This presentation will examine the findings of a doctoral study into the strategies cybersecurity professionals need to reduce the gap between the attacker's time to compromise and the defender's time to detect and respond. This is an opportunity to learn from the experiences of cybersecurity professionals within the financial services industry who have implemented or are implementing security automation.
The session will cover strategies to ensure success, challenges faced, use cases implemented, and benefits from security automation and adaptive defense methods. The conceptual framework for this doctoral study proposed using automation and intelligence sharing to speed the detection of and response to cyber attacks while using deception and adaptive defense methods to slow the attack. It was determined that defenders must address both sides of the equation to narrow the gap between the attackers time to compromise and the defenders time to respond.
This presentation examines findings of a doctoral study into the strategies cybersecurity professionals need to reduce the gap between the attacker's time to compromise and the defender's time to detect and respond. This is an opportunity to learn from the experiences of cybersecurity professionals within the financial services industry who have implemented or are implementing security automation. The exploratory qualitative study used semi-structured interviews to collect information from 10 participants with cybersecurity experience in the financial services sector, including analysts, engineers, senior management, and CISOs. An iterative open-coding process was used to analyze the data, from which the following six themes emerged: (a) use of automation in security operations, (b) benefits of security automation, (c) requirements for successful security automation, (d) use of intelligence sharing in security operations, (e) minimal use of deception and automated response, and (f) impediments to effective intelligence sharing.
Cyber defenders must improve detection and response times to help counter the increasing cyber threats. Recent advances and research into security orchestration and adaptive cyber defenses seek to lessen the advantage enjoyed by the attackers. The leading research addresses the problem through three major concepts: (a) community sharing of security intelligence, (b) automation and orchestration of security responses, and (c) the use of adaptive cyber defenses. This study explored the strategies that cybersecurity professionals within the financial services industry can employ to improve cyber defenses using automation, intelligence sharing, deception, and adaptive response.
Cyber attackers enjoy a significant advantage over the defenders in cyber conflict. The attackers' advantage stems from multiple issues, including the asymmetry of cyber conflict, the increased sophistication of cyber attacks, the speed and number of attacks, and a global shortage of cybersecurity talent. Current human-centered cyber defense practices cannot keep pace with the threats targeting financial services organizations. Cyber defenders must address both sides of the equation to narrow the gap between the attackers' time to compromise and the defenders' time to respond. An integrated approach involving security orchestration, automated response, information sharing, and advanced defense methods can reduce the competitive gap between attackers and defenders. The conceptual framework for this study proposed using automation and intelligence sharing to speed the detection of and response to cyber attacks while using deception and adaptive defense methods to slow the attack. By addressing both sides of the equation (the speed of defense and the speed of attack), the framework sought to decrease the attacker's advantage.
The study identified several strategies that cybersecurity professionals in the financial sector could employ. These strategies include focusing on quick wins when implementing security automation, using automation to mitigate data quality and relevancy concerns with intelligence sharing, and developing trust in automated response methods. The findings of this study support the need for and benefits of security automation. There are many use cases for security automation in the financial sector. Further, the financial sector can derive significant benefits from automation.
The findings show that financial institutions actively participate in intelligence sharing; however, several impediments to effective intelligence sharing exist. The main concerns with intelligence feeds relate to the quality of the data, the relevance of the data, and the recency or currency of the indicators. Cybersecurity professionals in the financial services industry could use a security automation strategy to help address each of these impediments to effective intelligence sharing. The findings suggest that the use of deception and automated response methods may not be prevalent within the financial sector. However, there is a strong interest in the future use of deception and automated response methods. The most significant challenge to overcome related to automated responses is developing trust and support by demonstrating that the automation is taking the correct action. Also, cybersecurity professionals need to consider how to counter or undo incorrect actions taken by automation.
Key take-aways:
