[Posted on behalf of Anton Chuvakin, Security Strategy - Chronicle, Google]
This post is a convergence of a few things: our recent foray into more basic security areas (from threat hunting all the way down to vulnerability management), my experiences at a recent Security Summit and, of course, recent ransomware-like incidents (from WannaCry to Petya).

So, we analysts do lots of 1on1s at Gartner events; these are essentially in-person client inquiries. It so happened that I took a decent number of 1on1s with organizations (some large!) that had just hired their first security professional (likely a manager, but sometimes a technologist) or that had no full-time security people at all (so a Director of I&O or even a CIO was talking to me). Many of these organizations were definitely not SMBs! The epiphany that resulted from this is as follows: a lot, A LOT of perfectly great security advice is 100% useless for those guys.

First, everything that starts with "have your security team ..." goes into the wastebasket. Next, everything that requires specialty skills ("have your SIEM engineer do...", "your incident responders will...", etc.) goes for a toss too.

Indeed, even larger organizations buy more boxes than they have people to run them, but for these guys the situation is dire: no box that requires an FTE will deliver value to them, because that FTE does not exist. So, essentially no SIEM, no EDR, no DLP, no UEBA, etc.

Sure, some security tools can perhaps be run by IT operations teams (firewalls by networking, EPP by the desktop team). On the other hand, telling these companies to rely on "shoot and forget" [well, relatively so!] preventative controls like ...you got it... firewalls and EPP is also bad advice, since those are no match for today's "better" threats. This also gives birth to clichés like "ransomware only affects 'security-stupid' organizations", etc. Not really, but it does affect the short-staffed more than others...

Some of you are reading this and thinking, "Hold my beer, I am going to quit my job and start an MSSP! WIN!" Hold on! MSSP alerts need to be triaged, somebody needs to tell the MSSP which security settings you want changed, etc. All of this requires people with security knowledge. By god, even selecting the right MSSP requires security talent; otherwise there is a high risk of the vendor taking advantage of you. Also, as an MSSP, you'd face some of the same talent shortage and cost issues...

Where are you taking all this, Anton? Three conclusions:

we are all kinda screwed, since it is "damned if we do, and damned if we don't"
if you think you can do security well without security people, you are deluded, and probably breached too
however, we need to REALLY focus on making the available people work effectively and efficiently.
This is the only way to survive! "Force augmentation" should be the only game in town.

And, no, it does not automatically mean "buy SOAR tools", because their current implementations often require a lot of good people to jump-start the implementation...
