compliance mandates and overly restrictive policies, cybersecurity teams are sometimes seen as the “department of no.” However, that need not always be the case.

Oftentimes, policies could be loosened to accelerate business objectives. For example, an organization might be inclined to block all access to generative AI services to avoid any compliance complications. But cybersecurity teams can identify the actual risks, thereby allowing the business to use these powerful tools to gain a competitive advantage. The first step to harnessing risk is capturing good metrics (like MTTD and MTTR in the context of a SOC) and driving them down.

So, what does 2024 have in store as enterprises continue to embrace cybersecurity as a business accelerator? Let’s explore.

The Integration Of AI And ML

First, let’s address the obvious: Artificial Intelligence (AI) and Machine Learning (ML) will each continue their evolution as critical components to a holistic cybersecurity practice. IT leaders and enterprise stakeholders are jumping on this bandwagon as security vendors develop and promote new AI and ML features and capabilities.

In today’s highly complex hybrid networks, comprised of many services and processes operating over vast landscapes, traditional human monitoring and intervention are falling short. AI algorithms have proven to effectively scale cybersecurity efforts without a proportional increase in resources or personnel. This is largely due to AI’s ability to analyze vast amounts of data to identify patterns indicative of cyber threats, such as malware or unusual network activity. The role of AI and ML in cybersecurity is no surprise, even for those outside the security realm.

Fight Fire With Fire: AI In Cybersecurity

On the flip side, as much as AI aids in cyber defense, it is a critical resource for threat actors as well. With generative AI and advanced language models, cybercriminals are gaining more experience in crafting highly personalized phishing attacks and sophisticated social engineering schemes. These attacks, enhanced with realistic voice and video elements, lack the typical red flags such as grammatical errors or cultural mismatches. AI also enables attackers to efficiently utilize the wealth of personal data available online, crafting convincing, individualized attacks in rapid fashion.

Rapid AI Development And Its Risks

The surge in AI’s business applications has triggered a race to market new AI-driven apps. This urgency may lead to compromised security measures, as the push for rapid market entry sometimes overshadows the need for robust security controls and privacy considerations in the development process. Businesses must establish strong approaches for evaluating the inherent security posture of AI products and services, aiming to avert the challenges previously encountered with Internet of Things (IoT) integration. This assessment is a crucial component of a broader security strategy that encompasses all aspects of operations, including supply chain members. This comprehensive approach ensures a more secure and resilient business environment in our interconnected digital landscape.

Staying Ahead With AI In Cybersecurity

With AI technology advancing rapidly, keeping pace is daunting for security teams. At WEI, we are committed to staying abreast of both the beneficial and challenging aspects of AI’s role in cybersecurity. Our portfolio features some of the most reputable cybersecurity vendors in the industry, and our certifications within those vendors reside at the expert level. We are here to guide you in selecting the right AI-enhanced cybersecurity solutions tailored to your business’s unique needs. We can also assist you in creating procedures to effectively assess the security posture of your many partners as well.

A Persistent Cybersecurity Talent Gap

Just days before 2024, there are open cybersecurity roles with no suitable candidate to fill. Incredibly, 750,000 of these vacancies are here in the United States. Although the surge in job openings isn’t expected to mirror the staggering 350% increase witnessed in the past decade, filling these roles remains a significant challenge. According to projections, the shortage of qualified candidates will widen through 2025.

One reason for the continued skills shortage is that knowledge requirements evolve so rapidly: candidates must fuse together a growing number of new skillsets from many disparate domains. Further complicating the issue, companies often rely on traditional talent pools to recruit for these roles. With many security directors and managers vying for the same candidates, the professionals in these shrinking pools can afford to be exceptionally selective, much more so than in years past, which further prolongs the hiring process.

Companies Will Create Their Own Talent Pipelines

In response to the pressing need for cybersecurity professionals, companies are increasingly adopting proactive approaches to cultivate their own cybersecurity talent. This involves forging partnerships with local educational institutions to create training programs tailored to their specific needs. Such initiatives often include apprenticeships and internships, providing students with the hands-on experience necessary to transition into entry-level full-time positions within these businesses.

A prime example of this approach is the program. This program stands out because it not only nurtures a private talent pool of emerging professionals, but also emphasizes the inclusion of candidates from diverse backgrounds, catering to companies with diversity objectives. Furthermore, WEI manages the entire process, from understanding a company’s specific needs to the meticulous selection and daily mentoring of apprentice candidates. Participating companies have the option to offer full-time positions to these apprentices upon contract completion, providing a streamlined pathway to acquire skilled, diverse cybersecurity talent. Never has a hidden talent pipeline been so invaluable.

Security Solutions Will Further Evolve

Cyber attacks have become a big (and profitable) business. To keep pace with the quantity and sophistication of emerging attacks, companies are increasingly relying on modern security operation centers (SOCs) that are dedicated to safeguarding their organizations. Being effective, however, requires advanced solutions that SOC analysts can leverage to stay ahead of the accelerating threat landscape. Key components of these solutions include:

  • Effective Preventative Controls: Many attacks can be blocked, but only if the correct preventative controls are in place, and importantly, those controls are configured properly. Integration between controls further reduces risk.
  • Security Analytics: Effectively detecting and eliminating threats requires vast amounts of data collection and processing. Visibility blind spots are a problem, but so is being inundated with low value data.
  • Automated Playbooks: Workflows that integrate processes across various security tools, external teams, and even end users can be automated. These playbooks handle repetitive tasks, allowing analysts to focus on critical decision-making and investigative work.
  • Real-Time Threat Intelligence: Accessing up-to-the-minute, global threat intelligence feeds to remain informed about emerging cyber threats, attack vectors, and vulnerabilities.

In 2024 and the years following, companies cannot safely rely on a patchwork approach. Legacy SOC architectures are complex, with many interdependent tools and processes housed within them. Many current SOCs were built 15 years ago, when the threat landscape was very different and threat actors were less capable. Today, these brittle and hard-to-maintain platforms struggle to deliver the response and resolution times that are required, which leads to SOC analyst burnout and disappointing outcomes.

To keep pace, corporations continue to try to hire their way out of this problem with little effect. It doesn’t have to be this way, as WEI offers advanced security stacks designed to meet the needs of any business or SOC. Boasting a team of over 80 experienced engineers, WEI’s security division works in close collaboration with hundreds of IT companies, ensuring the delivery of customized, specific, and effective solutions for our diverse range of customers.

One Final New Year’s Trait

Alongside the annual tradition of making predictions, the 2024 New Year also offers the opportunity to set resolutions. If your company aims to enhance its security posture, achieve better compliance, or explore fresh ideas and solutions for the upcoming year, we encourage you to consult with a WEI security specialist.

Our experts are ready to understand your specific goals for the New Year and will provide insights on how WEI can help turn those resolutions into tangible outcomes to ensure that 2024 is, in fact, a Happy New Year.

The post Top Cybersecurity Trends For 2024 appeared first on IT Solutions Provider - IT Consulting - Technology Solutions.

SOAR Use Case: SEC Requirements For Cyber Reporting (/blog/soar-use-case-sec-requirements-for-cyber-reporting/, Wed, 15 Nov 2023)

The post SOAR Use Case: SEC Requirements For Cyber Reporting appeared first on IT Solutions Provider - IT Consulting - Technology Solutions.


Today’s discussion on sustainability is increasingly prevalent in ongoing dialogues, touching on varied issues from governmental budgeting practices to environmental concerns over global population growth. Sustainability is also a hot topic in cybersecurity, as the long-standing reliance on human-led incident response shows its limits. The rationale for this shift is straightforward:

  • Cyberattacks are escalating in frequency, severity, and sophistication.
  • Modern business environments necessitate rapid IT responses, with processes required to move at breakneck speeds.
  • Regulatory compliance requirements are becoming more stringent and complex.

Quickly Assess Readiness and Precision

The tightening of regulatory compliance in the financial sector is underscored by the Securities and Exchange Commission’s (SEC) recent adoption of new rules on risk management, strategy, governance, and incident disclosure, which were announced on July 26, 2023. These new mandates apply to all publicly traded companies under SEC jurisdiction. While IT and cybersecurity leaders should familiarize themselves with all of the new rules, the most pertinent update requires cybersecurity incidents to be disclosed within four business days after an incident is deemed material. Even more, the SEC states that the materiality determination itself should be made without unreasonable delay.

The rationale behind this stringent timeline is founded on the potential impact that cybersecurity incidents have on shareholder value and the broader market. Timely disclosure ensures that investors are adequately apprised of risks to their investments and can make informed decisions regarding any financial exposure stemming from such incidents.

Unfortunately, the approach of placing humans on the incident response frontlines is growing more antiquated as the years tick by. That is why modern next-gen security operation centers (SOC) integrate automation into time-saving workflows to maximize operational efficiencies and better satisfy today’s shrinking disclosure windows.

The Benefits of Automation

Incorporating automation into your SOC can yield significant advantages including:

  • Streamlined time-sensitive manual tasks: While necessary, these tasks overburden most SOC analysts. Automation tackles these repetitive duties, freeing up your team to concentrate on higher-priority threats and strategic defense enhancements.
  • Enhanced processing and response: Automation assists SOC teams in processing incidents and accelerates overall response time. Analysts live and breathe by their MTTD and MTTR rates, and enterprise leaders must realize the power these metrics carry.
  • Proactive, not reactive: By diverting resources from low-complexity tasks to the proactive analysis of significant risks, your staff can better focus on incidents deemed material in nature. This provides more resources at ground zero should a significant cyber incident take place.

SOAR Automation

One way to automate your SOC is to implement a Security Orchestration, Automation, and Response (SOAR) solution such as Cortex XSOAR from Palo Alto Networks. Consider the case of Sitecore, a top-tier digital experience firm recognized in Gartner’s 2022 Magic Quadrant. After implementing Cortex XSOAR, the company achieved 90% automation of security events in its SOC, with an average time to fix of only nine minutes. And here’s the clincher: with upwards of 45,000 events recorded each week, it takes only two analysts to manage all of Sitecore’s cyber incidents. Clearly, less is more when it comes to SOAR.

This level of automation not only showcases the power of SOAR solutions in optimizing security operations, but also underscores the potential for significant resource allocation and efficiency gains within any SOC. It isn’t just about stats, however. Sitecore also witnessed an improved investigation quality as their security analysts collaborated more closely, leading to quicker action and deeper learnings.

Threat Intelligence Management

Cortex XSOAR propels SOC environments into a new era of efficiency with features like automated phishing playbooks, vulnerability management orchestration, and cloud threat detection. For now, let’s focus on threat intelligence management (TIM). SOAR TIM consumes threat feeds and uses them to add context to alerts as they arrive. As alerts are ingested, you can automatically enrich them with the latest threat intel from your feeds, giving you insightful context for how external and emerging threats impact your environment.

The TIM module in Cortex XSOAR goes a step further by automating indicator enrichment. This provides SOC analysts with advanced notice and a nuanced understanding of emergent threats, thereby empowering them to preemptively thwart potential attacks.

Threat intelligence is but one facet of SOAR, however. Palo Alto’s Cortex XSOAR helps transform security operations by unifying TIM with case management and real-time collaboration. This cohesive approach enables SOC teams to consolidate alerts from disparate sources, normalize operations through playbook application, leverage threat intelligence decisively, and orchestrate a comprehensive automated response for a wide array of security scenarios.
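To make the enrichment step above concrete, here is an added example (not Cortex XSOAR code, nor anything from Palo Alto Networks or WEI) that shows what "enrich alerts with threat intel as they are ingested" means in practice, and how the enrichment leaves behind the per-action record that compliance reporting later depends on. The feed, the alerts, and the severity thresholds are all constructed for illustration: the IP addresses come from the RFC 5737 documentation ranges, the hash is a dummy string, and the scoring rules are an assumption, not a product's logic. It goes slightly beyond the text by matching IPs against CIDR ranges as well as exact indicators.

```python
"""Threat-intel enrichment and prioritization of ingested alerts (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress

# Constructed threat-intel feed. Every indicator here is a placeholder, not a real IoC:
# IPs are RFC 5737 documentation addresses and the hash is a dummy value.
THREAT_FEED = {
    "ip":     {"203.0.113.45": {"threat": "c2-beacon", "score": 90}},
    "cidr":   {"198.51.100.0/24": {"threat": "scanner-range", "score": 60}},
    "domain": {"evil.example": {"threat": "phishing-kit", "score": 80}},
    "sha256": {"a" * 64: {"threat": "commodity-stealer", "score": 95}},
}


@dataclass
class Alert:
    alert_id: str
    source: str                 # tool that raised it (EDR, firewall, IdP, ...)
    base_severity: int          # 1 (low) .. 5 (critical), as assigned by the source
    observables: dict           # e.g. {"ip": "...", "domain": "...", "sha256": "..."}
    matches: list = field(default_factory=list)
    severity: int = 0
    audit: list = field(default_factory=list)   # timestamped record of every action


def lookup(ind_type, value, feed=THREAT_FEED):
    """Return feed hits for one observable; IPs are also checked against CIDR entries."""
    hits = []
    entry = feed.get(ind_type, {}).get(value)
    if entry:
        hits.append({"indicator": value, **entry})
    if ind_type == "ip":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return hits                       # malformed observable: no range check
        for net, meta in feed.get("cidr", {}).items():
            if addr in ipaddress.ip_network(net):
                hits.append({"indicator": net, **meta})
    return hits


def enrich(alert, feed=THREAT_FEED, now=None):
    """Attach feed matches, raise severity on a hit, and log each step for reporting."""
    now = now or datetime.now(timezone.utc)
    stamp = now.isoformat()
    alert.severity = alert.base_severity
    for ind_type, value in alert.observables.items():
        if ind_type == "domain":
            value = value.lower().rstrip(".")  # normalize before matching
        hits = lookup(ind_type, value, feed)
        alert.matches.extend(hits)
        alert.audit.append(f"{stamp} {ind_type}={value}: {len(hits)} feed hit(s)")
    if alert.matches:
        # Assumed escalation rule: the strongest indicator score sets a floor on severity.
        top = max(h["score"] for h in alert.matches)
        floor = 5 if top >= 90 else 4 if top >= 70 else 3
        alert.severity = max(alert.severity, floor)
    alert.audit.append(f"{stamp} severity set to {alert.severity}")
    return alert


def triage(alerts, feed=THREAT_FEED):
    """Enrich every alert and return them in the order an analyst should work them."""
    enriched = [enrich(a, feed) for a in alerts]
    return sorted(enriched, key=lambda a: (-a.severity, -len(a.matches), a.alert_id))


# Constructed sample alerts, as an ingestion batch might look after normalization.
SAMPLE_ALERTS = [
    Alert("A-1", "edr", 2, {"ip": "203.0.113.45", "domain": "Evil.Example."}),
    Alert("A-2", "firewall", 2, {"ip": "198.51.100.77"}),
    Alert("A-3", "idp", 4, {"ip": "192.0.2.10"}),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        print(a.alert_id, a.severity, [m["threat"] for m in a.matches])
        for line in a.audit:
            print("   ", line)
```

The ordering is the point: the EDR alert that arrived with a low source severity is moved to the top because both of its observables are known bad, while the identity alert with no intel hits keeps the severity its source assigned. The `audit` list is the trail that makes the later "auto-generated documentation" possible, so every decision the enrichment takes is written down with a timestamp rather than reconstructed afterwards.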

Streamlining SEC Compliance With Cortex XSOAR

Cortex XSOAR emerges as a pivotal tool in helping enterprises meet stringent disclosure timelines set by these new SEC regulations. It streamlines the entire lifecycle of incident response from detection to remediation and reporting. Here’s how XSOAR transforms the SOC’s capabilities, making the 96-hour reporting requirement more achievable:

  • Empowers SOC teams to manage incidents rapidly and at scale, ensuring timely action.
  • Fosters faster incident response by consolidating alerts, incidents, and indicators from numerous sources into a single pane.
  • Synchronizes threat intelligence with automated, playbook-driven responses for immediate security measures.
  • Assists analysts with decision-making support and auto-generates documentation of all actions for compliance reporting.

As the SEC reshapes what is expected from cybersecurity disclosures, SOCs must adapt by integrating solutions like Cortex XSOAR, not only to comply with regulations but also to enhance their overall security posture. To learn more about the transformative power of Cortex XSOAR, as well as other solutions and strategies to help adapt to these new regulations, speak with a WEI cybersecurity specialist today.

Is Your Public Enterprise Equipped To Meet New SEC Disclosure Requirements? (/blog/is-your-public-enterprise-equipped-to-meet-new-sec-disclosure-requirements/, Thu, 09 Nov 2023)

The post Is Your Public Enterprise Equipped To Meet New SEC Disclosure Requirements? appeared first on IT Solutions Provider - IT Consulting - Technology Solutions.


Investors with significant stock in public companies expect a high level of disclosure on information concerning new market competitors, shifts in product demand, and operational disruptions stemming from either natural disasters or cybersecurity. In catering to this need for transparency, the United States Securities and Exchange Commission (SEC) has recognized that cybersecurity incidents also warrant equal attention.

As an IT professional, you know that cyber breaches can exert a substantial financial toll on a company, from the theft of digital assets to the costs associated with response measures, legal actions, compensatory payments, and potential regulatory penalties. Beyond immediate financial losses, security breaches also interrupt business operations and inflict lasting reputational damage, undermining a company’s brand in the long term, all of which affects the stock price of a company.

Recently Announced SEC Requirements

In July 2023, the SEC adopted new rules concerning cybersecurity risk management, strategy, governance, and incident disclosure by public companies. Of note, there is a critical disclosure requirement dictating that companies must report any “Material Cybersecurity Incident” within four business days of the date the incident was determined material. To be clear, the clock does not start ticking when the incident occurs or is detected, but when it is determined to be “material”. The SEC defines “material” as:

“An incident that reflects a substantial likelihood that a reasonable shareholder would consider to be important in making an investment decision, or if it would have significantly altered the total mix of information available.”

“Currently, many public companies provide cybersecurity disclosure to investors,” said SEC Chair Gary Gensler. “I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

When determining the materiality of an incident, a company should consider quantifiable and non-quantifiable elements, including impacts on reputation, market competitiveness, and customer relations. The possibility of consequential litigation, inquiries, or regulatory proceedings that could substantially influence the company’s standing must also be considered. According to SEC guidance, the determination of material status must be made “without unreasonable delay” upon first detecting the incident. The aim of the four-day disclosure timeline is to give investors ample and timely opportunity to reevaluate investment decisions based on the risks presented by a disclosed cybersecurity incident.

The disclosure should be submitted under new item 1.05 of Form 8-K, wherein the company is required to furnish a detailed account of the incident, including its nature, timing, and the extent of impact on the company’s operations. A deferral of the four-day notification mandate is permissible if the U.S. Attorney General advises that prompt disclosure could significantly jeopardize national security or public safety.

As for effective dates, the material incident disclosure requirements are effective by December 18, 2023. All disclosures for risk management, strategy and governance are effective for all registrants for fiscal years ending by December 15, 2023.

The SEC Is Taking Cybersecurity Awareness Seriously

Beyond the mandates for reporting cybersecurity incidents, the SEC has introduced additional regulations focused on risk management and cybersecurity governance for relevant organizations. These will not be detailed here, but it’s worth noting that one key requirement is for companies to disclose the cybersecurity expertise present on their board of directors. This requirement reflects the SEC’s emphasis on the role of cybersecurity knowledge in competent risk management.

It’s essential to understand that even companies not traditionally compelled to prioritize cybersecurity due to other regulatory frameworks must adhere to the SEC’s stipulations, irrespective of their U.S. location. Moreover, U.S. entities with international branches located in regions requiring less stringent cyber regulations are still obligated to report incidents that could materially affect the company, whether these occur domestically or abroad.

Time Is Of The Essence

Navigating the new SEC regulations can be challenging, particularly when it comes to the 96-hour directive. Although the exact timeline for determining the materiality of an incident isn’t strictly defined, the SEC’s position on delays is unequivocal: undue postponement is unacceptable. Failure to adhere to this disclosure deadline can result in serious consequences as

SOC analysts are well-versed in the measuring sticks of Mean Time To Detection (MTTD) and Mean Time To Recovery (MTTR), but these averages now take on significant meaning to those outside an enterprise’s cybersecurity practice.

WEI Can Help You Be Better Prepared

For cybersecurity teams and executive leaders, the pressing question is clear: Are you equipped to meet the new 96-hour disclosure mandate? The four-day timeframe is tight for traditional architectures and limited teams, particularly amidst the high-pressure aftermath of a cybersecurity incident. Tabletop exercises can be invaluable, shedding light on whether an organization possesses the necessary processes, strategies, tools, and know-how to act swiftly. While these simulated exercises offer a semblance of a real crisis, they cannot completely replicate the intense, unpredictable nature of a real-time breach.

For many cyber leaders managing a traditional security architecture that lacks next-gen components, this new mandate is concerning. Organizations struggling with reducing their MTTD and MTTR often are experiencing operational complexities. This includes too many products with a lack of coordination, lengthy manual processes, and a cybersecurity skill shortage that doesn’t appear to be improving.

Enter Security Orchestration, Automation, and Response (SOAR), a next-gen solution that combines comprehensive data gathering, standardization, workflow analysis and analytics to provide organizations the ability to easily implement sophisticated in-depth capabilities based on internal and external data sources. It also automates time-consuming tasks, which is essential when turnaround time for generating a comprehensive incident report is short. With automation, your organization will:

  • Scale and standardize incident response processes.
  • Speed up resolution times, boosting SOC efficiency.
  • Improve analyst productivity and enhance team learning.
  • Gain immediate ROI from existing threat intelligence investments.

With SOAR, WEI can effectively guide your organization toward a solution that transforms the stringent four-day window into a more manageable timeframe. Remember, SOAR was created under the realization that security teams lack the people and scalable processes to keep pace with an overwhelming volume of alerts and endless security tasks... those same alerts and security tasks that will help you determine whether an incident is material enough to be disclosed under the new SEC requirements. If your company falls under the jurisdiction of the SEC, the clock is ticking.

WEI has guided forward-thinking organizations to implement comprehensive SOC automation strategies that fully automate Tier 1 activities and investigations. In many cases, much of the Tier 2 workload has been automated as well. This modern approach frees up the SOC and IR teams to focus on what is important: preventing critical incidents, hunting for threats proactively, generating comprehensive incident reports, and improving overall security posture.

WEI has been ahead of the curve of such mandates. We can dive into your current security stack and monitoring environment to provide an accurate assessment of your architecture’s strengths and weaknesses. Contact our team today if you are interested in a holistic, next-gen cybersecurity architecture.

How Fortinet SOCaaS Strengthens Cybersecurity Defenses (/blog/how-fortinet-socaas-strengthens-cybersecurity-defenses/, Mon, 06 Nov 2023)

The post How Fortinet SOCaaS Strengthens Cybersecurity Defenses appeared first on IT Solutions Provider - IT Consulting - Technology Solutions.

Get details on what Fortinet SOCaaS can do for your cybersecurity defenses, and find out how to identify potential firewall issues that could put you at risk.

Cyber threats are in a constant state of evolution, posing a danger to organizations of all sizes, from the largest of enterprises to small and medium-sized businesses. All face heightened vulnerability to cyberattacks for several reasons, including limited resources in the SOC and a slower response to emerging threats. Even enterprises that have the budget to swiftly adopt new technologies and data transfer methods still struggle with effectively measuring ROI from deployed security tools and sorting aggregated data coming through their firewalls.

One commonly exploited entry point is misconfigured firewalls, as many firewall breaches and bypasses are attributed to misconfigurations. For that reason, it is more urgent than ever to monitor, detect, and respond to firewall issues. This increased need has led many businesses to security operations center as-a-service (SOCaaS).

The Need For SOCaaS

All organizations with a digital environment rely on some kind of SOC, although the depth of these environments varies greatly. For organizations lagging behind with a patchwork SOC architecture, a next-gen SOC powered by AI sounds like a logical next step. It can scale whenever needed, ROI is forecast more clearly, alert responses are automated, and cyber event and incident reports can be automated, too. Still, as helpful as it is for your SOC analysts, this can be too expensive a solution to afford upfront.

Fortinet provides FortiGuard SOCaaS as an accessible add-on for both new and existing FortiGate users. This service offers an affordable means for enterprises to enhance their network security without a substantial initial investment. Let’s explore further.

Four Characteristics Of A Reliable SOCaaS

To understand what sets a dependable SOCaaS solution apart, we’ll explore four key characteristics offered by FortiGuard SOCaaS. These characteristics make FortiGuard SOCaaS a smart choice to enhance network security and defense against cyber threats.

1. Early Detection

Fortinet’s security experts offer around-the-clock monitoring and investigation services, ensuring you are only alerted when critical issues require attention. By outsourcing tier-one analysis and SOC baseline automation to Fortinet’s security experts, you can free up your security analysts to focus on more strategic tasks.

Fortinet’s continuous monitoring is backed by and a team of experienced security professionals who perform in-depth investigations through:

  • Alert triage.
  • Incident analysis and validation.
  • Customizable out-of-the-box SOC use cases and reporting to identify areas for improvement and track progress.

This comprehensive approach to security monitoring and management streamlines your operations and enhances your security posture.

2. Quick Response

Fortinet Security Experts can promptly alert the affected party within 15 minutes. Each alert includes:

  • A comprehensive incident report.
  • Causative factors of the incident.
  • Practical recommendations for containment and mitigation.

This method helps smoothly hand over the problem to local IT teams for resolution.

Furthermore, Fortinet’s consultation services assist in remediation and containment efforts. By efficiently integrating Fortinet’s expertise, organizations enhance their SOC effectiveness, reducing the threat actors’ window of opportunity. Patchwork architectures cannot deliver the MTTD and MTTR averages that an automated SOC solution can.

3. Comprehensive Management

Fortinet SOCaaS provides an intuitive dashboard, through which IT analysts gain access to a seamless and automated user experience. Two standout features of this dashboard include:

  • On-demand reports without having to spend a lot of time searching for data. Here, analysts keep tabs on what’s happening and stay organized in their security work.
  • Quarterly meetings with security experts to discuss specific incidents, report progress, and provide advice to enhance overall security posture.

Furthermore, the platform maintains logs for a full year, ensuring that historical data is readily available for analysis and auditing.

A notable advantage of the Fortinet SOCaaS solution is it takes in different types of data. Apart from FortiGate logs, the solution also includes data from other Fortinet Security Fabric services. This flexibility keeps the SOCaaS solution up-to-date and useful in a constantly changing security world. This improves configuration and security, which in turn makes the SOC more effective.

4. Scalability

Enterprises can benefit from a streamlined and scalable subscription model tailored to their FortiGate device. This gives IT teams the flexibility to choose between co-management or full outsourcing of services. Fortinet offers additional customization through an extended array of SOC services that integrate supplementary features and functions.

Building upon the customizable subscription model, Fortinet’s extensive control over SOC technology encompasses a seamless integration of security orchestration, automation, and response (SOAR) capabilities across cloud-based and on-premises models. This is further enhanced by a team of SOC experts and direct access to FortiGuard Threat Research Lab, guaranteeing access to advanced threat intelligence and quick response options.

Final Thoughts

As seen in the projected growth of the SOCaaS market, estimated to reach $11.4 billion by 2028, this solution presents a promising opportunity for organizations to enhance their cybersecurity defenses. While other competitive options may provide more extensive support and vendor-agnostic features, they often come with a higher price tag. Fortinet SOCaaS stands out as a cost-effective and efficient choice.

Get in touch with our experts to learn how Fortinet SOCaaS can help you retake control of your organization’s security operations.

Next steps: Managing and securing data, applications, and systems has become more arduous and time consuming with the rise of cloud adoption and the expansion of the digital attack surface. To help remedy this, FortiAnalyzer offers a powerful log management, analytics, and reporting platform that features a single console to manage, orchestrate, and respond. Download our free tech brief below to read.
