By Aaron Branson, Netsurion
Your cyber-risk tolerance (the types and amount of risk an organization is broadly willing to accept in its pursuit of value) governs your cybersecurity spend and, correspondingly, your cybersecurity posture. In simpler times, deploying a firewall to guard the network and installing signature-based anti-virus on the endpoints was considered enough for a medium level of cybersecurity. The evolution of the threatscape makes such a posture antiquated and consequently exposes the organization to very high levels of cyber-risk.
Avoidable risks are those you can address by implementing standard cybersecurity practices (e.g. patch management, multi-factor authentication, strong password policies, least-privilege access, security awareness training, and more). The big question to ask yourself and your organization is: “What is our acceptable exposure to unavoidable risk (our cyber-risk tolerance), and how do we best align to it (our cybersecurity posture)?”
Unavoidable risks basically fall into three camps:
Infrastructure risks: The average organization runs more than 450 different software applications and gives 182 partners and vendors some type of access to its IT environment on a weekly basis, according to BeyondTrust's Privileged Access Threat Report. These risks are unavoidable in a world where tool standardization and connectivity are necessary for doing business.
Industry-centric risks: It is not possible to avoid the risks that are inherent to operating in your industry. For instance, electronic health records (EHR) are an attractive target for threat actors due to the high values they fetch on the black market. No healthcare organization can completely eliminate these risks. What is your industry’s inherent risk?
Human-centric risks: People make mistakes. The possible existence of insider threats (both malicious and unintentional) cannot be eliminated.
Mitigating these risks essentially requires:
Coverage: A means by which you can identify and enumerate these risks – network, endpoint, and application activity as well as user behavior.
Monitoring: Both the technology to ingest telemetry and the expertise to configure the system for continuous reliability and effectiveness, and to conduct threat hunting.
Detection: Leverage machine learning and threat intelligence to correlate seemingly innocuous events and identify real cyber threats.
Response: With actionable intelligence on priority threats, employ automated incident response to triage a breach and contain an attack while security experts complete full remediation and forensic investigation.
Managed Detection & Response (MDR) services are seeing high rates of adoption among organizations that recognize such services as a must for modern threat defense.
Not to be confused with Managed Endpoint Detection & Response software alone, MDR services can have a wider scope of coverage.
The global MDR market size is expected to grow from an estimated value of USD 2.6 billion in 2022 to USD 5.6 billion by 2027, at a Compound Annual Growth Rate (CAGR) of 16.0% from 2022 to 2027. Some of the factors driving the market growth include the shortage of skilled cybersecurity professionals, budget constraints, government regulations, and strict regulatory compliance.
What benefits do MDR services provide in terms of risk reduction? In a nutshell, this service reduces unavoidable cyber-risk.
Your organization is not static. It’s always changing – and hopefully growing. As organizations grow, typically their cyber-risk tolerance shrinks. How do you invest in a proper MDR solution to solve for today’s risk tolerance while avoiding a future rip-and-replace to meet a more stringent risk tolerance in the future?
There are two axes on which your MDR solution should flex with your organization’s cyber-risk tolerance to deliver an aligned cybersecurity posture.
Breadth of coverage: Use a risk-based approach to prioritize your assets and start with the highest-risk assets among your network, endpoints, servers, SaaS, cloud infrastructure, etc. Your MDR solution should be able to scale up and scale down in terms of how many and which assets are covered.
Depth of protection: Take a defense-in-depth approach to prioritize the basics and most impactful security controls such as 24×7 security monitoring, a cadence of cybersecurity alert reviews from monthly to weekly to daily, a vulnerability management program, proactive threat hunting, etc. Your MDR solution should integrate with or offer many of these and allow you to enable/disable them as necessary.
There are three primary characteristics to dive into when selecting an MDR solution:
Will it cover my specific IT assets? Is it Extended Detection & Response (XDR)? XDR is an evolution of threat detection and incident response (TDIR) that breaks down the traditional data and environment silos of legacy SecOps platforms to deliver wider attack-surface visibility, deeper threat detection and, ultimately, faster incident response. XDR does not necessarily render other security controls obsolete. Rather, XDR platforms must ingest, normalize, and correlate telemetry from all sources, such as SIEM, EDR, and UEBA, to reduce noise, identify true Indicators of Compromise (IoCs), trigger appropriate automated responses, and deliver actionable alerts.
Will it scale with my business? Is it Open? Open XDR is a class of XDR that is vendor-agnostic in terms of its protection scope. Open XDR, sometimes called Hybrid XDR, is designed to integrate with other security technologies rather than ripping and replacing them; it is “open” to ingesting anything and everything the platform can. The key, however, is to inspect the quantity and quality of the data-source integrations the Open XDR platform provides.
Am I getting a tool or outcomes? Is it Managed? Managed XDR delivers this platform as a service combined with our 24×7 SOC (Security Operations Center) to provide not only platform hosting and tuning, but also a jointly defined SecOps Runbook, an IR Playbook, around-the-clock security monitoring, proactive threat hunting, and guided remediation support.