Can Security Beat the Well-Armed Adversary?

Mahmoud Mounir, Regional Director at Secureworks META, explains that as information security evolves fast and adversaries are armed to the teeth, organisations need to develop more comprehensive strategies to tackle the rising tide of security risks and be better prepared to beat the adversaries.

To combat threats in today’s environment, organisations must understand that from tools to tactics, the security game is changing.

There is an adage in the information security profession that loosely states a security team must be right every time while a threat actor just needs to be right once. The odds are unfairly stacked against organisations fighting to protect their brand, their clients and their employees’ livelihood.

Organisations are continuously bombarded by a changing threat landscape and evolving adversary tactics. An organisation’s attack surface shifts – and even expands – as quickly as the business itself changes direction, yet security budgets often remain stagnant at best. Ambiguous and frequently contradictory viewpoints in the security industry confuse and frustrate organisations about what ‘right’ looks like as they defend their networks. Even worse, the industry perpetuates an unrealistic notion that organisations can protect their environments 100% of the time. In theory that sounds like an ideal goal, but in reality, it sets organisations up for failure.

Secureworks Chief Threat Intelligence Officer Barry Hensley is often heard reminding security teams: “You cannot secure a network, but you can defend one.” Technologies and tactics are improving, providing more visibility and context, but organisations still struggle to rapidly take risk-reducing actions with confidence.

More Noise Doesn’t Guarantee More Signal
Consider this common scenario, which plays out at organisations around the world every day. Company X spends $3M USD on SIEM licensing annually and an additional $8M annually on staff, tools and other security licensing. They realise after installing the SIEM that the out-of-the-box use cases provided are not applicable or do not work in their environment, requiring them to figure out how to apply intelligence about the threat landscape to their environment. Alert fatigue and false positive rates become overwhelming and unmanageable, so they start turning down logging levels and disabling signatures. Now, to get value from their investment, they decide to add external intelligence to make the tool smarter and increase efficacy. This drives the costs up even further. But threat intelligence still doesn’t solve the ineffectiveness of their tool’s use cases, so the organisation opts for added professional services from their SIEM provider to help solve the problem that the tool inadvertently helped to create in the first place.

Though SIEMs can be tremendous security assets, return on investment can be disappointing without the proper context and threat knowledge. Costs continue to stack up as security leaders realise that existing controls are being bypassed by the latest adversary tactics. Increases in licensing costs drive up budget, leading to what can easily become a $20 million annual budget request. Meanwhile, risk hasn’t been measurably reduced, and the strain on staff results in turnover, reducing the level of business knowledge and environment expertise on the security team.

“Starve Your Distractions. Feed Your Focus.”
The security industry and organisations alike are failing – online criminals outnumber ethical hackers, are better funded and can evade many security defenses by making the smallest tactical changes. In every industry, across the globe, one of the most chronic cybersecurity health epidemics is the irrational manner in which security controls are applied to organisational environments. When layer after layer of disparate tools is implemented in an effort to react to the latest risk factor, environments become noisy and complex. Difficult to manage and sometimes incompatible, those layers become riddled with gaps caused by uncoordinated technology, people and processes.

As a result, risk reduction reaches a point of diminishing returns, meaning that adding another control to the environment does not reduce risk to a level which justifies the spend. Many organisations also often fail to widen their framing of the threat landscape and understand how quickly it changes – it’s a struggle for many to understand how fast adversaries change tactics, which is critical to defending against them. Instead, they react to trends in their vertical or get distracted by emerging threat topics that may or may not be relevant to the organisation’s unique risk profile. Keep in mind there is nothing inherently wrong with information sharing across your networks and keeping up with trends that could impact your organisation, but tactics should be contextualized by how they fit into your overall security program, your own evolving threat landscape and what is likely to reduce the most risk.

The Reality of Game-Changing Conditions
Organisations are the masters of their business and environment, but most struggle to keep pace with an ever-evolving threat landscape, despite investment in tools and talent. The bottom line is that for most organisations, the investment needed to build out an effective internal security program is allocated to business units that more directly contribute to business growth. And when you think about it, why wouldn’t you want to focus on what makes your business money? But to best defend your organisation, you must prioritise not only security tools but also the context – both security and business context – needed for those tools to help you reduce risk without stifling innovation. And the security industry itself must innovate faster and with more confidence to provide that context. Security technologies have improved but have yet to reach their full potential of providing more intuitive, responsive and integrated solutions. The game is changing and only by working together can we make it harder for the bad guys to score.