From Cybersecurity Webmaster to CISO

Sep 06, 2023

Navigating the Tides of Change & Building a Resilient SOC

Charting the course of my career, transitioning from a cybersecurity webmaster to chief information security officer (CISO), has given me unique insights (and scars) into the multifaceted nature of cybersecurity. Where prevention and incident response focus on what you need to do to avoid or handle cyberattacks and minimize the fallout, a resilient SOC focuses on creating efficient and repeatable processes. It not only ensures your ability to withstand an attack without catastrophic consequences, but also ingrains the idea of anti-fragility.

The transformation I’ve seen in cybersecurity over the past 15 years has been incredible. The idea of what to secure has expanded as the cloud, mobile devices and IoT have evolved. Multifactor authentication (MFA) and stronger encryption have become the norm rather than the exception. And more emphasis has been placed on continuous and holistic cybersecurity awareness, including through Zero Trust, real-time threat detection, attack surface management, vendor risk management and user education.

However, while the technology, adversarial tactics and security practices have changed quite a lot, the underlying philosophy within the security operations center (SOC) is still primarily focused on prevention and response alone. There needs to be a third pillar of cybersecurity philosophy – resiliency.

Every security incident should be a learning opportunity to build stronger defenses, and sometimes it may require a complete rethinking of how security works.

The Cybersecurity Webmaster Era

When I began my journey as a cybersecurity webmaster, the internet was in its nascent stage. Websites were becoming digital storefronts, and the role of a webmaster was pivotal. Beyond ensuring the site was up and running, my task was to safeguard it from emerging cyberthreats.

Luckily for me, cyberthreats were relatively unsophisticated at this time. Simple distributed denial of service (DDoS) attacks, website defacement and basic malware were the primary concerns. The tools at our disposal were rudimentary. But, as online transactions and data sharing became more commonplace, the need for advanced security mechanisms became apparent.

The Transition to CISO

Taking the helm as a CISO, the strategic dimensions of cybersecurity came into sharper focus. Beyond merely ensuring technical safeguards, it became crucial to integrate cybersecurity into the very fabric of business strategy. The purview now encompassed risk management, crisis communication, regulatory compliance and, most importantly, aligning security imperatives with business objectives.

CISOs had to stop wondering whether security was strong enough if an attack happened. Instead, they needed to ensure processes were in place when an attack inevitably arrived. This is the foundation of building a resilient SOC – building efficient and easily automated processes to mitigate attacks as they come, minimizing the fallout, and finding ways to strengthen security with each hard lesson learned.

Monumental Industry Changes

Over the years, there have been instances where a new technology or strategy completely rethinks how security operates and greatly improves resiliency:

  • Shift to Zero Trust – The traditional security model operated on the principle of “trust but verify,” but its verification methods always came with flaws, and it has been replaced by the Zero Trust model. With Zero Trust, the default stance is mistrust, requiring verification for every user and device trying to access resources, irrespective of their location.
  • Cloud Security and Hybrid Environments – With the surge in cloud adoption, securing hybrid environments that combine on-premises and cloud resources has become paramount. CISOs must ensure that data remains secure as it travels between these environments and as it resides in the cloud. Additionally, organizations need to be more diligent about attack surface management in the face of constant changes.
  • Automation and Intelligence – SOCs today are flooded with data and alerts, and it is impossible to make sense of it all manually. CISOs must implement intelligent systems to ensure only critical tasks are seen by analysts and everything else is automated.

The Cyber Transformation Journey Faltered at Detection & Response

However, in the ever-evolving world of cybersecurity, one glaring challenge that many organizations continue to face is the duration it takes to detect and respond to cyber breaches. Threat actors can live off the land, using legitimate system tools to maintain persistent access and avoid detection.

Despite advancements in technology, many breaches still go unnoticed for weeks or months and, subsequently, take as long to prevent and contain. Even worse, the evidence of these breaches can be pulled together easily, but only after the fact. In a resilient SOC, those indicators of compromise should be surfaced automatically before the impact occurs.

This transformation has been stymied, primarily due to the legacy SIEMs that we have all been forced to rely on. These legacy SIEMs have numerous challenges, including scalability issues, limited analytics capabilities, integration challenges, slow search and query performance, alert fatigue and a lack of cloud-native support, among others.

Last year, we decided to take up the challenge and transform our detection and response program with resiliency in mind. We discovered that you can build a more resilient SOC by rethinking automation, data analytics and where security analysts fit into the process. This meant building a SOC platform that was automation-first, could intelligently filter through alerts to surface true threats and could adapt to detect and stop even novel attacks. So, a vital component was shutting down our legacy SIEM and moving to the newly launched Palo Alto Networks XSIAM SOC platform.

We were able to complete this XSIAM transformation journey in just 6 months. This provided us with an in-depth picture by pulling data from endpoints, network, cloud and identity systems, then normalizing and stitching it all together. We then applied our machine learning models to reduce our alerts, achieving a mean time to detect (MTTD) of 10 seconds and a mean time to respond (MTTR) of 1 minute for critical and high alerts.
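To make the "automation-first" idea from the Automation and Intelligence bullet and the normalize-stitch-filter pipeline described in the last two paragraphs concrete, here is a small added example. It is not code from the original post and has nothing to do with how XSIAM or any Palo Alto Networks product works internally: the three source formats, the severity mapping, the stitching window, the analyst threshold, the playbook latency and every alert below are constructed assumptions. It normalizes alerts from an endpoint agent, a network sensor and an identity provider onto one schema, stitches them per host into incidents, lets an incident reach an analyst only once corroborated evidence crosses a score threshold (everything else is auto-closed), and computes MTTD and MTTR over the escalated incidents.

```python
"""Toy automation-first triage pipeline (added example, constructed data)."""
from datetime import datetime, timedelta

# Constructed raw alerts in three vendor-specific shapes. None of these
# field names belong to a real product; they only show why normalization
# is needed before anything can be stitched together.
RAW_ALERTS = [
    {"src": "edr", "ts": "2023-09-01T10:00:00", "hostname": "ws-17",
     "rule": "lolbin-download-utility", "sev": 3},
    {"src": "ids", "time": "2023-09-01T10:00:05", "dst_host": "ws-17",
     "sig": "outbound-to-rare-domain", "priority": "medium"},
    {"src": "idp", "when": "2023-09-01T10:00:08", "device": "ws-17",
     "event": "new-admin-session", "level": "high"},
    {"src": "ids", "time": "2023-09-01T11:30:00", "dst_host": "ws-04",
     "sig": "noisy-printer-broadcast", "priority": "low"},
    {"src": "edr", "ts": "2023-09-01T12:00:00", "hostname": "ws-09",
     "rule": "known-installer-signed", "sev": 1},
]

SEVERITY = {"low": 1, "medium": 2, "high": 3}   # assumed text-to-number map
ANALYST_THRESHOLD = 6                            # assumed: score a human must see
STITCH_WINDOW = timedelta(minutes=10)            # assumed: max gap within one incident
PLAYBOOK_LATENCY = timedelta(seconds=45)         # assumed: time an auto-containment playbook takes


def normalize(raw):
    """Map each vendor-specific record onto one common schema."""
    if raw["src"] == "edr":
        return {"t": datetime.fromisoformat(raw["ts"]), "host": raw["hostname"],
                "name": raw["rule"], "sev": raw["sev"], "src": "edr"}
    if raw["src"] == "ids":
        return {"t": datetime.fromisoformat(raw["time"]), "host": raw["dst_host"],
                "name": raw["sig"], "sev": SEVERITY[raw["priority"]], "src": "ids"}
    if raw["src"] == "idp":
        return {"t": datetime.fromisoformat(raw["when"]), "host": raw["device"],
                "name": raw["event"], "sev": SEVERITY[raw["level"]], "src": "idp"}
    raise ValueError(f"unknown source {raw['src']!r}")


def score(inc):
    """Summed severity plus one point per additional corroborating source."""
    sev = sum(e["sev"] for e in inc["events"])
    corroboration = len({e["src"] for e in inc["events"]}) - 1
    return sev + corroboration


def stitch(events):
    """Group events per host into incidents in time order. A new incident
    starts when the gap since that host's previous event exceeds the window.
    The detection time is stamped on the event that first crosses the threshold."""
    incidents, open_by_host = [], {}
    for ev in sorted(events, key=lambda e: e["t"]):
        inc = open_by_host.get(ev["host"])
        if inc is None or ev["t"] - inc["events"][-1]["t"] > STITCH_WINDOW:
            inc = {"host": ev["host"], "events": [], "detected_at": None}
            incidents.append(inc)
            open_by_host[ev["host"]] = inc
        inc["events"].append(ev)
        if inc["detected_at"] is None and score(inc) >= ANALYST_THRESHOLD:
            inc["detected_at"] = ev["t"]
    return incidents


def triage(incidents):
    """Escalate detected incidents to the analyst queue (with the automatic
    containment playbook already run); auto-close everything below threshold."""
    for inc in incidents:
        inc["score"] = score(inc)
        if inc["detected_at"] is not None:
            inc["disposition"] = "analyst"
            inc["responded_at"] = inc["detected_at"] + PLAYBOOK_LATENCY
        else:
            inc["disposition"] = "auto-closed"
    return incidents


def mean_times(incidents):
    """MTTD: first event to detection. MTTR: detection to containment.
    Both in seconds, averaged over escalated incidents only."""
    escalated = [i for i in incidents if i["disposition"] == "analyst"]
    if not escalated:
        return None, None
    mttd = sum((i["detected_at"] - i["events"][0]["t"]).total_seconds()
               for i in escalated) / len(escalated)
    mttr = sum((i["responded_at"] - i["detected_at"]).total_seconds()
               for i in escalated) / len(escalated)
    return mttd, mttr


def run(raw_alerts=RAW_ALERTS):
    incidents = triage(stitch([normalize(r) for r in raw_alerts]))
    return incidents, mean_times(incidents)


if __name__ == "__main__":
    incs, (mttd, mttr) = run()
    for i in incs:
        print(i["host"], i["disposition"], "score", i["score"])
    print("MTTD", mttd, "s  MTTR", mttr, "s")
```

With the constructed data only the ws-17 incident reaches an analyst: the endpoint alert alone scores 3, the network alert five seconds later adds severity 2 plus a corroboration point, and the identity event confirms it. The two single low-severity alerts never cross the threshold and are auto-closed without anyone looking at them, which is the point of the filtering. Note that the corroboration bonus rewards evidence from independent sources; a real scoring model would be tuned against the organization's own alert history rather than these hand-picked constants.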

The Resilient SOC: Essential Reading for CISOs

Are you up to transforming your detection and response program? If so, start your journey with building your resilient SOC. This new asset is an interactive digital experience where we feature seven chapters on security issues, such as supply chain risks, ransomware, automation and more, including a chapter on our Cortex portfolio. The future looks bright, and we’re proud to be creating a safer version of it with the innovation we’re providing today.
