
Rick Gordon

Note To Vendors: CISOs Don't Want Your Analytical Tools

What they need are solutions that deliver prioritized recommendations and confidence in the analytical rigor behind those recommendations to take meaningful action.

In his March 20th Cyber Intelligencer, Anup Ghosh nailed it with his description of the failure of the security industry’s traditional ‘Prevent, Detect and Respond’ strategy. As Anup proposes, given the state of our collective failure, a move toward a strategy that is focused on Containment, Identification (of compromised assets and adversaries), and regaining Control of compromised networks is a more sound approach.

In his piece, Anup correctly indicts the purveyors of detection tools, who:

[have] only succeeded in producing prodigious alerts and data dumps that understaffed and over-worked security teams now have to wrestle with.

Few organizations have enough resources to sort through the volume of alerts their solutions provide and the terabytes of log data required to derive actionable insight at the speed and scale that is required.

As the industry and our customers move forward toward identification and control, information security capabilities will necessarily evolve away from emergency response and dispatch playbooks and toward more sophisticated analytical approaches. Unfortunately, given that the population of information security personnel with strong intelligence and analytical skills is about as abundant as Valyrian steel, if we don’t alter the way these tools are delivered, we are destined to fail again.

Of course, well-funded purveyors of analytical tools who have effective sales and marketing teams will be able to sell their expensive on-premise tools to large government information security organizations and the Fortune 100. But, given the volume of their data and the speed with which customers need to take action, they won’t be happy with their results.

Ironically, the good news for these vendors is that the rest of the market can’t afford to deploy their capabilities. How many non-Fortune 100 companies do you know who have advanced threat intelligence cells and big data log analysis infrastructures? So at least they won’t be angry and disappointed.

At the end of the day, I believe that even large company CISOs really don’t want to buy analytical tools. Rather, they simply want prioritized recommendations and enough confidence in the analytical rigor behind those recommendations to confidently take meaningful action.

To us and other venture capitalists who are funding cybersecurity startups, the winners are going to be companies with solutions that invert the analytical process – providing prioritized actions based on rigorous analysis and shared intelligence, and walking customers backwards through the analysis only if they care. Using machines versus people to triage massive volumes of intelligence based on relevance and risk to an organization is inevitable. Solutions that leverage more affordable As-a-Service delivery models that enjoy economies of scale for both computational resources (i.e., elasticity) and analytical human capital make the most sense.

At Mach37, we agree with Anup. We continue to prospect for and invest in solutions that will deliver affordable advanced intelligence and analytical capabilities to satisfy the growing need for identification and control. We believe these solutions will allow us to avoid the mistakes of the detection vendors, finally getting it right this time.

Rick Gordon is an expert on security technology, business strategy, and early-stage venture development. He currently serves as Managing Partner of Mach37, a cyber security market-centric accelerator developed by the Virginia Center for Innovative Technology. MACH37 ...

User Rank: Apprentice
5/4/2015 | 11:43:39 AM
What if the needle isn't there?
Rick, great article and spot on.  My issue with most of the Big Data Analytic solutions is their dependence on logs and alerts.  Malware and malicious insiders are becoming increasingly good at NOT generating log entries, and obfuscating their actions.  What this means is it doesn't matter how good a haystack puller you have, if the needles aren't there, you won't find anything.   We need solutions that detect malicious behaviors in real-time even when there are no log entries. 
User Rank: Apprentice
4/29/2015 | 10:33:55 AM
Could Not Agree More
You are spot on Sir.

I would add that containment security can no longer be an emergency response plan or have an utter absence from the IT security vocabulary.  I have been writing about containment for over two years, so it is great to find people that actually get it and care about it.

There are two types of containment approaches. 1) Spot or Surgical Containment, which is dependent on SIEM functionality to enable a containment action (note this approach is only as good as the data loaded in the SIEM).  2) Structural, which relies on physical or virtual end-to-end segmentation of the networks to eliminate shared routing and security elements that can be exploited for breach propagation.  Quite frankly both are required, and they are harmonious if implemented correctly.

When I was at Cybera we pioneered containment through virtual application networks (SDN WANs) and had implemented over 70,000 sites globally with companies like Shell, Verifone, ExxonMobil and Little Caesars.  I have yet to see a viable structural containment solution on the market besides Cybera's.

If you want to read more about containment security see my blog at containmentsecurity . net
User Rank: Apprentice
4/28/2015 | 8:32:27 PM
Let's not get lost in the semantics
Containment (post-initial compromise and prior to data exfiltration) is just about the only thing all of us should be focused on. Those that think they can Prevent attacks believe the hype from perimeter security solution vendors who are still selling security products built on top of constructs from the 1990s. There will be no silver bullet solution due to an ever expanding attack surface, the creativity of the attacker, and human IT services users that will always click on something, surf to a bad website and download malicious code.


Containment means we (finally) acknowledge that attackers know we all have the basic stuff at the perimeter, and what they want is to hack a human for credentials or have malware do it for them. In many organizations this is a fundamental disconnect. I don't think anyone can say that businesses have any real strategy for detecting attackers that leverage stolen valid user credentials.


The key is to be able to have a system that understands and learns what credential activities and access characteristics are normal for all of an organization's users, peel all that away and see what's left. This leads to the identification of compromised user accounts. With this visibility we can draw conclusions about what assets have been compromised before the data walks out the door. There were a few of these user behavior intelligence solutions on exhibit at RSA.
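The baseline-then-peel-away approach the commenter describes, as an added illustration that is not part of the comment or of any product it mentions: learn, per user, which source hosts, target assets and hours of day are normal over a training window, then report later events that fall outside that profile. The log lines, user names and host names are constructed for this example; a real deployment would feed it authentication logs from a directory service or VPN concentrator.

```python
"""Baseline-and-deviation check over authentication events.

Learns, per user, which source hosts, target assets and hours of day are
normal during a training window, then reports later events that fall
outside that baseline. All log lines below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed training sample: timestamp, user, source host, target asset.
TRAINING_EVENTS = [
    "2015-04-01T08:12:00 alice ws-alice fileserver01",
    "2015-04-01T09:30:00 alice ws-alice mail01",
    "2015-04-02T08:45:00 alice ws-alice fileserver01",
    "2015-04-02T17:05:00 alice ws-alice mail01",
    "2015-04-01T07:55:00 bob ws-bob crm01",
    "2015-04-02T08:10:00 bob ws-bob crm01",
    "2015-04-03T16:40:00 bob ws-bob fileserver01",
]

# Constructed later events, some of which deviate from the learned profile.
NEW_EVENTS = [
    "2015-04-10T08:20:00 alice ws-alice fileserver01",    # normal
    "2015-04-10T02:14:00 alice ws-alice fileserver01",    # unusual hour
    "2015-04-10T09:00:00 alice vpn-pool-17 fileserver01", # new source host
    "2015-04-10T09:05:00 bob ws-bob payroll01",           # new asset for bob
]


def parse(line):
    """Split one constructed log line into (timestamp, user, source, asset)."""
    ts, user, source, asset = line.split()
    return datetime.fromisoformat(ts), user, source, asset


def build_baseline(lines):
    """Per-user sets of observed source hosts, assets and hours of day."""
    profile = defaultdict(lambda: {"sources": set(), "assets": set(), "hours": set()})
    for line in lines:
        ts, user, source, asset = parse(line)
        p = profile[user]
        p["sources"].add(source)
        p["assets"].add(asset)
        p["hours"].add(ts.hour)
    return profile


def score_events(baseline, lines, hour_slack=1):
    """Return (line, [reasons]) for events that deviate from the user's baseline.

    A user never seen in training is reported as unknown rather than scored.
    hour_slack widens the normal-hours window by N hours either side, so a
    07:30 login is not flagged when 08:xx logins are the learned norm.
    """
    findings = []
    for line in lines:
        ts, user, source, asset = parse(line)
        if user not in baseline:
            findings.append((line, ["user not in baseline"]))
            continue
        p = baseline[user]
        reasons = []
        if source not in p["sources"]:
            reasons.append("new source host")
        if asset not in p["assets"]:
            reasons.append("new target asset")
        if not any(abs(ts.hour - h) <= hour_slack for h in p["hours"]):
            reasons.append("outside usual hours")
        if reasons:
            findings.append((line, reasons))
    return findings


def run():
    """Build the baseline from the training sample and score the new events."""
    return score_events(build_baseline(TRAINING_EVENTS), NEW_EVENTS)


if __name__ == "__main__":
    for line, reasons in run():
        print(line, "->", ", ".join(reasons))
```

The three flagged events are exactly the ones that carry a reason the analyst can act on (odd hour, unfamiliar source, first-time access to an asset), while the routine login produces no output at all, which is the "prioritized recommendation rather than a data dump" shape the article argues for. A production version would need a longer training window, per-day-of-week profiles and a way to age the baseline, but the peel-away logic is the same.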
User Rank: Ninja
4/28/2015 | 1:35:57 PM
Re: Spare Us the Sales Hype
When it comes down to it, any informed individual understands that there is no silver bullet. With these solutions, however, there needs to be a cost model for implementing security safeguards, and the value cannot outweigh business values such as revenue, etc. As much as we instill value into the business side of organizations, we need to acknowledge and understand their justifications as well. If business generation becomes unsustainable due to the cost of implemented solutions, then security will indefinitely take a step backwards as the business goes under. As stated, many smaller organizations do not have the financial backing to implement a comprehensive security solution, so they take the best-of-breed approach, which, although optimal, will not yield the best results.

Education is a huge need, as it's inexpensive and it's not as prevalent as it should be. This is a great point, as education can help alleviate some of the pitfalls from a light security blueprint.
User Rank: Apprentice
4/28/2015 | 12:56:08 PM
What's wrong with "Response"?

One could argue that "Containment, Identification and Control" are all part of "Response," or even take a more nuanced view and say that it's just an extension of Prevent-Detect-Respond.

IMHO, the issue isn't that Bruce Schneier's description of the process of security is wrong, it's simply that HOW we Prevent, Detect and Respond has evolved with better tools over the last 15 years (thanks, in part, to better vendor tools, an opposite conclusion to this article). One could argue Containment is a form of Prevention, such as through virtual segmentation and other layer 2-7 adaptive security measures not available 15 years ago. Identification is a form of Detection: while some companies may struggle with traditional SIEM-in-a-SOC approaches, there are many that have excellent SIEM deployments, including layering on machine learning anomaly detection, sandbox technologies, and data recording/analysis. Lastly, Control is just another part of Response, towards the tail end of the typical IR cycle.

I'd like to see a matrix of benefits of both approaches. I think the heavy overlap will show that there's nothing wrong with the original Process of Security. From Bruce in 2000: https://www.schneier.com/essays/archives/2000/04/the_process_of_secur.html

User Rank: Ninja
4/28/2015 | 12:23:24 PM
Spare Us the Sales Hype
In addition to methodology, the Security industry needs to be rid of the software outfits that are all hype.  As anyone who has sat in front of a pentesting GNU/Linux distro knows, no one tool does it all.  What you need are experienced programmers/hackers/techs who understand how to address each ecosystem and the context of potential or actual intrusion events, review the data, select the tools required for each situation/ecosystem/device, and implement an evolving strategy.  But unfortunately, many of those disillusioned business owners are also victims of sales hype, having purchased software solutions that don't offer an evolving strategy, don't offer people with experience, and claim or suggest they have "the" fix-all solution.  We need more education out there as to what Information Security is and how to do it properly.