In his March 20th Cyber Intelligencer, Anup Ghosh nailed it with his description of the failure of the security industry’s traditional ‘Prevent, Detect and Respond’ strategy. As Anup proposes, given the state of our collective failure, a move toward a strategy that is focused on Containment, Identification (of compromised assets and adversaries), and regaining Control of compromised networks is a more sound approach.
In his piece, Anup correctly indicts the purveyors of detection tools, who:
[have] only succeeded in producing prodigious alerts and data dumps that understaffed and over-worked security teams now have to wrestle with.
Few organizations have enough resources to sort through the volume of alerts their solutions provide and the terabytes of log data required to derive actionable insight at the speed and scale that is required.
As the industry and our customers move forward toward identification and control, information security capabilities will necessarily evolve away from emergency response and dispatch playbooks and toward more sophisticated analytical approaches. Unfortunately, given that the population of information security personnel with strong intelligence and analytical skills is about as abundant as Valyrian steel, if we don’t alter the way these tools are delivered, we are destined to fail again.
Of course, well-funded purveyors of analytical tools who have effective sales and marketing teams will be able to sell their expensive on-premises tools to large government information security organizations and the Fortune 100. But, given the volume of their data and the speed with which customers need to take action, those customers won’t be happy with their results.
Ironically, the good news for these vendors is that the rest of the market can’t afford to deploy their capabilities. How many non-Fortune 100 companies do you know who have advanced threat intelligence cells and big data log analysis infrastructures? So at least they won’t be angry and disappointed.
At the end of the day, I believe that even large company CISOs really don’t want to buy analytical tools. Rather, they simply want prioritized recommendations and enough confidence in the analytical rigor behind those recommendations to confidently take meaningful action.
To us and other venture capitalists who are funding cybersecurity startups, the winners are going to be companies with solutions that invert the analytical process – providing prioritized actions based on rigorous analysis and shared intelligence, and walking customers backwards through the analysis only if they care to see it. Using machines rather than people to triage massive volumes of intelligence based on relevance and risk to an organization is inevitable. Solutions that leverage more affordable As-a-Service delivery models, which enjoy economies of scale for both computational resources (i.e., elasticity) and analytical human capital, make the most sense.
At Mach37, we agree with Anup. We continue to prospect for and invest in solutions that will deliver affordable advanced intelligence and analytical capabilities to satisfy the growing need for identification and control. We believe these solutions will allow us to avoid the mistakes of the detection vendors, finally getting it right this time.