By Sergio Caltagirone

A Step Ahead

A Step Ahead: Focus on Security – download the e-magazine.

Too many of us are living in the last century of information security. We keep telling ourselves the problem is that we’re not patching fast enough or not doing asset identification well enough. Those things may still play a part in the security puzzle, but the threat landscape has moved well beyond them.

Which is why we’re seeing the failures that we’re seeing. We’re still fighting the last war and losing the current battle.

Assume you’re going to lose

We need to approach security with the presumption of loss. We are just now entering that phase of understanding in cyberspace. That’s why cybersecurity insurance has become such a big deal.

Take flood control, for example. We have predictive and detective measures to identify when a flood will come and how large it will be. We have topographic maps that identify the locations of critical resources such as hospitals and neighborhoods.

We can prevent normal, everyday floods. But in a 100-year flood we triage, choosing to protect the hospital over the neighborhood. Security is the same: we can’t prevent all loss, so we need to prioritize detection and respond quickly and effectively to what we detect. If we try to save everything all the time, we dilute our already overextended security resources and lose focus on the true business risks.

We need to change not just what we’re doing but how we fundamentally think about the problem.

Prevention is not the cure

Prevention is critical and always will be, but prevention only gets us so far. We need to reevaluate our current investment to identify where and how we can move to quicker and more effective detection.

If we want to move up the security maturity spectrum, we need to shift our thinking from ‘How do I stop the next breach?’ to ‘How do I detect it fast enough that I can do something about it?’

We’re practiced at protecting in depth, but if we want to catch an intrusion before the adversary achieves its full impact, we need to detect in depth as well, which calls for a detection-driven security cycle.

The adversary is our best teacher

We’ll never be able to know all our vulnerabilities, assets or attack vectors. Adversaries will innovate quicker than defenders. But, that doesn’t mean we’re lost. We own the territory and the infrastructure.

Instead of trying to continuously fight last week’s war, we must understand our adversary’s behaviors and “control the physics” of the space.

By that, I mean: adversaries are going to do many things once they get access to a machine and can leverage the associated assets. What are they going to do with the passwords? Can we detect when they’re stored in a file? If not, can we detect when a password is being used, possibly through identity protection? And if they’re assuming identities, can we detect when they’re stealing data? The answer to all those questions is “Yes, we can.” Rather than thinking of an attack as a single point of failure, think of it as a string of opportunities for the defender to detect and respond. It’s said attackers only need to be right once. To sever that attack thread, defenders only need to be right once, too.
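The “string of opportunities” idea can be made concrete as a small detect-in-depth pass over an event stream. The following is an added example written for this article, not the author’s or Dragos’s code. The event schema, field names, the source-host baseline, the sensitive-path markers and the egress threshold are all assumptions chosen for illustration, and the events themselves are constructed, not real logs. It shows three independent detections (a credential file being read, an account logging on from a host it never uses, and a bulk outbound transfer) and then links them into one attack thread by shared host and account, so that the thread is still caught when any single stage is missed.

```python
"""Detect-in-depth over a constructed event stream.

Added example for this article, not the author's code. The event schema,
field names, thresholds, baseline and sensitive-path markers are all
assumptions chosen for illustration; real telemetry will differ.
"""

# Constructed sample events (not real logs). "t" is seconds since some epoch.
# Scenario: jdoe's workstation reads a spreadsheet of passwords, a service
# account then logs on to a file server from that workstation (not one of its
# usual source hosts), and the file server pushes out a large volume of data.
EVENTS = [
    {"t": 100, "kind": "file_read", "host": "ws-07", "user": "jdoe",
     "path": r"C:\Users\jdoe\Documents\passwords.xlsx"},
    {"t": 160, "kind": "logon", "host": "fileserver-2", "user": "svc_backup",
     "src": "ws-07"},
    {"t": 200, "kind": "egress", "host": "fileserver-2", "user": "svc_backup",
     "bytes": 900_000_000},
    # Benign activity from another user, for contrast.
    {"t": 210, "kind": "logon", "host": "ws-11", "user": "asmith", "src": "ws-11"},
    {"t": 230, "kind": "egress", "host": "ws-11", "user": "asmith", "bytes": 2_000_000},
]

# Assumed baseline: the source hosts each account normally logs on from.
BASELINE_SRC = {"svc_backup": {"backup-01"}, "asmith": {"ws-11"}, "jdoe": {"ws-07"}}
# Assumed markers for files likely to hold stored credentials.
SENSITIVE_PATH_MARKERS = ("password", "credential", ".kdbx")
# Assumed per-event egress threshold (bytes) for a "bulk" transfer.
EGRESS_BYTES_THRESHOLD = 500_000_000


def credential_file_reads(events):
    """Stage 1: reads of files whose path suggests stored credentials."""
    return [e for e in events if e["kind"] == "file_read"
            and any(m in e["path"].lower() for m in SENSITIVE_PATH_MARKERS)]


def anomalous_logons(events, baseline=BASELINE_SRC):
    """Stage 2: an account used from a source host outside its baseline."""
    return [e for e in events if e["kind"] == "logon"
            and e["src"] not in baseline.get(e["user"], set())]


def bulk_egress(events, threshold=EGRESS_BYTES_THRESHOLD):
    """Stage 3: a single outbound transfer at or above the threshold."""
    return [e for e in events if e["kind"] == "egress" and e["bytes"] >= threshold]


def attack_threads(events, baseline=BASELINE_SRC, window=600):
    """Link stage hits into threads anchored on each anomalous logon.

    A credential read on the logon's source host within `window` seconds
    before it is attached as an earlier stage; a bulk egress by the same
    account on the logon's target host within `window` seconds after it is
    attached as a later stage. A thread with a single stage is still a
    thread: the defender only has to be right once.
    """
    reads = credential_file_reads(events)
    egress = bulk_egress(events)
    threads = []
    for lg in anomalous_logons(events, baseline):
        stages = ["anomalous_logon"]
        if any(r["host"] == lg["src"] and 0 <= lg["t"] - r["t"] <= window
               for r in reads):
            stages.insert(0, "credential_file_read")
        if any(x["user"] == lg["user"] and x["host"] == lg["host"]
               and 0 <= x["t"] - lg["t"] <= window for x in egress):
            stages.append("bulk_egress")
        threads.append({"account": lg["user"], "via": lg["src"],
                        "target": lg["host"], "stages": stages,
                        "severity": len(stages)})
    return threads


if __name__ == "__main__":
    for thread in attack_threads(EVENTS):
        print(thread)
```

Run as written, the pass reports one thread for `svc_backup` with all three stages. Drop the `file_read` event (an attacker who dumps credentials from memory instead of a file leaves no such record) and the same thread is still reported from the anomalous logon and the egress alone, which is the point of detecting at every stage rather than betting everything on one.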


Speaking of cloud security providers

The cloud is a critical component of any modern enterprise. Most cloud service infrastructure is more secure than most enterprises, and enterprises need to realize that fact. But don’t choose your cloud services and security based on a checklist. Security changes so quickly that any checklist soon becomes a useless metric. Instead, choose a technology provider that takes security so seriously it’s part of their organizational identity. Only then will you find a partner that moves and evolves quickly in the security landscape, not because of a checklist, but because that’s who they are.

Sergio Caltagirone

Sergio Caltagirone is the director of Threat Intelligence and Analytics for Dragos.

How we will win

Security is not won through procurement; it’s won through people and relationships. Pick the right partners, technology vendors and business partners. That’s how we win with security. Your technological security solutions are your security lower bound. Your people, the defenders, your organization and your relationships define how great you can be: your upper bound. Make your defenders great, and your cybersecurity will only get better.

The biggest opportunity

We currently have at our fingertips the largest collection of shared computing resources in the history of mankind, thanks to cluster and cloud computing. We can collect more data and see more than we’ve ever been able to before. Our applications generate more telemetry and data than they ever have, our ability to process it is greater than it’s ever been, and we’re not even tapping this at its full capacity. This is the biggest opportunity: simply taking advantage of the computing revolution that’s right here, right now.

Things you needn’t worry about

With so many things on our minds, especially at the C-level, it’s important to know what is not worth spending energy on.

  • AI – As a threat, this is so far in the future that only my grandchildren may have to consider it. We have so many business concerns and modern-day threats to worry about that are here-and-now that AI should not be on anyone’s radar yet.
  • Cryptocurrency mining – That should be something your vendors handle for you at the technology layer. It’s a misuse of your computing resources.
  • Cloud breaches – As organizations move to cloud-based and hybrid architectures, we will see breaches within cloud infrastructures. But given the current state of breaches, it’s hard to say the tradeoff is any worse than where we are today. Most cloud infrastructures are better protected, better managed and more secure than most enterprises.