Dive Into SecOps ’23: Identity, Integration, and More
Cybersecurity experts convened at Mimecast’s SecOps Virtual to discuss top-of-mind issues, including security integration, identity management, and insider threats.
- Mimecast held its second annual SecOps Virtual conference, providing insight on the biggest trends and challenges facing security operations.
- Apollo 13 Chief Flight Director Gene Kranz delivered a keynote and was followed by several industry thought leaders, including insider threat expert Shawnee Delaney and ManpowerGroup’s CISO and chief privacy officer Randy Herold.
- The event is available on demand.
Creating an effective security operations organization is much like solving a puzzle. Cybersecurity leaders have to piece together high-performing teams, anticipate and respond to an ever-evolving array of threats, and get their tools to work together to deliver the intelligence they need to protect their organizations. It’s a challenge, to be sure.
At Mimecast’s SecOps Virtual 2023 event, Mimecast executives and industry experts shared their insight and experience about some of the key trends that cyber leaders are watching and the issues that are keeping them up at night. Balancing accessibility and security for the modern workforce, the role of identity as both a cyber risk and cyber solution, how to defend against insider threats, the challenge of finding cybersecurity talent and keeping them sane, and the possibilities (and limits) of automation and integration were all discussed during the virtual event. Bolstered by practical advice from Mimecast strategic alliance partners CrowdStrike, Exabeam, Okta, Netskope, Palo Alto Networks, Rapid7, and Secureworks, the event covered a range of best practices for SecOps and beyond.
Risk Management: Addressing the Unknown and Responding to the Unthinkable
Apollo 13 Chief Flight Director Gene Kranz kicked off SecOps ’23 with an inspiring and enlightening keynote discussion with Mimecast Senior Director of Strategy & Evangelism Thom Bailey. Cybersecurity leaders and professionals responsible for managing unrelenting risk and high-stakes responses might find their challenges pale in comparison to what Kranz lived through, but the parallels are clear.
“We’re in the same business,” Kranz told attendees, “the business of risk management.”
Responsible for crew safety and mission success dating back to the Gemini 4 mission, in 1970 Kranz led the effort to bring the Apollo 13 crew home safely after an oxygen tank exploded. But it wasn’t the only crisis Kranz successfully managed. He shared lesser-known anecdotes from three perilous missions, as well as his hard-won lessons learned about addressing the unknown, mitigating risk, high-pressure decision-making, and creating strong teams.
“You have to build a chemistry related to the task, where people doing similar jobs are not individuals but they become one person accomplishing a function,” Kranz said. “They do this as a result of what I call ‘task chemistry.’ This is then amplified when you add in the social and psychological chemistry. All of a sudden, instead of being a normal team, over a period of time, you become a dynasty.”
Identity Attacks, Identity Solutions
The increasing role of identity in security is on the front burner for cybersecurity leaders across industries. Identity-based threats — from credential theft and credential stuffing, to man-in-the-middle attacks, to phishing and password spraying — are responsible for an outsized proportion of cyber risk today. With companies going all-in with the cloud to support their hybrid and remote workforces, they are particularly vulnerable to identity-based attacks.
As the boundaries of traditional business (and technology environments) fade, identity is emerging as the new perimeter. A breakout session by John Grundy, senior strategic alliance manager at Mimecast partner Okta, explored how having a common identity platform can provide continued access for employees and protection against the growing threat of identity-based attacks.
Remote and hybrid work was an existential necessity during the COVID-19 pandemic and, ultimately, a workplace transformation, but its continuation, together with the explosion of new enabling technologies and tools, opens up new avenues for cyber risks. Further on the topic of balancing security with the needs of a modern workforce, Mimecast’s Bailey brought in ManpowerGroup CISO Randy Herold and Mimecast Chief Security & Resilience Officer Mick Paisley to discuss how companies can “work protected” in evolving technology environments. Herold talked about the importance of not only preparing for uncertainty, but also practicing for it. Charged with protecting an organization that operates in more than 70 countries, Herold also shared lessons from his own staffing challenges.
“We’re constantly dealing with a shortage of resources, whether it’s skills or quantity or both. The way we’re dealing with it is in two different manners,” Herold said. “First, we’re looking for talent that can work from anywhere around the globe and can serve anybody anywhere around the globe. The other piece is that we are recruiting even when I don’t have openings because if we can find quality people, we can find work for them to do.”
Insider Threats: Inside and Out
Compromised credentials account for a significant portion of security breaches, and an increasing number of these breaches happen internally. Defending against insider threats was the focus of two SecOps ’23 sessions.
One of them featured Shawnee Delaney, who has served as a clandestine officer conducting human intelligence operations for the Defense Intelligence Agency, coordinated intelligence community relationships for the Department of Homeland Security, and set up insider threat programs for Uber and Merck. Big picture: She has gone from recruiting malicious insiders to fighting them. Delaney now leads her own insider threat consulting business; she talked to Mimecast regional CISO Neil Clauson about the insider threat from both vantage points.
“If you have humans working for you, you have insider risk,” said Delaney, who went on to explain three different types of insider risks — negligent insiders, compromised insiders, and malicious or criminal insiders — and how to mitigate them.
In the other session about defending against insider threats, the point was made that too often, actions by disgruntled employees or bad actors with valid credentials go undetected for too long.
“Insider threats can arise from multiple sources,” said Mike Moreno, senior product marketing manager at Mimecast partner Exabeam, in a breakout session, noting that layoffs and restructuring, social engineering, and phishing all can lead to insider threats. “You, as a security analyst or director, need to be aware of what’s going on.”
You also need a strategy for mitigating insider risks. Moreno went on to explain the power of combining user and entity behavior analytics (UEBA), artificial intelligence, and awareness training to identify abnormal behavior, deter internal threats, and automate and accelerate responses.
Automation and Integration: Where to Begin
Reducing the number of products and vendors in day-to-day use with security integration can be an important step to easing security complexity and improving an organization’s security posture. Likewise, increased automation can have similar benefits and free up scarce and overburdened security professionals to focus on higher level work.
Ben Bryant, a security orchestration, automation, and response (SOAR) specialist with 20 years of experience in IT who currently works as a solutions architect for Palo Alto Networks’ XDR solution, shared some valuable automation use cases and real-world results in the “How Integration and Automation can make almost anything possible” breakout session. In another breakout session, “Automation: Is the juice worth the squeeze?” Rapid7 practice lead Jeffrey Gardner and SOAR lead project manager Tyler Terenzoni offered practical advice on where and how to start with automation, and how to measure progress.
“We have organizations and attack surfaces that are growing as teams migrate to the cloud, as infrastructure gets more complex. This has led to security teams implementing a record number of tools,” Terenzoni said. “That results in a large number of alerts that are generated, which increases alert fatigue and further burdens an already burdened security team.”
As security leaders also deal with economic uncertainty, they need a force multiplier. “That force multiplier is automation,” Gardner added.
The Bottom Line
Mimecast’s SecOps Virtual 2023 event went far beyond SecOps tips and best practices to cover a broad range of relevant topics for today’s cybersecurity leaders and their teams. In addition to the sessions noted above, other topics of discussion included the importance of being vigilant against “survivor bias,” building and retaining high-performing teams, maintaining the mental health of stretched-thin cybersecurity professionals, and separating the cyber risk signal from the noise.
Visit the Mimecast SecOps Virtual 2023 event page to view recordings of these and other sessions on demand.
 “After a Ransomware Attack, ‘Survivor Bias’ May Conceal the Root Cause,” Heller Search