Preventing Yesterday’s Threats Tomorrow
4 simple reasons your security program is probably struggling
I recently crossed 20 years invested in the Information Security industry. That’s a lot of time wearing a white hat, doing my best to fight the good fight, punching miscreants as much as possible trying to protect a number of organizations and generally working to try to make the Internet a safer place for everyone. It’s been an honor working alongside some of the best and brightest in the security, risk and threat landscape, and doing good for some exceptional organizations, including the opportunities I’ve had along the way to work with some of the largest financial services firms, leading technology organizations, and giant retailers.
Several of my recent years were spent knife-fighting in the trenches in the security product space, before making an “Ali-like return to the ring” to where I started my career, on the defender side of the table, taking what was then my second CISO gig, for a major healthcare IT solutions provider.
There, while getting Ali-return-like pummeled on a day-to-day basis by a myriad of challenges, (think Ali vs. Holmes) I witnessed firsthand the swelling crest of several negative forces in the Information Security industry.
What had previously felt like whispered rumors or weak truisms — cliches we would repeat in the industry, but ones I didn’t really believe held power — ended up smacking me in the face… repeatedly, and with great vigor. As a result, I’m ready to admit what several before me have outlined — there are systemic, fundamental weaknesses underpinning the current foundation of modern information security. They are all problems that I believe are going to get worse before they get better (they are all negative trends that haven’t yet hit bottom) — and they are all weaknesses I believe all share a common solution.
First problem: constant gnawing emptiness — not an ever-present ennui, but emptiness in my organization: positions I couldn’t fill, talent I couldn’t retain. It’s been widely publicized, and in some ways in IT in general it’s always been considered a constant that there’s never enough quality talent to fill all the needs — but I feel the security talent shortage isn’t overblown, if anything it’s still being understated.
That shortage of key talent is being negatively amplified by a near-endless vendor ecosystem of security products that are all too often falling short of delivering meaningful results in the real world.
Once word leaked out in the industry that I was serious about bringing meaningful change to my organization, I experienced a never-ending stream of vendors — literally, dozens each week, week after week after week — that would quickly and enthusiastically claim to solve all my problems via virtually-indistinguishable buzzword driven marketing campaigns. And of course, all of the vendors produced results that matched their claims and everyone lived happily ever after.
OK. There were a notable few solutions I implemented that delivered exceptional ROI — Cloudflare was one, Checkmarx another — but in actuality, almost every vendor engagement led to implementations that fell significantly short of my already-low expectations — let alone falling flat on delivering real, meaningful change to my organization.
The vendors aren’t the only source of blame, of course. There were plenty of instances of self-inflicted injuries as well. One that still stings was a stellar (and ridiculously low-cost) endpoint visibility solution from Qualys that had a great portion of its value overtly neutered in the enterprise workflow when parts of the org chose to duplicate the functionality elsewhere.
Worse yet, Internal IT threatened revolt upon my request to roll out yet another endpoint agent — and validly so: in a six month period we installed or replaced at least a dozen different endpoint agents in attempt to solve various point problems, from encryption to web filtering, from malware to advanced malware (because of course our AV vendor’s ransomware product needed its own agent), and of course to achieve the aforementioned endpoint visibility to power endpoint detection and response.
At Blackhat, marketed as the “most respected” of the information security conference circuit, I overheard that there were a hundred vendors in representation that had some form of an endpoint agent. At first I assumed hyperbole, but after walking the floor of the vendor hall, I began to believe it was an understatement.
Second problem: it is painfully obvious that the security product space is overly fragmented, to the defender’s detriment, and to the detriment of easily and effectively achieving enterprise-wide visibility, detection and response.
I believe this fragmentation exists in no small part that’s because we’ve mostly been focusing on the wrong things, as Facebook CSO Alex Stamos did a great job advocating in his BlackHat keynote:
We focus on complexity, not harm. A lot of times we act like there’s an Olympic judge holding up a difficulty score that helps us determine whether the problem is worth putting effort into either researching it or fixing it. The truth is that the vast majority of harm comes from the simple problems that are difficult to solve, such as the rampant reuse of passwords. […] although there is a huge focus on 0-day exploits the truth is that campaigns using such exploits are rare while many thousands of people are affected by simpler attacks every day.”
While this resonated and I fully agree this focus on complexity is a significant factor in the security community, I also fear much of the source of the problem lies much farther back — much of the modern state of security is the longstanding natural consequence of early design decisions in technology, and some of it is the culmination of the ever-constant feature vs. security tradeoff decision that “the business” continually makes, finally coming home to roost.
“The business” — the collective term for those generally seen as the other side of the table from security, those driving towards business objectives in order to enhance shareholder value —is moving faster than ever in every direction — experiencing accelerated change, powered by rogue and shadow IT, the explosion of endpoints. IT was always intended to empower the business, and empower it, it has — generally at the cost of security.
“We have built the digital world too rapidly. It was constructed layer upon layer, and many of the early layers were never meant to guard so many valuable things: our personal correspondence, our finances, the very infrastructure of our lives. Design shortcuts and other techniques for optimization — in particular, sacrificing security for speed or memory space — may have made sense when computers played a relatively small role in our lives. But those early layers are now emerging as enormous liabilities. The vulnerabilities announced last week have been around for decades, perhaps lurking unnoticed by anyone or perhaps long exploited.”
The high profile security vulnerabilities Zeynep refers to were Spectre and Meltdown — and the easy way to explain them is that these, and virtually all security vulnerabilities, occur ultimately because security is hard and mostly because those that build things are not incentivized to build them securely.
The third problem can be summarized as “the market” — enhancing shareholder value — generally demands functionality (whether that’s speed or features or whatever else) and not security. As it stands, despite dropping a couple points from the high, Intel stock is still up a few percentage from 30 days ago, and is still up more than 22% in the past year. Equifax may have given back 16% of their stock price from peak post breach, but as of today they’re still up for the trailing twelve months — barely, but still up.
The market is speaking loud and clear, companies should continue to optimize for functionality and not for security. That doesn’t mean companies won’t focus on security, it just means the market will continue to demand products that are optimized for business value, and security will generally continue to be added on instead of baked in.
As such, prevention is and always will be a losing battle, because the market is prioritizing features and functions and connections and whatever else, over security — as such we are going to be fighting a losing battle when it comes to preventing threats.
Instead — Detection and Response are the fundamental keys to the next wave of information security — the fundamental answer to surviving the accelerating pace and scope of breaches.
Obviously, don’t drop your defenses, don’t stop a high level of focus on prevention, especially in terms of the very basics of prevention, like excelling at patch management. But at the highest level we need to make sure that the once the basics of prevention are established, that prevention is appropriately balanced with robust detection and serious response. And in most cases, in our industry, it’s not.
The fourth problem: Organizations need to shift focus beyond implementing security products that detect yesterday’s threats tomorrow, and instead concentrate on building the basics. For most, this means fundamentals of security combined with building the underlying ability to detect and respond to tomorrow’s threats when they come through the gates.
Most organizations painfully and pitifully aren’t able to accomplish the basics and are spending their time and resources chasing the new shiny. Mike Johnson, CISO of Lyft, summarized it effectively as:
Mike Johnson on LinkedIn: "Want to start a cybersecurity...
Want to start a cybersecurity program or mature an existing one? It's not about buying the latest cool tech. Security…
“Want to start a cybersecurity program or mature an existing one? It’s not about buying the latest cool tech. Security is about fundamentals, plain and simple. Don’t try and immediately become a cutting edge security program. Don’t model your program on those that have crazy funding or absurdly large staffs or have been around longer than your entire company. It’s too much to bite off at once. What to do? Fundamentals.”
Requirements in most regulated industries — and general best practices in most others — mean you should have someone looking at your security events — evaluating and responding to all those alerts generated by the various “false posifitve platforms” you’ve chosen to implement. This means Security Operations all day every day — usually conducted by the aptly named “24x7 Security Operations Center.” Roll up all the principles outlined above:
- Focus on the basics, which meant detection and response, not just prevention products that detect “yesterday’s threats tomorrow”
- Find a way to combat the constant talent shortage in security
- Move faster, to meet the business’ need for speed and functionality.
- Achieve all of the above without blowing my budget or breaking the bank.
and I had arrived at a clear plan of action: I would document a clear requirement for the board and executive management, a business plan to invest in building out a a 24x7 Security Operations Center (and all that went with it). We’d expand our capabilities, we’d have the funds to shore up our resources, and we’d be able to enable the business to move at the speed they required.
One go-round with my company’s exceptionally talented CFO produced an unarguably lopsided financial model that unequivocally proved buy-vs-build was more cost effective, by far. The first three points led me to build a SOC, the latter led me to understand it needed to be outsourced to do it cost effectively.
This led to what would prove a very frustrating attempt to buy a managed SOC solution for my org last year. An ultimately fruitless endeavor I will spare you the full details of at this time, because I’ve already consumed more of your time than I deserve. But suffice to say, I burned a significant amount of precious resources — most of all, my time — banging my head up against a wall, trying to find a reasonable, credible, and agnostic MSSP solution to buy, and came up short in every instance.
It shouldn’t have been a surprise. The existing Managed Service Provider space is pretty widely acknowledged as terrible at worst and sub-par at best, whether due to substandard price/performance, poor service levels, or rampant technology lock-in.
“In the beginning I looked around and, not finding the automobile of my dreams, decided to build it myself.”
- Ferdinand Porsche
So I decided to do something about it.
Where does all this land? Why am I here? Time being a flat circle and all — I think we as an industry are collectively headed back to the early golden days of the emergent MSSP, back when the MSPs actually delivered quality at a fair price and significantly helped their customers improve their security program when the vast majority simply couldn’t do it themselves.
In short, I am betting that Security as a Service is going to be the future of our industry, at least for many (if not most) organizations. I believe the future is security products, integrated with the operators to operate them, in a model that’s actually achievable and consumable by your average organization that otherwise can’t find or retain the talent to drive them. And in turn letting the security teams that organizations can build focus on more interesting problems, like finding a way to enable the business to deliver innovation but still do so securely.
Several months ago, I left my second CISO position and moved from an advisory position to join the excellent executive team at Fishtech. There I’ve been laboring these past many months in stealth, trying to build the kind of solution I wanted to buy all along, but couldn’t.
What we have built is a Security-as-a-Service division for Fishtech, operating under the name of CYDERES (pronounced Sigh-Dare-Us, originating from CYber DEfense + RESponse).
CYDERES [CYDERES.com] is a human-led, machine driven Security-as-a-Service solution that provides exceptional people, robust process, and the right technology to detect threats and respond to security incidents in real-time.
Together, we have assembled a meaningfully kickass group of like-minded individuals — startup veterans, experienced SOC operators, security architects, threat hunters, incident responders, and cutting-edge security researchers. We have teamed up with senior experts in automation, DevOps, machine learning and data science. We are incubated as a division of Fishtech under the leadership and direct guidance of one of the most successful cyber security entrepreneurs of all time in Gary Fish.
We are driven towards a single goal: to build the sort of “next generation” Security as a Service solution I wanted to buy all along, but couldn’t. The kind of service we’d all be proud to deliver — and we’d want to recommend to our trusted friends and colleagues in the industry.
Our flagship offering is Security-as-a-Service (SECaaS) for Managed Detection and Response, that’s completely technology independent (“we don’t make the products you use, we make them better”) with support for on-prem, hybrid, or even cloud-only architectures.
We’re delivering a few closely aligned security-as-a-service solutions, primarily in Security Orchestration, Automation & Response (SOAR) and Security Incident Response, and we’re leveraging strong partnerships with a wide number of security vendors, many of whom needed better “last mile” solutions to help get their products off the shelves and actually producing meaningful value for customers — or other vendors who were being forced into becoming services companies, because no better alternative existed.
One more thing — we’ve also built the idea of a full reference architecture stack leveraging open source and/or very low cost security solutions with the idea that everyone deserves a serious security program regardless of budget. We believe you can have telemetry + threat detection + full packet capture + threat intelligence, even on a budget, and when combined with our automation / workflow / enrichment engine and people to power it all, you can actually move the needle on your information security program without breaking the bank.
Security is not a problem that can be solved, but it’s a journey you can undertake — and one you don’t have to make alone.
It’s cliche to say, but I truly believe we can make the security landscape better than it is today (I won’t go as far over the top to drop the “making the world a better place…” line) — by delivering legendary service at a fair price to organizations that need help.
CYDERES is expanding intelligently in every direction. We’re hiring analysts, architects, engineers, and every other sort of expert you’d expect. If you’d be interested in coming to help us build the kind of security service you’ve always wanted to see, one you can be proud to deliver and proud to recommend to your trusted friends and colleagues, this is your call to arms. Help us!
If you’re firmly planted on the other side of the table, you can help us. Vote with your dollar. Support the kind of change you want to see in the industry. Help us help you bring meaningful change to your organization’s security posture while you return to enhancing shareholder value.