Keys to Working Smarter Not Harder in Cybersecurity Part 2 of 5

Welcome to part 2  in this series about keys to working smarter not harder in cybersecurity.  In case you missed it, in part 1 I talked about about the importance of understanding the nature of cyber and how to start focusing on what's most important.   

Let's look at some other key points here:

  • Things get worse - and they always will - what you need to do about this starting now
  • How cybersecurity is not a static process or journey but a dynamic and continuous one
  • The fallacy of views such as "once and done"

Who has the time for so much today?

Why would anyone, knowing the true nature of cyber, write 100 pages of cybersecurity guidance that alone takes years to update, and is practically obsolete by the time it’s completed?  Many long policy documents by government organizations are written this way still.  They are not focused on speed of implementation or precision.

I believe it is because those writing such lengthy documents still believe that thoroughness is king.  They have not gotten leaner, nor do they focus on the most important things. Instead, they focus on everything.  But when everything is a priority, nothing is a priority.

Cyber strategies and policies must transform now, or they will not be agile or focused enough for the future.  This involves change and going outside of one’s comfort zone to pave new territory.  But it must happen, else cyber organizations will be stuck trying to focus on too much. 

Wicked Problems of Cybersecurity

Cybersecurity is so different from all other environments and constructs.  Cybersecurity has many characteristics of what’s been called “wicked problems” not easily or permanently solvable.  There are solutions to cope, although there is no single once-and-for all solution or silver bullet as a permanent fix.  

As a “wicked problem”, cybersecurity has no permanent solutions.  Also, one solution could cause more issues in other areas.  This is the nature of “wicked problems” and there are many other things to be understood.  

A deep dive on the wicked problems of cybersecurity is needed, in order to understand the true nature of cyber issues and how they can be best dealt with.  “Dealt with” is key, because “solved” is not a realistic goal.  Anyone who thinks otherwise does not yet understand the nature of cyber.

A root cause – static rather than dynamic view of the nature of cyber defense

Not understanding the nature of cyber is a root issue and challenge that must be overcome.  Older thinking assumes the more thorough, the better.  Such conventional thinking still believes “prevention is best” because that’s how things work in many other environments, in the kinetic world.  

Older environments were much simpler with less issues to address.  This is no longer the case, and unlike the kinetic world, cyber interdependencies are much more complex.

Cybersecurity is Never “once-and-done”

In cyber, things are not once-and-done.  There will always be bypasses and constant developments dancing around the many “statues of prevention and perfectionism” that have been built.  Each of these statues are just waiting to crumble.   

Each item above and others regarding the nature of cyber and cybersecurity must be studied and considered carefully, before charting the course.  Not investing the time to ensure one is on the right path will result in a longer and more painful cyber journey.

It gets worse every year - and it's been that way for over a decade

Antivirus companies to said back in 2014 - that AV was dead because it could no longer truly scale and keep up.  That was 2014 folks - where FireEye said that "82 percent of all malware [they detected] stays active for a mere hour, and 70 percent of all threats only surface once, as malware authors rapidly change their software to skirt detection from traditional antivirus solutions."

In 2015, I recall a statistic that said one-third of all malware ever produced was in that year alone, compared with the total produced between late 1990's through 2014.  This seems to match other analysis regarding malware growth explosion

Symantec determined in 2016 malware doubled in growth again, from that massive 2015 growth year.  Unbelievable.  Things have also grown since, considering it's now the 2020's.  

Roger Grimes of KnowBe4 said it right - basically that every year things get worse even if one can't wrap their head around how this is even possible...yet it happens and has for over a decade.  Grimes calls this worsening for Ransomware "Nuclear Ransomware 2.0 Quintuple Extortion" - scary stuff.

Innovative strategies that can offset such things cannot include the signature-based approach as primary.  Trying to chase down every issue or possibility is futile.  

I believe a combo of sandboxes, behavior-based solutions, upscaling detection-response and using precise intelligence plus automations at scale - are the only ways to go.  

Also, pre-packaged AI-based analytics and product intelligence shared via cross-pollination of cloud-based next-gen products shows the most promise.  If you don't know what I'm referring to - stay tuned - I will talk more about this powerful 1-2-3 punch in the future to greatly help defenders.

For Now - Get Past Prevention and Fully Embrace and Perfect: Hunting, Detection, Response

The focus should now be more on hunting, detection and response, rather than a prevention-centric approach to cybersecurity.  If preventions repeatedly fail and attackers at some point will get in, a strong hunt, detect and response program is critical.  More critical perhaps, then prevention.  

A hunt-detect-respond capability should become a well-oiled machine in one’s cyber defense arsenal.  It should be tested often, automated where possible, focused in precise things and improved and honed continuously.  

The older views listed earlier do not take the real nature of cyber into account, such as the fact that attackers will get in.  Prevention-based solutions no longer work, yet are still at the root of the thought processes found in many checklists, documents and advice within cybersecurity.  They are a primary area of focus, yet they repeatedly fail.  Things must change.

The team should not be graded on how many vulnerabilities were reduced - that's the old-school one-for-one approach.  Today's metrics should center on only the most critical exploited vulnerabilities for prevention.  

The best metrics concern how fast things are detected, how effectively they're blocked and responded to - especially on most critical assets.  In other words, did the disruption of the cyber attack kill-chain actually actually work?  

Metrics and dashboards and hunt teams should answer to whether attackers were thwarted, systems recovered, and persistence footholds and C2 mechanisms eradicated.  Those are real metrics, not theoretical ones based on tons of vulnerabilities or just "response" busy work.  

Stay tuned next for part 3 of working smarter not harder in cybersecurity.

#Cybersecurity #LessIsMore #Infosec #WickedProblems - CYBER Y'ALL! - @CyberYall

Comments

Popular posts from this blog

Slay the Log4Shell Dragon TEAM 1 - Protect and Detect Vulns Playbook

Slay the Log4Shell Dragon TEAM 2 - Hunt and Detect Attacks Playbook

Keys to Working Smarter Not Harder in Cybersecurity Part 5 of 5