By Josh Linder
With cybersecurity vendors now numbering more than 1,000 and worldwide security spending projected to eclipse $93 billion in 2018 (according to Gartner Research), one has to ask, “What are enterprises spending on? And are organizations getting the value they expect?”
According to cybersecurity software innovator Phantom Cyber, spending without reconciliation has become the “security circle of life.” As professionals and executives, we are chasing our tail, believing in the fallacy that solutions, which haven’t missed anything (or at least not much), are doing their job.
In addition, security buyers continue to ask, “If I invest in your technology, what are you going to replace?” Without rethinking the security stack, it is impossible to answer this question.
First, we should explain why having architecture is so important. The key is that in the discipline of cyber protection, a multi-layered approach is critical. We have to know where things fit and how they interoperate. As Gartner Vice President and Distinguished Analyst, Avivah Litan pointed out in a recent blog entry, a layered approach is essential for fighting attackers.
By mapping risks across the various aspects of the enterprise, a layered architecture facilitates the identification and exposure across endpoint, network and databases. This allows for a business and technical risk mitigation plan, which can be agreed upon by the security team, third parties, executives and the Board.
While this seems simple in concept, in the realm of cybersecurity, a single, generally-accepted architecture continues to be an enigma. It just doesn’t exist. Those familiar with traditional IT architectures, such as Zachman and TOGAF, will be surprised to find that cybersecurity lacks a similar set of standards.
Aligning all of the various products and services together gets infinitely more complex when one realizes that different teams with opposing metrics own solutions. The security team might source identity and password management, but password resets must be performed by the helpdesk. Endpoint security has wavered between security and end user computing (EUC), who also manages office productivity, mobile device management and possibly internal cloud services.
In addition, adversaries are getting better. They use multiple methods which, in isolation, only cause a low-priority warning (such as the recent NotPetya wiper malware). Advanced tools, which correlate and orchestrate individual events, are still in their infancy. Security teams are distributed across cities, countries and continents. An ad hoc stack contains detection, mitigation and response spread across multiple tools and owners.
Therefore, the greatest challenge is that those who are motivated, patient and smart will get through any single layer of security. State-sponsored criminals constantly change their objectives, and their tactics, techniques and procedures (TTPs), evading the tools of what previously worked before.
As noted above, a security stack should optimally map to compliance, risks, exposures and the steps to prevent and mitigate security incidents.
First, organizations should take a holistic view across their enterprise. While there is no generally-accepted “stack,” there does exist a number of risk and activity-based standards. The SANS Institute has an excellent framework comprised of 20 critical controls, frequently updated to reflect a changing threat and operational landscape. This is a terrific starting point across many vectors.
Other frameworks include the NIST (National Institute for Science and Technology) 800 – 53 Security and Privacy Controls.
To minimize complexity, organizations should utilize vendors whose platform addresses multiple layers and partners with complementary solutions. Protection cannot operate in a silo.
Once a foundation is in place, organizations should take a hard look at the efficacy of all tools currently in use enterprise-wide. Just because a product or service has been in use for years does not mean that it is still effective today.
What enterprises will often find is that they own most – if not all – of the technologies they need, but are not getting maximum value. Revising the security stack should focus on risks that are being met and gaps which can be filled. Any new solution should clearly address a shortcoming, not just “replace AV with next-gen AV.”
This is an ongoing process and not a single event in time. Revisions should be made annually, along with quarterly health checks. Again, find trusted partners – and industry peers – to provide input.
Despite organizations devoting more resources to cybersecurity, we still struggle to keep up. A failure to make decisions and take action is more costly than ever before. Maersk Shipping Lines is a great example – an attack, which spread across their entire network, cost $300 million to their bottom line. Pharmaceutical giant Merck hasn’t disclosed the impact, but it could range from $2 – $400 million.
The best proactive response to an ever-changing security threat is a clearly articulated and implemented security stack. It will never be perfect – whatever vendors produce today will be defeated tomorrow.
Organizations must start with basic hygiene and sound security practices. Then utilizing a layered approach to security, organizations will address maximum coverage across all threat vectors. Nothing in security is 100 percent effective, but starting with a plan and minimizing over-investing in one facet will maximize value.
Registration for Atlanta Cyber Week events, including Cybercon, will close very soon. We encourage CISOs, startups and others involved in the cybersecurity community to sign up for the events they plan on attending ASAP. Spaces are limited. Visit http://www.atlcyberweek.com and cybercon.us for more information.
Josh Linder is the director of Amida Technology Solutions’ cybersecurity practice. He has nearly 20 years in security, information management, marketing and business strategy. Josh advises security startups in the areas of marketing, sales, business development and architecture.