The quick and the breached: Futureproofing security operations

Security is about rates: the adversary is innovative, motivated and funded, and enjoys the advantages of asymmetry in cyber conflict. By and large, attacker proficiency is improving faster than that of the defenders. The first step to being futureproofed is to be present-proofed, and the essence of that is to be quick and adaptive. In a word, security needs to be more agile in its people, processes, and technology.

For many, the agile R&D movement can feel a bit revolutionary or even cultish. It is, after all, a complete change in how engineering is done: a shift to user centrism, to engineers owning their code in production, and to an emphasis on pragmatism in what we now call DevOps. The Agile Manifesto, though, holds extremely valuable lessons and can lead to a similar revolution in SecOps: the user isn’t to blame, policies have to account for real human behavior, and processes, not just tools, deserve focus. Perfection is the enemy of the good, and incremental improvement is the heart of making security operations more effective, faster.

IOCs are no longer the star in the fight to detect and prevent advanced attacks. There will always be a role for IOCs in reducing noise, stopping the low-hanging fruit of the threat world and adding color; but security is a chaotic system with an intelligent opponent. The adversary is always on the attack and has effectively found ways around IOCs: a file hash, an IP address or a domain costs almost nothing to change between campaigns, while the behavior needed to reach the attacker’s objective does not. The only time an IOC bell rings is either when the attacker makes a mistake or when they intentionally trigger it as a diversion to increase the noise-to-signal ratio.
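To make the paragraph above concrete, here is an added example (not code from the original article or from Cybereason) that runs an IOC rule and a behavioral rule side by side over two constructed sets of endpoint process events. The first set is the intrusion the IOC feed was built from; the second is the same actor reusing the technique (a document-handling application spawning a script host with an encoded command line) after recompiling the payload and moving its C2 address. All hashes, addresses, host names and command lines are constructed for the example.

```python
"""IOC matching versus behavioral detection over constructed endpoint events.

Added example, not part of the original article. Every hash, IP address,
host name and command line below is constructed; the IOC feed stands in for
indicators harvested from a previous incident.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record from an endpoint sensor (constructed)."""
    host: str
    parent: str
    image: str
    cmdline: str
    sha256: str
    remote_ip: str


# Constructed IOC feed from the "previous incident": one payload hash, one C2 address.
IOC_HASHES = {"3f2a9c0d8e7b6a5f4e3d2c1b0a9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a19"}
IOC_IPS = {"203.0.113.10"}  # RFC 5737 documentation range, constructed

# The behavioral rule keys on what the technique requires, not on artifacts.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SUSPICIOUS_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "downloadstring", "iex")


def ioc_rule(ev: ProcessEvent) -> bool:
    """Fires only on exact reuse of a known hash or a known address."""
    return ev.sha256 in IOC_HASHES or ev.remote_ip in IOC_IPS


def behavior_rule(ev: ProcessEvent) -> bool:
    """Fires on the technique: a document handler spawning a script host
    with an obfuscated or download-and-execute command line."""
    if ev.parent.lower() not in OFFICE_APPS or ev.image.lower() not in SCRIPT_HOSTS:
        return False
    cmd = ev.cmdline.lower()
    return any(flag in cmd for flag in SUSPICIOUS_FLAGS)


RULES = {"ioc": ioc_rule, "behavior": behavior_rule}


def run_detections(events):
    """Return {rule_name: [host, ...]} listing each host a rule fired on."""
    hits = {name: [] for name in RULES}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append(ev.host)
    return hits


# Campaign 1: the intrusion the IOC feed was harvested from (constructed).
CAMPAIGN_1 = [
    ProcessEvent("ws-101", "WINWORD.EXE", "powershell.exe",
                 "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4A",
                 "3f2a9c0d8e7b6a5f4e3d2c1b0a9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a19",
                 "203.0.113.10"),
    # Benign activity on the same host, to show neither rule fires on it.
    ProcessEvent("ws-101", "explorer.exe", "chrome.exe", "chrome.exe",
                 "0" * 64, "198.51.100.5"),
]

# Campaign 2: same actor, same technique, payload recompiled and C2 moved (constructed).
CAMPAIGN_2 = [
    ProcessEvent("ws-202", "EXCEL.EXE", "pwsh.exe",
                 "pwsh.exe -NoP -W Hidden -EncodedCommand SQBFAFgAIAAoAE4A",
                 "9b8a7f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1b0a9f8e7d6c5b4a3f2e1d0c9b8a",
                 "203.0.113.77"),
]


if __name__ == "__main__":
    for label, events in (("campaign 1", CAMPAIGN_1), ("campaign 2", CAMPAIGN_2)):
        print(label, run_detections(events))
```

Run stand-alone, the IOC rule and the behavioral rule both fire on campaign 1, but only the behavioral rule fires on campaign 2: rotating a hash and an address is free for the attacker, whereas giving up the document-to-script-host execution chain means changing how the intrusion works. That is the cost asymmetry the paragraph above describes, and it is why behavioral rules are the ones worth iterating on.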

The heart of futureproof security operations is a lean-in, detection mindset; an agile methodology; and a dedication to incremental improvement. This inevitably leads to new behavioral telemetry sources like XDR, moving away from the “just capture it all” approach of the SIEM years, with an emphasis on automation that is reliable for the defender yet hard for the attacker to predict. Along the way it is vital for CISOs to focus on logistics, communications, and dialog with their business stakeholders, to pick the right KPIs, and to make clear that the goal of security isn’t to stop everything but rather to reduce security risk as efficiently as possible. This is the path from a world where the attackers only have to get it right once to a world where they have to be right all the time, and one day to a world where, even when they do everything right, they still fail more often than not.

Sam Curry, Chief Security Officer, Cybereason

