Evaluating Success in Adversary-aligned Security Operations - Exabeam

Published
April 20, 2023

In our last post, we explored why CISOs need to expand and evolve their thinking around what — and who — constitutes an adversary. In this final part of our series on adversary alignment, we will explore three lenses through which a CISO can evaluate the success of an adversary-aligned security operations team and the value it delivers to the organization.

The risk lens

The risk lens focuses on the capacity to preempt, manage, and mitigate problems before they occur. Best practices involve ranking and tallying deviations in normal user behavior, device behavior, or network activity, taking action when a risk score exceeds a designated threshold, and prioritizing the response. This lens demonstrates the crucial role of defenders within the organization.
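The risk-lens workflow described above (rank deviations, tally them per entity, act when a score crosses a threshold, prioritize the response) can be sketched as follows. This is an added example, not Exabeam's code or product logic; the entity names, metrics, weights, z-score cutoff, and threshold are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: seven days of a daily metric per entity (not real telemetry).
BASELINE = {
    ("user:alice", "logins_failed"): [1, 0, 2, 1, 1, 0, 2],
    ("user:alice", "mb_uploaded"): [40, 55, 38, 60, 47, 52, 44],
    ("device:lab-pc7", "new_processes"): [3, 4, 2, 3, 5, 4, 3],
    ("user:bob", "logins_failed"): [0, 1, 0, 0, 1, 0, 1],
}
# Constructed observations for the day being scored.
TODAY = {
    ("user:alice", "logins_failed"): 9,
    ("user:alice", "mb_uploaded"): 300,
    ("device:lab-pc7", "new_processes"): 9,
    ("user:bob", "logins_failed"): 1,
}
# Assumed ranking: how much each kind of deviation contributes to risk.
WEIGHTS = {"logins_failed": 10, "mb_uploaded": 25, "new_processes": 15}
Z_CUTOFF = 3.0       # assumed: smaller deviations count as normal behavior
RISK_THRESHOLD = 30  # assumed: score at which an entity is escalated


def deviation(history, value):
    """Standard deviations above the baseline mean (0.0 if not above it)."""
    mu, sigma = mean(history), pstdev(history)
    sigma = sigma or 1.0  # flat baseline: avoid dividing by zero
    return max(0.0, (value - mu) / sigma)


def score_entities(baseline, today):
    """Tally weighted deviations per entity: {entity: (score, reasons)}."""
    scores = defaultdict(lambda: [0, []])
    for (entity, metric), value in today.items():
        z = deviation(baseline[(entity, metric)], value)
        if z >= Z_CUTOFF:
            scores[entity][0] += WEIGHTS[metric]
            scores[entity][1].append(f"{metric} z={z:.1f}")
    return {e: (s, r) for e, (s, r) in scores.items()}


def response_queue(scores, threshold=RISK_THRESHOLD):
    """Entities at or over the threshold, highest risk first."""
    over = [(e, s, r) for e, (s, r) in scores.items() if s >= threshold]
    return sorted(over, key=lambda item: item[1], reverse=True)
```

With the constructed data, the device shows one real deviation but stays below the threshold, while the user with two stacked deviations is the only entity queued for response.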

The event lens

The event lens focuses on optimizing tools and technologies to ensure that the right behaviors trigger the right responses. The main proof point lies in the accuracy and efficacy of alerts, as well as the meaningful triage of identified threats. These best practices help assess alerts and events and their impact on the organization’s security posture.

The hunt lens

The hunt lens focuses on fully comprehending the range of actions and reactions an adversary may attempt. This involves active threat hunting and adopting an “assume breach” mindset. Defenders analyze intelligence reports and breach details from other organizations, pursuing a creative, iterative approach to playing out hypothetical scenarios.

These lenses function as a continuous feedback and improvement loop, each enhancing the other, ultimately leading to a more effective security operations team.

Adversary alignment: a summary

Adversary alignment represents a comprehensive rewiring of how CISOs and senior decision-makers perceive their security posture. It involves understanding adversaries as not only cybercriminals and malicious insiders but also internal actors and factors that create vulnerabilities.

By aligning with how adversaries think and act, the security operations team can anticipate behaviors, reduce risks, and continuously refine security processes through powerful insights and analytics.

Embracing adversary alignment empowers CISOs to create a culture of:

  • Risk awareness — “Security as a shared responsibility” is embraced by everyone.
  • Empowerment — Encouraging a critical, creative, and proactive security operations team while helping the organization avoid threats to their credentials, data, and reputation.
  • Communication — Security leaders and teams can speak candidly about the organization’s security capabilities and confidently hold decision-makers accountable.

Conclusion

Adversary alignment is an essential strategy for any organization seeking to improve its cybersecurity posture. By understanding the different types of adversaries and using the three lenses to evaluate the success of an adversary-aligned security operations team, CISOs can drive meaningful change within their organizations, fostering a culture of risk awareness, empowerment, and communication.

To learn more, read the complete CISO’s Guide to Adversary Alignment.

Adversary alignment is the ability to understand your organization’s visibility and capability gaps to detect threats across the entire cyberattack lifecycle. The adversary-aligned CISO has the power to profoundly shift their organization to create a culture of risk awareness, empowerment, and communication, where security leaders and teams can speak candidly about the security capabilities the organization has — and the capabilities that it lacks — and confidently hold senior decision-makers to account.
