
Do You Value Time or Knowledge? Change the Discussion

Posted by Tom Bain   |   February 26, 2016

As we head into the final stretch before RSA, CounterTack, like most cybersecurity organizations, is realizing how critical every day, every hour and every minute is, relative to the work we are doing for our customers in protecting their IT infrastructure.

And as each vendor, enterprise organization, partner and investor gets ready for five days of meetings, presentations, job interviews and cocktails, RSA is typically the platform for numerous announcements and cybersecurity advancements. 

One thing the industry should be looking at around this conference is conceding some level of victory to attackers. Yes. Concede a little. This is the conversation that needs to happen while there's the biggest collection of cybersecurity industry types in one location. Let me explain.

I base this statement on what we are hearing, which is causing breach fatigue amongst all who are part of this industry. What we continue to hear is the narrative of 'whodunit.' It's tiresome. And it's not practical. It doesn't really help an organization. And often, it's a law enforcement issue really.

Conceding in this manner doesn't mean giving in. From my perspective, it's about understanding the most important information as quickly as possible about something potentially bad that is going to happen, that will happen or that has happened within your IT framework, that you need to manage.

Conceding in this manner also speaks to how frequently we hear about who has perpetrated an attack that has led to a breach of data. After all, that is when we hear about it in our newsfeeds - when it's a breach disclosure. It's not really news if an organization is thwarting hundreds or even thousands of security incidents and preventing them from becoming a 'breach.' What fun would that be? Victories over attackers probably happen more than we know, or so we hope as an industry.

Conceding is really about letting go of the 'whodunit' approach when it's learned a breach may have transpired. It's hard to do when so many reports and in-depth articles rely on forensic investigations that take months to research, verify data and publish - and they mostly focus on following paths to attribute the breach.

Conceding, as I'm describing it, is all about removing the barriers of classical security practices in identifying which criminal group or even state could be responsible as the MAIN COMPONENT of any first-level reference to a particular breach.

After all, for every customer or potential customer you speak with, certainly as a cybersecurity vendor of some sort of software, hardware, service or framework you are shilling to the market, what is the number one priority you are hearing that they want to accomplish through their cybersecurity program? 

Is it hunting attackers? Is identifying geo-specific characteristics important, say, if I know I am leveraging a security tool that enables me to see that data exfiltration is happening as we speak, or has just recently happened, say, 30 minutes ago, an hour ago, or the day prior?

In many ways, for the enterprise, it's not really that different from what consumers face when, for example, they have their credit cards breached. Do I really care if I can see the name of the perpetrator who hacked my account? Sometimes, you can see who's done it.

The point is, do I dwell on that fact for more than a minute, or do I take corrective action as quickly as possible to report fraudulent activity, freeze the account if necessary, cancel current cards, or if it's a bank savings or brokerage account, close out the account and open an entirely new one?

This brings an essential argument to this issue - which is, do I focus on time or on who has attacked me? Cutting attacker dwell time is one thing - you never want attackers inside your organization's walls. But they're likely there in some form.

That said, relative to time, knowing what they are actually doing, behaviorally, is where you ultimately prioritize time over who. That is the fundamental reason detection exists. You want to stop what an attacker is doing. You want to prevent further infiltration and lateral movement to other machines, which helps cut time to mitigation. It's also cutting the time to be able to respond effectively to ease the damage inflicted - it's NOT about who did it at that point. This is critical.

In fact, like a consumer, as a security lead, you don't really care who hacked you. You just don't want to lose any more money, you want to feel as if you are making good on your role to protect the organization, and you want to remain employed.

(CounterTack and Ponemon Institute published a study in 2015 on the trends and impacts associated with nation state attacks. It is still very much important.) 

So what is it about time that matters within this argument?

Time is not on the defender's side, and generally speaking it's not on the industry's side. And time is often unkind to end-users, security consultants, and most of all, members of critical security teams when they carry a massive load in being responsible for safeguarding data, complying with key industry standards, and understanding how to navigate their threatscape effectively to achieve a great percentage of wins against those who attack them.

Time, again, is critical to be able to most effectively detect and respond to attacks, uncover behaviors that could place the organization in a more susceptible position to exploits and to prioritize the security incidents accurately based on intelligence around the threats.

Understanding the demographic make-up of a group perpetrating an attack HAS merit, in fact it has a wealth of merit. Particularly as teams monitor different types of attacks, over time, when it's clear specific types of IOCs are present and part of a broader campaign. But it's not just understanding who it is - if you know historically who's targeting you, perhaps as a security analyst, you know what those techniques consist of.

But the game changes when an attack launched pushes through the attack lifecycle and becomes a full-scale breach. That is when the rush to determine who becomes the conversation, the story. And it's when it becomes too late, because by the time it's reasonably determined, it's too late to go back. So who carried this out doesn't really matter relative to that attack, only intelligence going forward for contingent security planning.

There it is - a call for changing the discussion. Do you value time or do you value knowing who attacks you? The largest collective group of security professionals is congregating soon. I think security practitioners need to prioritize time above anything to continue to push, and foster innovation in the midst of this battle.

Topics: cybersecurity, Next-gen endpoint security, cyber attacks, attack dwell time
