The past couple of years have witnessed an explosion in cyber-attacks. In an effort to keep their businesses alive, many organizations, no doubt, had to accelerate their digital transformation initiatives. But in doing so, many neglected the security consequences and ended up suffering cyber-attacks as a result. Also, after a security incident, many organizations took a considerable amount of time to remediate the vulnerabilities.
The situation has been worse for organizations with multiple subsidiaries, as it takes them more time to remediate security gaps than single-entity organizations. This is primarily because integrating entities into a network or security architecture increases the attack surface. Additionally, a weak security policy in one subsidiary creates corporate-wide exposure. Furthermore, within subsidiaries or during an acquisition, data sources or exposed assets, which can be significant, are often overlooked.
Keeping this in mind, CISOs should create strategies that will help them to monitor security practices. They should find out how they decrease their risk of vulnerabilities through frameworks such as MITRE's Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) as well as incident response plans. This will make it easier to identify asset valuations and risk during the discussion and assessment of an acquisition or merger, on either side of the deal.
Here are a few ways that CISOs can use to optimize security monitoring for federated organizations:
Regularizing data input
Organizations often have centralized IT functions in place, but centralized functions for security monitoring, incident response, and threat detection are far less common. Subsidiaries often utilize multiple technology stacks, regulatory requirements, processes and communication tools, and each team within the organization communicates on its own. This makes life difficult for parent organizations, which lack visibility into subsidiaries' assets as well as context for discovered risks.
Therefore CISOs should opt for standardized response processes as well as shared risk definitions, such as MITRE ATT&CK, to create a common language. Tagging alerts with both the framework technique and the business entity allows alert contextualization as well as linkage to common response plans.
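As an added illustration (not code from the article), the following Python shows what tagging alerts with an ATT&CK technique and a business entity looks like in practice: alerts arriving from two subsidiaries in different tool formats are normalized into one corporate schema, tagged with `entity:` and `attack:` labels, linked to a shared response plan, and any technique with no plan is surfaced as a response gap. The subsidiary names, vendor field layouts, technique-to-plan mapping and sample alerts are all constructed for the example.

```python
"""Added example (not from the article): normalize alerts from several
subsidiaries into one schema tagged with an ATT&CK technique ID and the
business entity, then link each alert to a shared corporate response plan.
Subsidiary names, vendor field layouts, the technique-to-plan mapping and
the sample alerts are all constructed for illustration."""
from dataclasses import dataclass, field
import re

# Hypothetical mapping from ATT&CK technique ID to a corporate response plan.
RESPONSE_PLANS = {
    "T1566": "IR-PLAN-PHISHING",
    "T1110": "IR-PLAN-BRUTE-FORCE",
    "T1486": "IR-PLAN-RANSOMWARE",
}

# ATT&CK technique IDs look like T1566 or, for sub-techniques, T1566.001.
TECHNIQUE_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")


@dataclass(frozen=True)
class NormalisedAlert:
    entity: str
    source_tool: str
    technique: str        # ATT&CK technique ID, e.g. T1566
    asset: str
    severity: str
    response_plan: str    # "UNMAPPED" when no plan exists for the technique
    tags: tuple = field(default_factory=tuple)


def normalise(entity: str, raw: dict) -> NormalisedAlert:
    """Map a subsidiary's raw alert into the corporate schema.

    Each subsidiary uses a different tool and field layout (both vendor
    formats here are constructed). The technique ID is validated, and a
    sub-technique such as T1566.001 is rolled up to its parent technique
    when looking up the response plan.
    """
    if raw.get("vendor") == "edr-a":
        technique, asset, sev = raw["attack_id"], raw["hostname"], raw["severity"].lower()
    elif raw.get("vendor") == "siem-b":
        technique, asset, sev = raw["mitre"]["technique"], raw["src_host"], raw["priority"]
    else:
        raise ValueError(f"unknown vendor in alert from {entity}: {raw.get('vendor')!r}")

    if not TECHNIQUE_RE.match(technique):
        raise ValueError(f"invalid ATT&CK technique ID {technique!r} from {entity}")

    parent = technique.split(".")[0]
    plan = RESPONSE_PLANS.get(parent, "UNMAPPED")
    tags = (f"entity:{entity}", f"attack:{technique}", f"plan:{plan}")
    return NormalisedAlert(entity, raw["vendor"], technique, asset, sev, plan, tags)


def coverage_gaps(alerts):
    """Return the (entity, technique) pairs with no response plan, i.e. the
    response gaps the parent organization still has to fill."""
    return {(a.entity, a.technique) for a in alerts if a.response_plan == "UNMAPPED"}


# Constructed sample alerts from two subsidiaries using different tools.
SAMPLE_ALERTS = [
    ("subsidiary-north", {"vendor": "edr-a", "attack_id": "T1566.001",
                          "hostname": "fin-ws-07", "severity": "HIGH"}),
    ("subsidiary-south", {"vendor": "siem-b", "mitre": {"technique": "T1110"},
                          "src_host": "vpn-gw-2", "priority": "medium"}),
    ("subsidiary-south", {"vendor": "siem-b", "mitre": {"technique": "T1021"},
                          "src_host": "db-01", "priority": "high"}),
]


def run():
    """Normalize the sample alerts and report the plan coverage gaps."""
    alerts = [normalise(entity, raw) for entity, raw in SAMPLE_ALERTS]
    return alerts, coverage_gaps(alerts)


if __name__ == "__main__":
    alerts, gaps = run()
    for a in alerts:
        print(a.entity, a.technique, a.response_plan, a.tags)
    print("gaps:", gaps)
```

The `coverage_gaps` result is the useful output for a CISO: it lists, per subsidiary, the techniques that are being detected but have no corporate response plan attached, which is exactly the consistency check and gap-filling the section calls for.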
In conclusion, CISOs should build baseline threat detection, assess consistency, and fill response gaps from a risk perspective to align subsidiary response and corporate policy and messaging.
Integrating defined technology sets
Since the entities being acquired have their own security infrastructure in place at the time of acquisition, organizations should integrate and monitor that infrastructure rather than replace it immediately. While CISOs should strive to standardize the infrastructure, they should treat that as a long-term goal.
They will need to work with a range of systems, such as security information and event management (SIEM), vulnerability management, endpoint detection and response (EDR), and threat intelligence. By adopting MITRE ATT&CK as the common reference, detection and response can function in a technology-independent manner. Subsidiaries that share a common orchestration platform enforce enterprise-wide policies more seamlessly.
One of the critical challenges faced by organizations is building a mechanism to share security operation costs. Federated organizations often require fair, scalable models.
Organizations should define tangible pricing models based on the number of assets under monitoring. While this is easy to implement for EDR, it is much more complicated for cloud and application monitoring. Self-service portals for subsidiaries with in-depth cybersecurity cost reporting allow entities to run independently yet be charged back accurately for security service costs.