Vendor: You do need this too!
Practitioner: Really? Ok, I’ll have that (tool) too.
Cyber security professionals have a unique reputation for being the “No, you can’t” department within an enterprise environment. The end user asks if they can do something, and security says “No, you can’t”. Of course, next time they are unlikely to come back asking; they will just do it, as Nike directs. That is a discussion point for another day rather than the purpose of this write-up.
If we are experts at saying NO (granted, a good security professional should be doing better than just saying “no”), then why don’t we apply the same practice when offered the next shiny tool?
The cyber security appliance, software, and service market is big and booming as many innovative solutions – that combat new threats – continue to make their debut on the market. New solutions will always be required because the security industry constantly reacts to evolutions in the threat landscape. However, practitioners should be doing a lot more to understand their specific exposure (or weakness) points prior to going to market in search of the appropriate tools to address control gaps or weaknesses. Let’s be honest: most of us have succumbed to the temptation of investing in a product we came across at a security conference or vendor event because it does very cool stuff, before establishing whether that cool stuff is both urgent and important. A security department that perpetually places little emphasis on understanding which cyber security risk will be mitigated by the technology product being considered for acquisition is simply accelerating to the bottom. I spoke about this topic at the American Petroleum Institute’s (API) cybersecurity conference last November – a myriad of technology products without a well-thought-out security strategy and roadmap is often detrimental to a cyber security program.
Security technology products, as critical to any security program as they are, will only ever address one of the three fundamental elements of such a program. The other two – people and process – are, at the very least, equally critical. In fact, my opinion has always been that the people component should be weighted higher than the other two elements because of the influence it has on them. For instance, the (right) practitioner determines which tool is best suited to address their cyber security needs. Similarly, s/he determines which processes need to be developed or improved to make the team more productive. When an organization gets the people element right, it will most certainly derive a great return on security investment (ROSI). The reverse is also true – get the people wrong, and you get a negative ROSI.
The question then arises: at what point do new security tools begin to negatively impact the effectiveness of our program? To answer this question, we need to know what “effective” looks like. A security department that pays little or no attention to metrics and reporting has zero chance of answering it. As Peter Drucker once said, “If you cannot measure it, you cannot improve it”. When a program is in its infancy, various security tools will be required to support its layered defense model. However, as the program matures, more energy and focus should be directed towards its processes rather than technology. Technology investments are usually a point-in-time activity, but processes typically outlive technology products. One invaluable process, for example, is the establishment of a metrics framework that helps a security department report the performance of its program in a meaningful, consistent and repeatable manner. Technology investment decisions should always be driven by data. As Edwards Deming famously said, “In God we trust, all others must bring data”: business leaders must always demand relevant information (such as performance metrics, a strategy document, or the output of a SWOT analysis) from their staff, and be satisfied that the proposed spending will mitigate the highest-priority risks before writing the check. Apart from guarding against financial recklessness, doing this forces the security leader to clearly understand his/her challenges and come up with a well-thought-out solution before submitting a request for investment.
Every security program will experience different inflection points during its lifetime (hopefully, every program lives as long as the organization continues to exist!). However, an inflection point can be either positive or negative. As far as technology investments are concerned, a positive inflection point occurs when the addition of a new security product results in enhanced security capability. This will always be the case where proper planning (e.g., strategy and roadmap, threat modeling, requirements analysis, and so forth) has been undertaken prior to the investment being made. In this scenario, the team knows precisely what technology investment is required to move its program to the next level, rather than succumbing to sales calls or a vendor’s persuasion. A good example of a positive inflection point on the back of investment in new technology is where a team decides to augment its traditional Anti-Virus (AV) solution with a Next Generation Endpoint Security (NGES) solution that offers enhanced malware prevention capability. Unlike a traditional AV solution, which relies on a pre-determined pattern of behavior to thwart a threat, NGES combats advanced threats and next-generation attacks such as memory-based, PowerShell, script-based, and obfuscated malware.
Conversely, a negative inflection point occurs when additional technology products are acquired before the team has fully figured out the path to its next maturity stage, and hence the rationale behind such an acquisition. If technology products are acquired mainly because “this is what defense-in-depth or a regulatory mandate dictates”, then the security program itself is under threat. As security professionals, we really should be getting the best out of our existing technologies before thinking of making additional investments. The only exception, of course, is where zero technology capability currently exists in a particular security domain (e.g., data security or cloud security).
On the process side of the house, when assessing the effectiveness of security programs, there are several useful models and frameworks out there that can be leveraged to determine what security investments are really required. A good example is Lockheed Martin’s cyber kill chain model, which lays out the stages through which a cyber attack must progress before the attacker’s mission is accomplished. This model, though it has its critics, has been found by many professionals to be very useful in developing countermeasures against cyber threats. In fact, some vendors have developed their products around the kill chain model and typically show potential customers how (and where) they break the chain.
Taking a step back to think through (and provide answers to) the following questions before considering any technology solution is a great first step in itself.
- What cyber threats are we trying to combat?
- How effective are the countermeasures being considered?
- What is the value proposition to our business?
The above list of questions is by no means exhaustive, though.
Another model that is fast gaining recognition amongst security professionals is the Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) model.
This piggybacks on the cyber kill chain model to characterize the activities of an adversary after stage 4 (post-compromise) of the cyber kill chain. Critics of this model may call it defeatist, given that it is only useful once a compromise has occurred. However, for me this is a pretty pragmatic framework that accepts a cyber security breach as the third certainty besides death and taxes. With this in mind, the framework helps an enterprise defender fulfill one of his/her primary missions (according to Dr Eric Cole at the SANS Institute), which is: prevention is ideal, but detection is a must. This is a key tenet that every security professional must always remember.
The good guys at MITRE put a lot of thought into this model by breaking it down into 10 tactics and 127 techniques that an adversary may adopt after compromising an organization’s computer system or network. This model is highly recommended for enterprise defenders aiming to enhance their host and network security capabilities.
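The kill chain stages and the three questions above can be turned into a small, repeatable piece of "data" of the kind Deming would ask for. The script below is an added example, not the author's method and not tooling from Lockheed Martin or MITRE: it scores an existing control inventory against each kill chain stage, lists the stages with zero capability (the one case where buying something new needs no further justification), and ranks candidate purchases by how much coverage they add on top of what is already owned, so a tool that merely duplicates an existing control scores low. The control names and effectiveness scores are constructed for illustration, and the assumption that independent controls combine as 1 - prod(1 - e_i) is a modelling choice, not something the post prescribes.

```python
"""Kill-chain gap analysis and marginal-gain ranking of candidate security tools.

Added example. The inventory, candidates and effectiveness scores below are
constructed; in practice they would come from a control assessment or SWOT.
"""
from __future__ import annotations

from dataclasses import dataclass

# Lockheed Martin cyber kill chain stages, in attack order.
KILL_CHAIN = (
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
)


@dataclass
class Control:
    name: str
    # stage -> estimated effectiveness in [0, 1] (assumed, assessment output)
    coverage: dict[str, float]


def stage_coverage(controls: list[Control]) -> dict[str, float]:
    """Per-stage coverage, treating controls as independent layers:
    the chance a threat slips every layer is prod(1 - e_i)."""
    result = {}
    for stage in KILL_CHAIN:
        miss = 1.0
        for control in controls:
            miss *= 1.0 - control.coverage.get(stage, 0.0)
        result[stage] = round(1.0 - miss, 3)
    return result


def uncovered_stages(controls: list[Control]) -> list[str]:
    """Stages where no capability exists at all (the post's one exception)."""
    cov = stage_coverage(controls)
    return [stage for stage in KILL_CHAIN if cov[stage] == 0.0]


def marginal_gain(existing: list[Control], candidate: Control) -> float:
    """Total coverage added across all stages by buying `candidate`."""
    before = stage_coverage(existing)
    after = stage_coverage(existing + [candidate])
    return round(sum(after[s] - before[s] for s in KILL_CHAIN), 3)


def rank_candidates(existing: list[Control],
                    candidates: list[Control]) -> list[tuple[float, str]]:
    """Candidates sorted by marginal gain, highest first (name breaks ties)."""
    scored = [(marginal_gain(existing, c), c.name) for c in candidates]
    return sorted(scored, key=lambda t: (-t[0], t[1]))


# Constructed inventory of what the team already owns.
EXISTING = [
    Control("Email gateway", {"Delivery": 0.7}),
    Control("Traditional AV", {"Exploitation": 0.2, "Installation": 0.5}),
    Control("Web proxy", {"Delivery": 0.4, "Command and Control": 0.5}),
]

# Constructed candidates a vendor might pitch.
CANDIDATES = [
    Control("Second email gateway", {"Delivery": 0.7}),          # duplicates coverage
    Control("NGES", {"Exploitation": 0.6, "Installation": 0.7}),  # the post's AV-to-NGES case
    Control("DLP", {"Actions on Objectives": 0.6}),              # fills an empty stage
]

if __name__ == "__main__":
    for stage, score in stage_coverage(EXISTING).items():
        print(f"{stage:<22} {score:.2f}")
    print("No capability at:", ", ".join(uncovered_stages(EXISTING)))
    for gain, name in rank_candidates(EXISTING, CANDIDATES):
        print(f"{name:<22} adds {gain:.3f}")
```

With the constructed numbers, Reconnaissance, Weaponization and Actions on Objectives have no capability at all, NGES ranks first because it lifts two weak stages, DLP second because it fills an empty stage, and the second email gateway last because Delivery is already the best-covered stage. The scores are only as good as the assessment behind them, which is precisely the point: the assessment has to exist before the purchase order does.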
In conclusion – and at the risk of stating the obvious – enterprise defenders should always apply the people, process, and technology elements of their program in equal measure to derive countermeasures against cyber threats. Tilting the balance in favor of the technology element results in unnecessary spending that ultimately affects the bottom line whilst worsening the organization’s cyber risk posture. When it comes to security technology investments, more does not always equal better.