Evaluating Success in Adversary-aligned Security Operations
In our last post, we explored why CISOs need to expand and evolve their thinking around what — and who — constitutes an adversary. In this final part of our series on adversary alignment, we will explore three lenses through which a CISO can evaluate the success of an adversary-aligned security operations team and the value it delivers to the organization.
In this article:
The risk lens
The risk lens focuses on the capacity to preempt, manage, and mitigate problems before they occur. Best practices involve ranking and tallying deviations in normal user behavior, device behavior, or network activity, taking action when a risk score exceeds a designated threshold, and prioritizing the response. This lens demonstrates the crucial role of defenders within the organization.
The event lens
The event lens focuses on optimizing tools and technologies to ensure that the right behaviors trigger the right responses. The main proof point lies in the accuracy and efficacy of alerts, as well as the meaningful triage of identified threats. These best practices help assess alerts and events and their impact on the organization’s security posture.
The hunt lens
The hunt lens focuses on fully comprehending the range of actions and reactions an adversary may attempt. This involves active threat hunting and adopting an “assume breach” mindset. Defenders analyze intelligence reports and breach details from other organizations, pursuing a creative, iterative approach to playing out hypothetical scenarios.
These lenses function as a continuous feedback and improvement loop, each enhancing the other, ultimately leading to a more effective security operations team.
Adversary alignment: a summary
Adversary alignment represents a comprehensive rewiring of how CISOs and senior decision-makers perceive their security posture. It involves understanding adversaries as not only cybercriminals and malicious insiders but also internal actors and factors that create vulnerabilities.
By aligning with how adversaries think and act, the security operations team can anticipate behaviors, reduce risks, and continuously refine security processes through powerful insights and analytics.
Embracing adversary alignment empowers CISOs to create a culture of:
- Risk awareness — “Security as a shared responsibility” is embraced by everyone.
- Empowerment — Encouraging a critical, creative, and proactive security operations team while helping the organization avoid threats to their credentials, data, and reputation.
- Communication — Security leaders and teams can speak candidly about the organization’s security capabilities and confidently hold decision-makers accountable.
Adversary alignment is an essential strategy for any organization seeking to improve its cybersecurity posture. By understanding the different types of adversaries and using the three lenses to evaluate the success of an adversary-aligned security operations team, CISOs can drive meaningful change within their organizations, fostering a culture of risk awareness, empowerment, and communication.
To learn more, read the complete CISO’s Guide to Adversary Alignment
Adversary alignment is the ability to understand your organization’s visibility and capability gaps to detect threats across the entire cyberattack lifecycle. The adversary-aligned CISO has the power to profoundly shift their organization to create a culture of risk awareness, empowerment, and communication, where security leaders and teams can speak candidly about the security capabilities the organization has — and the capabilities that it lacks — and confidently hold senior decision-makers to account.
Download this white paper to learn how your people, processes and tools can be adversary-aligned, and the benefits of doing so.
Safeguarding Banks With Security Updates, Patching, and Pen Testing
8 Critical Considerations For Defending Against Insider Threats
Subscribe today and we'll send our latest blog posts right to your inbox, so you can stay ahead of the cybercriminals and defend your organization.
See How New-Scale SIEM™ Works
New-Scale SIEM lets you:
• Ingest and monitor data at cloud-scale
• Baseline normal behavior
• Automatically score and profile user activity
• View pre-built incident timelines
• Use playbooks to make the next right decision
Request a demo of the industry’s most powerful platform for threat detection, investigation, and response (TDIR).
Get a demo today!