Cyber security is currently one of the hottest fields in the corporate world. Enterprise hiring managers and vendor companies alike repeatedly report an inability to find enough experienced workers to fill their open positions, leaving organizations clamoring for better, faster, and cheaper solutions to stop gap the most egregious cyber security threats. At the same time, there is no dearth of security guidance and advice pouring forth from experts and supposed experts (this author not excluded) about how to best secure organizations, individuals, infrastructures, data, devices, applications, identities, networks, etc. And anyone who has walked a conference hall — virtually or in person — knows just how many security solutions are offered on the commercial and open source markets.
It’s hard to ignore all the activity in cyber. People are working long, hard hours and researching how to do things more effectively and more efficiently all the time. Yet it's also hard to ignore the plain fact that breaches just keep happening, and the vast majority of them are due to “the basics”: authentication errors, lax access controls, or misconfigurations. The latest blockbuster attack — the T-Mobile breach — is a combination of all the above (that we know about thus far).
Vendors, for their part, are innovating at a furious pace and receiving startling amounts of VC funding to do so. The goal is breach prevention — to stop cyber attacks from hitting organizations’ networks, data, and devices. Still, most products are targeted toward one part of the picture: endpoint or device hygiene, network traffic, authentication mechanisms, identifying misconfigurations, highlighting coding errors, application behavior...and organizations are left to piece these solutions together, sort through massive amounts of data, and act immediately on the most pressing threats. In large part, remediation continues to be manual; there is no easy button for most vulnerabilities (though some vendors might claim otherwise).
And this is why security continues to be hard: the disparate and siloed nature of security products.
In the last few years, there has been an attempt to build “full stack” products or orchestration tools that allow for ease of use and increased efficacy with reduced manual effort. This product bucket includes detection and response tools (in all their various forms), SOAR, cloud security posture management, integrated risk management (IRM), and much, much more. By all industry budgetary measures, these products are gaining traction with end user security teams.
However, with the incidents persisting despite deployments of these tools, an astute security practitioner has to question how much progress we’re making as an industry. Little industrywide data exists on how many cyber attacks are prevented because of these tools. A “best guess estimate” is: A lot. But is that enough? Are the exorbitant outlays enough to justify the end result? Could we do better?
The “shift left” movement aims to prevent attacks altogether while the “shift right” camp plays cleanup, trying to make sure that when an attacker is successful the resultant damage isn’t crippling. These tools, on both sides, have done a decent job of stopping the proverbial “low hanging fruit,” but by no means have attacks — even bad ones — stopped or even slowed appreciably. When the damage is done, it’s the consumer who is hurt most by these breaches, not organizations. Overwhelmingly, breaches (even the biggest, most gasp-worthy among them) haven’t resulted in significant long-term damage to companies. Short-term? Sure. Long-term? No. If that were the case, Experian, LinkedIn, and Yahoo! (et al.) would have gone out of business or wouldn’t be allowed to exist due to consumer or regulator concerns. Consumer data is flying around the surface, deep, and dark webs, so much so that very few people balk anymore when they receive a breach notification and are offered a year’s worth of free credit monitoring.
However, in 2020, American consumers lost nearly $56 billion USD, and that doesn’t account for the pain, aggravation, and years’ worth of stress dealing with the fallout from that theft. Businesses have cyber insurance to help with data theft or lost productivity. Consumers don’t (nor am I suggesting that a solution to identity theft is insurance).
All of this creates a conundrum: Are businesses in some way incentivized — even if it’s passively or subconsciously — to not use or deploy security solutions? Surely the vendor market profits when breaches happen. In the best case, businesses have a full security stack before a breach happens. But in many cases, products are bought after, once the security team can adequately demonstrate the effects of a breach to upper management (who may or may not be betting against their company’s name in the headlines by stalling on security product purchases).
Thus, cyber security feeds off itself. Vendor companies make more money when breaches occur (in many cases, justification for the purchase is made by pointing out another company’s breach but the result is still more sales). Enterprises buy products to prevent breaches, but lack of resources leads to shelf ware or misuse; the vast ecosystem of tools leads to overwhelming management complexity; the abundance of tools leads to alert fatigue and staff burnout; and all the while, we’re still scratching the surface on breach (or compromise) prevention.
Is this a highly negative view of the market? Probably. But it’s also one that others share. In public we say all the right things, point out positivity, praise people for doing their part. In private, though, I can tell you I have discussions with security practitioners from both enterprise teams and vendor companies who are just as frustrated as I am at the circumlocution happening in our industry.
Recently, Adam (Sr. Analyst at TAG Cyber) and I spoke with Corey White, Founder and CEO of Cyvatar. Typically our briefings start with an overview of the company, and often that overview includes a mission statement. Mission statements, though, tend to be things like “to protect businesses from ransomware” or “reduce the attack surface” or “catch vulnerabilities before applications are deployed into production.” Corey started differently, and this struck a chord with me and Adam; Corey began with his background as a security consultant, sharing that many of the security deployments and assessments he and his former teammates conducted resulted in follow-up work...after the company experienced a compromise. Could the assessments have been bad? Possibly. Could the deployments have been incorrectly implemented? Yes. Could the customer have failed to apply the suggestions or use tools the way they were intended? Of course. Realistically, though, it was a combination of failed people, process, and technology (PPT).
“Buying a security product does not make you secure,” Corey said to me and Adam. “In my experience, most products are shelf ware and the PPTs are not implemented correctly. If companies don’t operationalize what they have, products are useless,” he continued. We went on to discuss that cyber security hygiene is like body hygiene: if you’re not brushing your teeth, washing your face, eating healthy food, and getting some exercise every day, you’re not going to have good health.
Strategies to succeed
Although this was not groundbreaking news, it begs an important question: If we want to truly succeed in security and prevent compromise, can we reasonably keep doing things the way we have been doing them? We cannot be building siloed security products and deploying them to stop a piece of the puzzle (attackers will just find another way). We cannot buy a product and then not deploy it or use it correctly. We cannot be blaming inefficiencies on lack of staff — find creative ways to hire. Technology can be taught; determination and drive cannot, generally speaking.
Maybe most importantly, we have to stop treating security like it’s a “no win” game, and one that no one else in the business world understands. Consumers are often the hardest hit in a breach; an identity theft victim deals with the aftermath for years. Businesses bounce back in months. Consumers get it. Maybe they don’t practice security the way security practitioners do, but it’s not their job to do so. It’s up to the experts to put in the protective measures and ongoing processes that create cyber hygiene, day in, day out. There is no tool that can stop a breach if a human misconfigures a deployment, if a patch for an exploited vulnerability isn’t applied, or if the network is wide open and allows for lateral traversal.
The industry needs tools, but more importantly we need people who understand and are willing to work on the processes and procedures, and who put in the effort to ensure the technology is working correctly, that gaps are not missed, and that security is a holistic overlay, not endpoints or devices or networks, or or or. It’s not “either/or”; it’s the “all” that needs to start happening.