The evolution of threat research: Looking beyond best-of-breed

Traditional models of threat research as a service are changing and evolving towards a more bespoke model that puts more control in the hands of end-user cyber teams

The dynamic of threat research is evolving, placing advanced levels of cyber security in the hands of those who not only defend, but can also forecast the landscape, shape protocols and orchestrate defences in a much more personalised way.

It represents a more proactive approach, driven by helpful advancements in artificial intelligence (AI), and necessitated by less helpful “advancements” in attack ingenuity – but only if organisations take the time to seek out this more bespoke, knowledge-fuelled proposition.

Traditionally, threat research for organisations has been provided through a one-stop shop: a supplier offering a service that integrates into a company’s digital architecture, flags alerts and blocks malicious activity. In practical terms, however, this is still somewhat reactive.

There is a reliance on those suppliers to know every form of threat that might impact the customer’s industry and operations, and to offer something suitable to defend against those threats.

The expectation from organisations, historically, is that all the research will have already been conducted in general terms, to produce the most sophisticated and all-encompassing product possible.

Now, instead, those same existing and prospective software users should be seeking out something a little more personalised, off the back of more targeted research and suitability assessments.

A more agile response

Cyber security research itself isn’t novel. Those same aforementioned suppliers have always generated quarterly or yearly reports to assess the efficacy of services deployed, and to monitor the general threat surface for specific sectors and regions based on ongoing data analysis.

Doubling as both a consultative and a solution-driven arm, these suppliers are designed to give customers the upper hand, albeit behind the scenes, through the makeup of the service itself.

Now, given the evolution of attacks, there is a need for more individualised relationships where the supplier provides a completely personalised forecast of what to expect, what to plan for and, therefore, what or what not to invest in.

Armed with insight into what their specific vulnerabilities are and could be, those investment decisions need to become more informed and targeted, off the back of information that won’t be inherently driven by making a sale, keeping up appearances or retaining product subscriptions.

The ultimate aim instead is a more agile and tailored response to the ever-changing actions and behaviours of their threat matrix.

“Inevitably, AI and GenAI can be thanked for this potential, with improved computer technologies allowing us to look at threat and attack data within an organisation,” says Jon Clay, vice-president of threat intelligence at Trend Micro. “From there, we can build more customised threat models and attack path prediction views for them.

“After all, many attacks are customised by the adversary for their victims and, as such, we need to discover, assess and prioritise their specific attack surfaces. By doing so, we can provide targeted mitigation strategies to minimise the risks found.”

Not doing the basics

Trend Micro is no stranger to change. Founded in 1988, the company’s pride comes from being one of cyber security’s pioneers, built on the notion of exchanging digital information. Its Vision One platform delivers attack surface risk management combined with Extended Detection and Response (XDR), catering for all sectors, regions and strands of the digital environment.

“As such, we have one of the broadest native security products in the industry still,” says Clay. “And, more pivotally, it gives us one of the best vantage points in the cyber security space, too.

“The main issue we observe time and time again is that organisations are simply not doing the basics when it comes to cyber hygiene, which would help to minimise their risk of a breach. Things like patching, enabling multi-factor authentication (MFA) on critical accounts, using the latest detection technologies and enabling them and, finally, minimising the number of misconfigurations that expose devices and accounts to attacks – they can all make a significant difference in strengthening cyber security posture.”

This shortfall creates a two-pronged problem. One, a basic inability to protect against more advanced attacks. And two, because of a vague awareness that they’re not safe, organisations rush into investments that promise general defence, without gaining any greater knowledge of what their specific threat landscape looks like.

“There’s a third issue, too,” says Clay. “New technology is exciting and can have a great impact within an organisation. As such, they tend to want to adopt it quickly. The challenge we see is that many do not understand the security risks these technologies also open within their organisation. It’s crucial to assess any new technology prior to implementation to identify these security risks and ensure they are implemented with a secure design.”

Not a priority

So, a lack of bespoke due diligence, rushed investment decisions, and a potential weakening of defences rather than a strengthening, all derive from this more reactive stance, and a sole dependence on acquisition rather than information. The upshots at that point are sadly well documented.

Naturally, there’s the financial hit. Clay notes that the extent of “shelfware” that is purchased but never implemented is alarming. A late-2023 Pure Storage report confirmed that as many as 90% of IT buyers were introducing tech installations that the rest of their infrastructure couldn’t support. A year later, and an estimated 30 to 50% of software was still either unused or underutilised, bringing us to a present-day situation where bespoke insight into suitability – not just a panicked investment – has to be the first port of call.

“Many companies are still fighting fires and are focused on the many alerts they get from their existing security products,” says Clay. “This causes challenges as they cannot focus on preventative measures or on building a more resilient security model. Their threat research tends to revolve around ingesting third-party threat feeds of IoC/IoA data, and in some cases, engaging in threat-hunting.

“Really, though, the truth is that research isn’t typically a priority at all.”

Major transformation

More generally, the cyber security industry is going through a major transformation, and the traditional best-of-breed, siloed security services don’t offer the same level of security, nor visibility, that organisations need to identify today’s attacks.

This status quo, compounded by threat research being left to the discretion and generalisation of suppliers, opens the door to company-specific vulnerabilities. At this juncture, it’s vital that those same businesses start to include bespoke threat research as a primary tick box moving forward. And, slowly but surely, they are.

Stefan Saliba is IT operational security manager at Betsson Group, a global gaming and betting company operating in a space where user privacy and security are paramount, and where breaches are especially attractive due to the extent of finance details attached to the platform.

“We need to stay ahead of zero-day exploits in order to protect millions of people around the world,” he says. “Constantly putting out fires isn’t an option for an operation of this scale. We have to approach our work much more proactively, and that can only happen with comprehensive threat intelligence and real-time virtual patching.”

Both are enabled by Trend Micro, with Clay adding that Betsson Group is one of many organisations coming to the same realisation: proactive defence can’t be achieved simply with blind trust in suppliers. Users should be seeking proof that their service is fit for their purpose.

“We’re seeing customers, both new and existing, take more control over their infrastructure and networks,” he says. “They see customised attacks targeting them, so want to be more customised in how they defend against them.

“Changing perceptions that the old model still works is challenging, and getting them to adopt a new way of doing things will take time, but we’re certainly seeing a pivot.”

The death of best-of-breed

Perhaps this pivot isn’t just a result of one obvious advantage – that of more individualised cyber protection – but because of the realisation of numerous additional benefits that come from more bespoke threat research being prioritised through the supplier selection process.

There is an opportunity to consolidate and reduce investments into security tools if you know exactly what you’re protecting against. This spins off into reduced training, support and maintenance outlays as further cost benefits.

Improved awareness, knowledge and understanding of the security environment also paves the way for more informed business decisions. Knowing explicitly how an expansion, relocation, rebranding or acquisition might affect the existing defence situation removes a great deal of risk while emboldening shareholders.

“Personally, I think simply understanding cyber security through the lens of your own company is enough of a reason to prioritise threat research,” says Clay. “Organisations are recognising that by fostering a security awareness mentality among their employees, they will be more secure. Security needs to be an everyday commitment as attacks are increasing in speed, variety and sophistication.

“More and more, companies are asking how they can improve their ability to predict what attacks will target them, their industry, their region,” he says. “As such, threat research capability will become the norm and the traditional best-of-breed approach may soon die out.”
