Soldiers in combat over the last century rapidly grow accustomed to the distant cacophony of artillery and bombs. Some even get desensitized to nearby explosions. How many of us react with shock and horror at a data breach headline? Few do. We all hear them rumbling in the distance all the time.
Look at all of the familiar names in this list of recent casualties: Sears, Kmart, Best Buy, Saks Fifth Ave, Lord & Taylor, Whole Foods, JCPenney, Walmart, Panera Bread, Sonic, Arby’s, Applebee’s, Coca-Cola, Delta Airlines, Under Armour, Orbitz, Atlantic City, Equifax, Yahoo, SunTrust Banks, Blue Shield of California, Western Union, Boeing, CareFirst BlueCross BlueShield, and Bed Bath & Beyond.
I doubt any of these are first-timers. Each has probably increased its cybersecurity budget each year for many years. Look at Bank of America and J.P. Morgan Chase. Each will spend around $500 million on cybersecurity in 2018. They are not alone. The FY 2019 Budget requested by the White House includes $15 billion for cybersecurity-related activities for the Federal government, a $583.4 million (4.1 percent) increase over FY 2018. Gartner’s “Survey Analysis: Trends in End-User Security Spending, 2018” estimates that 2018 cyber budgets for 73% of enterprises will experience an average 21% increase over 2017.
Why Spending More Yields Less: The Whole Costs More than the Sum of its Parts
Intuitively, you see examples of this everywhere. No doubt you’re familiar with small firms out-innovating very large ones. Perhaps you know of examples where small teams of people have developed far better widgets in much less time than far larger teams. The fundamental problem is that people seldom excel within complex workflows.
None are more complex, and more chaotic, than those in cybersecurity. The threatscape constantly changes. So do the cyber defenders’ tools and practices. Worse, most defenders spend much of their time reacting to crises or other urgent matters.
Sadly, it might surprise many to read here that this fundamental people problem has always been the natural, opposing boundary condition to the grand ole ‘defense in depth’ theorem. Each additional layer or element of defense must be configured, monitored and maintained by people, so those many layers inevitably reap diminishing returns.
Matters have worsened in recent years. The enterprise lost patience with frequent compromises at the endpoints due to ineffective software-based protection. Most organizations have lunged into a ‘detect and react’ posture. Endpoint Detection and Response (EDR) is the most conspicuous poster child for this. But the bulk of it exists in the form of security analytics tools and teams. IBM/Ponemon summed it up nicely: ‘Enterprise detect and escalate costs of 2017 were nearly double those of 2015’. This resonates with an ESG survey finding that 72 percent of cybersecurity and IT professionals believe cybersecurity analytics and operations is more difficult in 2017 than in 2015.
Before looking deeper into the cost factors of security analytics, I’d like to draw attention to what I didn’t find in an analyst report concerning business processes that CISOs must master. It featured many familiar topics but did not delve into what I consider the greatest imperative: the business process that ties everything into a cohesive, simple, proficient workflow. Despite all of the technologies, cybersecurity is ultimately a people problem. And that is why the whole usually costs more than the sum of its parts.
Security Analytics Will do More for Less, But Why Didn’t It?
There are three reasons why security analytics is making things darker before the dawn. Bear in mind, we’re talking about the ‘Detect and React’ posture that has become prevalent. The first reason is that there are too many disparate detect tools. ESG found that 70% of enterprise respondents say they deal with between 10 and 50 security technologies and services in their security analytics and operations. Along these lines, 84% said their analytics approaches have been siloed. The second reason is that ‘react’ has been too separate from ‘detect’. In other words, too much of ‘detect’ is followed by manual investigation and remediation. The responses to their survey question exploring the challenges of security analytics and operations overwhelmingly point to this. The most cited challenge was total cost of operations (30%). This was followed by 27% of respondents asserting that their infosec team spends most of its time reacting to incidents. The third ranked issue (23%) cited by respondents was that remediating security incidents took too long. These all point back to poor integration between ‘detect’ and ‘react’.
I’ve not forgotten the third reason that security analytics and operations driving ‘detect and react’ is problematic. There are either too few people, or those available are under-skilled. Ironically, 80 percent of the respondents, which represent organizations looking to do more with automation, are growing their staff size to do so. And 81 percent of them say that doing so is hard, which merely echoes what we’ve all heard elsewhere.
I should mention the fourth ranked challenge by respondents. It kind of spans all three of the reasons mentioned earlier. About 21 percent of the respondents cited operationalizing threat intelligence as one of the great challenges. It seems to me that too few people cite my rationale for the value of threat intelligence. It’s simple: no organization has a big enough budget for mitigating all possible risks. Threat intelligence enables an organization to allocate its limited resources toward those mitigations most likely to be useful. Those that only see threat intelligence as feeds for malicious URLs, domains, and other things to blacklist may be throwing good money after bad.
Security Orchestration, Automation, and Response (SOAR): Don’t Let the Promise Blind You to the Past
The enterprise has been dreaming of an all-encompassing architectural fabric for all business processes for decades. In cybersecurity, the SIEM was supposed to be the data warehouse that captured and transformed data from all sources with business intelligence features that gleaned actionable insights fused from disparate pieces of data. We still have a long way to go. Even so, that is ONLY half of ‘Detect and React’. In theory SOAR should integrate the two. And the enterprise cybersecurity cost curve would finally flip downward. Right?
Well, those that fail to learn from the past are doomed to repeat it. The most important thing to recall from the past is ‘change’. It is the only constant in enterprise IT. All of our choices MUST account for ‘change’. And ‘change’ comes in unexpected ways. Last year, I spoke with several analysts that had interviewed many customers of McAfee’s endpoint protection platform. Many of them were stuck with version 8.8 because they could not upgrade to version 10.5 or later. They had invested much effort into ePO integrations, which might be regarded as a limited prequel to SOAR. Apparently, all of them would have had to be redone to upgrade to 10.5 and later. Granted, this ePO matter was just a microcosm compared to SOAR. Still, it should serve as a reminder to all organizations that ‘change’ can wreck any ‘promise’.
‘Change’ is far more nuanced and insidious than this ePO example implies. Think of all the tools that employ metadata, and all of the headaches that occur when a simple metadata term splits into several new ones. Now consider the vast diversity of the different ‘detect’ and ‘react’ topics. As for machine learning enhanced SOAR, never forget that the Achilles’ heel of any form of machine learning is ‘change’. Seemingly insignificant changes break machine learning models.
Any move toward SOAR ought to be accompanied by an extensive list of use-cases centered on potential changes. SOAR candidates should be measured by their adaptiveness to these changes.
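The metadata-split problem above is easy to reproduce in miniature. The following is an added example, not code from the original post or from any SOAR product: the two event shapes, field names and playbook actions are constructed. A playbook written directly against a tool’s v1 field names silently misroutes (or crashes on) events once an upgrade splits ‘severity’ into a numeric score plus a separate ‘confidence’; a versioned normalization layer in front of the playbook absorbs the change, and sends any schema it does not recognize to a human review queue instead of dropping it.

```python
"""Normalizing tool events before they reach a SOAR-style playbook.

Added illustration: the event shapes, field names and playbook actions are
constructed to show how a field that splits into several new ones breaks a
playbook keyed on the old field, and how a versioned normalization layer
absorbs that change.
"""
from dataclasses import dataclass
from typing import Any, Dict, Optional

# Constructed sample events. "v1" is the shape the integration was written
# against; "v2" models a tool upgrade that splits the single 'severity'
# string into a numeric 'severity' plus a separate 'confidence'; "unknown"
# is a future shape nobody has written a mapping for yet.
EVENT_V1 = {"schema": 1, "host": "ws-17", "severity": "high", "hash": "<constructed>"}
EVENT_V2 = {"schema": 2, "host": "ws-17", "severity": 8, "confidence": 0.4, "hash": "<constructed>"}
EVENT_UNKNOWN = {"schema": 3, "host": "ws-17", "risk": {"score": 80}}


@dataclass(frozen=True)
class Alert:
    """Canonical shape the playbook is written against, independent of any tool."""
    host: str
    priority: str       # "low" | "medium" | "high"
    confidence: float   # 0.0 .. 1.0


def naive_route(event: Dict[str, Any]) -> str:
    """Playbook written directly against the v1 field names.

    On a v2 event 'severity' is now the integer 8, so the comparison with the
    string "high" is False and a critical event quietly lands in the ticket
    queue. On an unknown schema the missing key raises KeyError instead.
    """
    if event["severity"] == "high":
        return "isolate_host"
    return "ticket"


def normalize(event: Dict[str, Any]) -> Optional[Alert]:
    """Map each known schema version to the canonical Alert; None if unknown."""
    schema = event.get("schema")
    if schema == 1:
        # v1 carried no confidence at all; treat a named severity as fully confident.
        return Alert(event["host"], event["severity"], 1.0)
    if schema == 2:
        score = int(event["severity"])
        priority = "high" if score >= 7 else "medium" if score >= 4 else "low"
        return Alert(event["host"], priority, float(event["confidence"]))
    return None


def route(event: Dict[str, Any]) -> str:
    """Playbook written against the canonical Alert, never against a tool's schema."""
    alert = normalize(event)
    if alert is None:
        # Fail closed into a human queue; never silently drop what we cannot parse.
        return "review_queue"
    if alert.priority == "high" and alert.confidence >= 0.7:
        return "isolate_host"
    if alert.priority == "high":
        # High severity but low confidence: no automatic isolation.
        return "analyst_triage"
    return "ticket"


if __name__ == "__main__":
    for ev in (EVENT_V1, EVENT_V2, EVENT_UNKNOWN):
        print(ev.get("schema"), "->", route(ev))
```

The design point is the one the article makes about adaptiveness: every tool-specific assumption lives in `normalize`, so a vendor schema change is a one-function fix rather than an audit of every playbook, and an unrecognized schema degrades to human review rather than to a wrong automated action.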
There’s a Better, Complementary Alternative to SOAR: Challenge Your Paradigms
SOAR is a promise worth pursuing, especially if it subsumes SIEM. However, recognize SOAR for what it is and isn’t. SOAR is about chasing infinite possibilities faster. Yes, the tactics, techniques, practices, and IoCs of the adversaries are infinite, as are the remediations and workflow dynamics. Also, never forget the implications of ‘the whole costs more than the sum of its parts’. One of these is that different elements affect other elements differently. Some affect many more than others. None affect more aspects of enterprise cybersecurity than the endpoint and the human. Dramatically improved risk mitigations for the endpoint and/or the human’s actions yield a cascade of reduced incident volumes across a wide variety of elements of your cyber program. Look for new tools that profoundly challenge the ‘detect and react’ paradigms in how they mitigate risks at the endpoint or by the human.
AppGuard Flips the Cost Curve by Nipping Malicious Code at the Endpoint
Many elements of an enterprise cybersecurity program depend on what happens at the endpoint: malicious code attacks with or without end-user participation. Imagine how effectively blocking malicious code attacks at the endpoint affects those other elements. For example, consider some network sensor that generates a considerable volume of alerts. What percent of those alerts would never occur if the adversary had been stopped cold at the endpoint?
Why Can AppGuard Block what Others Cannot Even Detect?
AppGuard blocks policy non-conforming actions. It’s not the first product or technology to aspire to do so. But it is the first to do so in a manner that is practical. The key to this is its adaptiveness to change. It only needs to know a relatively small number of things about the endpoint that seldom change. Its patented technology dynamically learns what it needs to know about the rest of the endpoint. This is why AppGuard agents in the field typically go months and months without any form of policy update, some even years. Yet it blocks new types of attacks on day one. It does so because it doesn’t need to tell good from bad files, normal from abnormal, or to pierce through disguises. It does not use signatures, IoCs, or other pattern matching to block attacks. It simply blocks those unacceptable actions that the adversaries must successfully complete on the endpoint to achieve their goals. This approach means that AppGuard blocks attacks without having to recognize malicious code itself. Ultimately, AppGuard customers find they can radically scale back much of their ‘detect and react’ operations such as incident response, alert triage, and remediation efforts.
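To make the distinction between ‘recognize the malicious file’ and ‘block the action the attack needs’ concrete, here is an added example. It is not AppGuard’s code and does not describe AppGuard’s patented mechanism; it is a simplified action-policy evaluator of my own, with constructed paths, application names and rules. Notice that nothing in it consults a signature, hash or reputation: the policy knows only a handful of stable facts (which directories are user-writable, which are protected, which applications are high-risk entry points, which are trusted updaters) and judges each action on those facts alone.

```python
"""Illustrative endpoint action-policy evaluator.

Added example, not AppGuard's code. The point: decide on the *action*
(what is launching, writing or loading what, and under which ancestry)
using a few stable facts about the endpoint, never on the identity of
the file involved. All paths, names and rules below are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# The small, seldom-changing set of facts the policy relies on (constructed).
PROTECTED_DIRS = ("C:\\Windows\\", "C:\\Program Files\\")
USER_WRITABLE_DIRS = ("C:\\Users\\", "C:\\Temp\\")
HIGH_RISK_APPS = {"browser.exe", "wordproc.exe", "mailclient.exe"}   # handle untrusted content
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cmd.exe"}           # general-purpose interpreters
TRUSTED_UPDATERS = {"trustedinstaller.exe"}


@dataclass(frozen=True)
class Action:
    actor: str                       # full path of the process performing the action
    verb: str                        # "launch" | "write" | "load"
    target: str                      # path being launched, written or loaded
    lineage: Tuple[str, ...] = ()    # basenames of ancestor processes, nearest first


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def under(path: str, roots: Tuple[str, ...]) -> bool:
    low = path.lower()
    return any(low.startswith(root.lower()) for root in roots)


def evaluate(action: Action) -> Optional[str]:
    """Return the reason an action is blocked, or None if the policy allows it."""
    actor = basename(action.actor)
    target = basename(action.target)

    # Rule 1: code is never executed or loaded from user-writable space.
    # A freshly dropped payload is stopped here whether or not anyone has seen it before.
    if action.verb in ("launch", "load") and under(action.target, USER_WRITABLE_DIRS):
        return "execution from user-writable location"

    # Rule 2: protected locations are written only by trusted updaters.
    if action.verb == "write" and under(action.target, PROTECTED_DIRS) and actor not in TRUSTED_UPDATERS:
        return "write to protected location"

    # Rule 3: a high-risk app, or any descendant of one, may not launch a script host.
    # The restriction follows the process lineage, so a child shell cannot escape it.
    tainted = actor in HIGH_RISK_APPS or any(a in HIGH_RISK_APPS for a in action.lineage)
    if tainted and action.verb == "launch" and target in SCRIPT_HOSTS:
        return "script host launched under high-risk application"

    return None


# Constructed sample actions, in the order an attack chain might attempt them.
DOWNLOAD = Action("C:\\Program Files\\Browser\\browser.exe", "write", "C:\\Users\\bob\\Downloads\\invoice.exe")
RUN_DOWNLOAD = Action("C:\\Windows\\explorer.exe", "launch", "C:\\Users\\bob\\Downloads\\invoice.exe")
MACRO_SHELL = Action("C:\\Program Files\\Office\\wordproc.exe", "launch", "C:\\Windows\\System32\\cmd.exe")
NESTED_SHELL = Action("C:\\Windows\\System32\\cmd.exe", "launch",
                      "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", ("wordproc.exe",))
SAVE_DOC = Action("C:\\Program Files\\Office\\wordproc.exe", "write", "C:\\Users\\bob\\report.docx")
PATCH = Action("C:\\Windows\\servicing\\trustedinstaller.exe", "write", "C:\\Windows\\System32\\lib.dll")
DROP_DLL = Action("C:\\Program Files\\Browser\\browser.exe", "write", "C:\\Windows\\Temp\\x.dll")

if __name__ == "__main__":
    for act in (DOWNLOAD, RUN_DOWNLOAD, MACRO_SHELL, NESTED_SHELL, SAVE_DOC, PATCH, DROP_DLL):
        print(f"{act.verb:6} {basename(act.target):15} -> {evaluate(act) or 'allowed'}")
```

Two things are worth noting about the outcome. The download itself is allowed (writing into one’s own profile is ordinary user activity) and only the attempt to execute from there is refused, so the policy never has to decide whether `invoice.exe` is good or bad. And because the rules reference only directory roles and process roles, a new strain of payload or a renamed dropper changes nothing; the policy needs updating only when those roles themselves change, which is the kind of stability the paragraph above attributes to AppGuard.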