There is an adage in the information security profession that loosely states a security team must be right every time while a threat actor just needs to be right once. The odds are unfairly stacked against organizations fighting to protect their brand, their clients and their employees' livelihood.
Organizations are continuously bombarded by a changing threat landscape and evolving adversary tactics. An organization's attack surface shifts, and even expands, as quickly as the business itself changes direction, yet security budgets often remain stagnant at best. Ambiguous and often contradictory viewpoints in the security industry confuse and frustrate organizations about what "right" looks like as they defend their networks. Even worse, the industry perpetuates the unrealistic notion that organizations can protect their environments 100% of the time. In theory that sounds like an ideal goal, but in reality it sets organizations up for failure. Secureworks® Chief Threat Intelligence Officer Barry Hensley is often heard reminding security teams: "You cannot secure a network, but you can defend one." Technologies and tactics are improving, providing more visibility and context, but organizations still struggle to rapidly take risk-reducing actions with confidence.
More Noise Doesn't Guarantee More Signal
Consider this common scenario, which plays out at organizations around the world every day. Company X spends $3M USD on SIEM licensing annually and an additional $8M USD annually on staff, tools and other security licensing. After installing the SIEM, they realize that the out-of-the-box use cases are not applicable or do not work in their environment, so they must figure out how to apply intelligence about the threat landscape to their environment themselves. Alert fatigue and false positive rates become overwhelming and unmanageable, so they start turning down logging levels and disabling signatures. Now, to get value from their investment, they decide to add external intelligence to make the tool smarter and increase its efficacy. This drives the costs up even further. But threat intelligence still doesn't solve the ineffectiveness of the tool's use cases, so the organization opts for added professional services from its SIEM provider to help solve the problem that the tool inadvertently helped to create in the first place.
Though SIEMs can be tremendous security assets, return on investment can be disappointing without the proper context and threat knowledge. Costs continue to stack up as security leaders realize that existing controls are being bypassed by the latest adversary tactics. Increases in licensing costs drive up budget, leading to what can easily become a $20M USD annual budget request. Meanwhile, risk hasn't been measurably reduced, and the strain on staff results in turnover, reducing the level of business knowledge and environment expertise on the security team.
"Starve Your Distractions. Feed Your Focus."
The security industry and organizations alike are failing: online criminals outnumber ethical hackers, are better funded and can evade many security defenses by making the smallest tactical changes. In every industry, across the globe, one of the most chronic cybersecurity health epidemics is the irrational manner in which security controls are applied to organizational environments. When layer after layer of disparate tools is implemented in an effort to react to the latest risk factor, environments become noisy and complex. Difficult to manage and sometimes incompatible, those layers become riddled with gaps caused by uncoordinated technology, people and processes. As a result, risk reduction reaches a point of diminishing returns, meaning that adding another control to the environment does not reduce risk to a level that justifies the spend. Many organizations also fail to widen their framing of the threat landscape and to understand how quickly it changes; it is a struggle for many to grasp how fast adversaries change tactics, which is critical to defending against them. Instead, they react to trends in their vertical or get distracted by emerging threat topics that may or may not be relevant to the organization's unique risk profile. Keep in mind there is nothing inherently wrong with sharing information across your networks and keeping up with trends that could impact your organization, but tactics should be contextualized by how they fit into your overall security program, your own evolving threat landscape and what is likely to reduce the most risk.
The Reality of Game-Changing Conditions
Organizations are the masters of their business and environment, but most struggle to keep pace with an ever-evolving threat landscape, despite investment in tools and talent. The bottom line is that for most organizations, the investment needed to build out an effective internal security program is allocated instead to business units that more directly contribute to business growth. And when you think about it, why wouldn't you want to focus on what makes your business money? But to best defend the organization, companies must prioritize not only security tools but also the context, both security and business context, needed for those tools to help reduce risk without stifling innovation. And the security industry itself must innovate faster and with more confidence to provide that context. Security technologies have improved but have yet to reach their full potential of providing more intuitive, responsive and integrated solutions. The game is changing, and only by working together can we make it harder for the bad guys to score.