For those who don’t know, we have three P’s in cybersecurity: people, platform, and process. Invariably, the first step companies take towards securing their organization is investing in platform (technology): anti-virus, usually followed by a firewall. Then, once they grow to a size where they “feel like” they have something “worth protecting”, they come to a juncture – do we hire a dedicated security person and give the IT folks some relief so they can return their focus to delivering business outcomes? Do we invest in an intrusion prevention system? A SIEM? Breach insurance?
What many decision makers fail to realize is the necessity of rigorous processes, whatever “solution” they choose. Given the direction of the industry (towards detection and response), and the uptick we have seen in the adoption of our service, I think that this is changing; forward-thinking companies are finally realizing that the problem is lack of process. And not the lack of a disclosure process, or of writing things on paper and locking them in file cabinets only to pull them out when someone asks if there was a process. I’m talking about the routine: what are your IT security processes every day? What are you monitoring, and how does that prevent or discover breaches?
Let me push you along the adoption curve by dispelling the fallacies about security and defining and prescribing a process-centric approach.
The Technology Trap
This doesn’t just happen in small to medium-sized enterprises, where familiarity with threats/attacks can be low – big consulting firms will implement plans for enterprise clients that involve hiring teams of people and buying a bunch of point solutions. When it comes to process, you’re left to figure it out on your own.
We would all love to “just buy a solution” or “just hire a person” to solve this problem and mitigate this looming risk. Unfortunately, it’s a fallacy – buying a SIEM and hiring a specialist/analyst/admin to use it is insufficient. It’s not enough to prevent breaches from happening, nor to detect them when they do occur… and, with the false positives they yield, certainly not enough to respond to them.
Why is Security Different?
The shocking part about all of this is that for most other business units that have been tasked with doing more with less, process is the focus: how can I change what I’m doing to yield a greater result from the same input? Or from even less? The difference is that with cybersecurity, the “greater result” is the absence of a negative rather than more of a positive, so it can be more difficult to quantify your results – are we experiencing fewer breaches because our AV and firewall are enough? Are we simply not being targeted? Or are we not detecting them when they happen?
That all changes with Threat Hunting. Once we redefine our goal from “don’t get hacked” to “investigate the indicators of compromise” or “hunt the threats” or “remediate the vulnerabilities” – we come to see that those same process changes are required to achieve our goals (or at least the leading indicators of them). Buying firewalls, collecting logs, and hiring an analyst won’t do anything on their own. A continuous process of looking for threats and vulnerabilities before they become breaches: that’s what’s missing.
Yet, I’ve never met a resource in a company that does this: it’s too expensive. I’ve never seen a job description like this. Many companies will not even be thinking about this post-breach. Experience tells me they will seek out a large consultancy and pay for a “plan” which includes buying and hiring a bunch of resources that will defend their position when they get hacked next. And if their process doesn’t change, they will be breached again…
…Unless I can get the message across: breaches aren’t stopped by firewalls or AV or a SOC. Breaches are stopped by looking for them, and by closing the holes that become them, over and over again. Rigorous, routine, process. That’s what we do at ActZero every day. Ask for a Demo so you can see our process in action via our people, on our proprietary platform.