Automate to maximise analysis

Stemplinger said threat intelligence feeds are useful to help information security professionals keep their knowledge current and give insight into what threats are on the horizon.

“This allows you to adapt your defences, which is why it is also useful to exchange threat information with your peers,” he said.

However, Stemplinger said that, to save time and improve efficiency, as much of this as possible should be automated by using things such as automatic feeds to security information and event management (SIEM) systems.

“Once you have done all that, you need to be able to spot attacks by collecting and processing as much security information as you can,” he said.

Stemplinger recommended organisations analyse their security data to define a baseline of “normal” and build capabilities to do this automatically and highlight any anomalies.

“Automate as much as possible, so that analysts only need to spend time looking at things that need human analysis,” he said.

Resilience also requires a proactive approach, and for this Stemplinger recommended that information security professionals run regular “experiments” to spot malicious activity.

“Start with a question. Ask yourself what log entries would you need to see to identify a likely attack on your organisation, then automate the collection and analysis of that data,” he said.
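The two ideas above, a baseline of “normal” with automatic anomaly highlighting and a detection that starts from a concrete question about log entries, combined in a small added example (not from the article or the speaker). It assumes a constructed log format of “hour user result” and asks: how many failed logins per user per hour is normal, and which pairs exceed it?

```python
import re
import statistics
from collections import Counter

# Constructed sample auth log (not from the article), "<hour> <user> <result>";
# hours 09-12 are the quiet baseline window, hour 13 holds a burst of failures.
SAMPLE_LOG = """\
09 alice ok
09 alice fail
10 bob fail
11 carol fail
11 carol fail
12 alice fail
13 mallory fail
13 mallory fail
13 mallory fail
13 mallory fail
"""
BASELINE_HOURS = {"09", "10", "11", "12"}
LINE_RE = re.compile(r"^(?P<hour>\d{2}) (?P<user>\w+) (?P<result>ok|fail)$")

def parse(log_text):
    """Yield (hour, user, result) for each well-formed line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["hour"], m["user"], m["result"]

def failures_per_user_hour(events):
    """The question being asked: how many failed logins per user per hour?"""
    counts = Counter()
    for hour, user, result in events:
        if result == "fail":
            counts[(user, hour)] += 1
    return counts

def build_baseline(counts, baseline_hours):
    """Mean and population stdev of the observed counts inside the baseline window."""
    values = [n for (_, hour), n in counts.items() if hour in baseline_hours]
    return statistics.mean(values), statistics.pstdev(values)

def find_anomalies(counts, baseline, k=3.0, floor=3):
    """Flag pairs above mean + k*stdev; the floor stops a near-flat baseline flagging noise."""
    mean, sd = baseline
    threshold = max(mean + k * sd, floor)
    return sorted((u, h, n) for (u, h), n in counts.items() if n > threshold)

def run(log_text=SAMPLE_LOG):
    counts = failures_per_user_hour(parse(log_text))
    return find_anomalies(counts, build_baseline(counts, BASELINE_HOURS))
```

Only the flagged pairs need an analyst's attention; everything within the baseline is left alone, which is the point of automating the collection and first pass of analysis.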

At the same time, information security professionals should work to strengthen their ability to contain attacks by assessing how fast they would see an attack, what they would do in the event of an attack, how they would isolate an attack, and how quickly they could clean affected systems.

The next important element of a resilience strategy, he said, is to define an incident response process that includes all relevant parties, both inside and outside the organisation, such as suppliers.

“Define responses at a business level so that it is clear to everyone who is responsible for shutting down particular systems and under what circumstances they should do so,” he said.

Finally, Stemplinger said continuous improvement is mandatory when it comes to increasing the resilience of an organisation.

“Test your incident response processes continually and conduct ‘lessons-learned’ sessions after each test or security incident. Build the results into your security architecture,” he said.

Stemplinger said that, while protection remains a fundamental part of information security, organisations need to move beyond that to build their capacity to detect attacks and respond.

“Increasing an organisation’s ability to detect and respond not only increases security, but also makes the business more agile and executives less anxious,” he said.
