When more is too much in security

“Growth creates complexity, which requires simplicity” – Mike Krzyzewski.

There is a common misconception that the more security tools you have, the better your organisation’s security posture. It’s no wonder, then, that enterprises average more than 70 security point offerings, and it shouldn’t come as any surprise that with each offering that is added to the mix, complexity rises and efficiency decreases. While this may not be a huge issue for Fortune 100 companies, with their nearly limitless security budgets, everyone else suffers.

One of the underlying issues driving complexity is that over the years, organisations adopted a layered security approach to protect themselves from the ever-changing threat landscape and the increasing sophistication of attacks.

However, each layer consisted of multiple disjointed offerings, resulting in security researchers finding themselves becoming integration engineers, trying to connect all of the dots. How do you collect and accurately correlate signals and indicators from different sensors, filter them, normalise the data, scan for false positives, and assess the relevancy of the data to your needs and more? How are multiple threat feeds ingested, prioritised and tested for false positives? How can you ensure everything works together for a security posture that’s as close to perfect as possible?

You can’t. The proof is in what’s been called dwell time – most threat actors reside inside organisations’ networks for weeks (if not months) before launching their attack.

During this critical period of the attack, IT has many opportunities to detect, mitigate and even prevent an attack. While on the organisation’s network, the attackers collect passwords and assure their persistence on the network utilising everything from tools that are already in the system, such as WMI or PowerShell (or what’s called LOL, which stands for living off the land) to custom tools performing privilege escalation, lateral movement to identify crown jewels, preparing exfiltration tunnels, and much more, all while evading security controls.

This busts yet another old cyber security myth which is, “the attackers have to be right just once, and the defenders have to be right all the time”. This myth is an oversimplification of what really happens during a breach. In fact, the exact opposite is true. The attackers have to be right at each and every step to reach their goal, while IT has multiple potential choke points in which they could have detected, mitigated or prevented the attack. So why do defenders keep missing those signals?

In many of those cases, all the signals were there but they were somehow missed. This begs the question – with each new tool added to an organisation’s security stack, are we adding fat or muscle to our security operations? Are we helping and empowering the security analyst to perform their job in a smooth, streamlined manner or are we adding yet another screen they will need to monitor in the hope of catching a signal or alert? Are we adding yet another integration project that will not only take ages, and even longer if some of the employees leave, but will also move the focus of the team from security operations to integration and testing?

Threat actors have multiple advantages over the defenders – they have the initiative, they are far more agile, they adapt and change quickly and more. However, a close look at many of the breaches revealed that they are still using the same tools and techniques – phishing, password cracking and vulnerability scanning. It is not the ‘what’ that they have changed, but the ‘how’.

The same has to be applied to our defences – instead of constantly trying to add new features and functions to our cyber defences, we have to be able to use the ones we already have in a simpler (yet not simplistic), more comprehensive and more manageable way.

You know, when I served in the army, there was an old saying my commanding officer used to repeat: “If it won’t be simple, it simply won’t be.” It applies just as brilliantly to cyber security as it does to physical security.

Etay Maor is the senior director of security strategy at Cato Networks and an industry-recognised cyber security researcher. He previously held senior security positions at IntSights, IBM and RSA, and is an adjunct professor at Boston College. He is also part of the Call for Paper committees for the RSA Conference and QuBits Conference.