When more is too much in security
“Growth creates complexity, which requires simplicity” – Mike Krzyzewski.
There is a common misconception that the more security tools you have, the better your organisation’s security posture. It’s no wonder, then, that enterprises average more than 70 security point products, and it shouldn’t come as any surprise that with every product added to the mix, complexity rises and efficiency decreases. While this may not be a huge problem for Fortune 100 companies, with their almost limitless security budgets, everybody else suffers.
One of the underlying issues driving complexity is that over time, organisations adopted a layered security strategy to protect themselves from the ever-changing threat landscape and the growing sophistication of attacks.
However, each layer consisted of several disjointed solutions, resulting in security researchers finding themselves becoming integration engineers, trying to connect all the dots. How do you collect and accurately correlate alerts and indicators from different sensors, filter them, normalise the data, screen for false positives, assess the relevance of the data to your needs, and more? How are multiple threat feeds ingested, prioritised and checked for false positives? How can you ensure everything works together for a security posture that is as close to perfect as possible?
You can’t. The proof is in what’s known as dwell time – most threat actors reside inside organisations’ networks for weeks (if not months) before launching their attack.
During this critical period of the attack, IT has many opportunities to detect, mitigate and even prevent an attack. While on the organisation’s network, the attackers collect passwords and ensure their persistence on the network using everything from tools that are already in the system, such as WMI or PowerShell (or what’s known as LOL, which stands for living off the land), to custom tools performing privilege escalation, lateral movement to identify crown jewels, preparing exfiltration tunnels, and much more, all while evading security controls.
This busts another old cyber security myth, which is, “the attackers have to be right just once, and the defenders have to be right all the time”. This myth is an oversimplification of what really happens during a breach. In fact, the exact opposite is true. The attackers have to be right at every step to achieve their goal, whereas IT has several potential choke points at which they could have detected, mitigated or prevented the attack. So why do defenders keep missing these alerts?
In many of these cases, all of the alerts were there but they were somehow missed. This begs the question – with every new tool added to an organisation’s security stack, are we adding fat or muscle to our security operations? Are we helping and empowering the security analyst to perform their job in a simple, streamlined manner, or are we adding yet another screen they will need to monitor in the hope of catching a signal or alert? Are we adding yet another integration project that will not only take ages, and even longer if some of the staff leave, but will also shift the focus of the team from security operations to integration and testing?
Threat actors have several advantages over the defenders – they have the initiative, they are far more agile, they adapt and change quickly, and more. However, a close look at many of the breaches revealed that they are still using the same tools and techniques – phishing, password cracking and vulnerability scanning. It is not the ‘what’ that they have changed, but the ‘how’.
The same should be applied to our defences – instead of continually trying to add new solutions and capabilities to our cyber defences, we have to be able to use the ones we already have in a simpler (but not simplistic), more comprehensive and more manageable way.
You know, when I served in the military, there was an old saying my commanding officer used to repeat: “If it won’t be simple, it simply won’t be.” It applies just as well to cyber security as it does to physical security.
Etay Maor is the senior director of security strategy at Cato Networks and an industry-recognised cyber security researcher. He previously held senior security positions at IntSights, IBM and RSA, and is an adjunct professor at Boston College. He is also part of the Call for Papers committees for the RSA Conference and QuBits Conference.