In the previous post, we discussed how a new generation of security and threat analysts will come not just from core engineering or CS skill sets, but also from Political Science, Visualization and core liberal arts backgrounds and competencies. There is a fundamental need to do things differently to improve threat detection and response outcomes, and that change must come first and foremost in how the related security organization, processes and workflows are designed.
The Hardest Things In Life Are Sometimes Just Hard
A case in point is the infusion of cyber threat intelligence into the everyday workflow of the Incident Response and Security Operations team. The goal is a daily or weekly “Intelligence” brief that guides and filters the workload of the Operations and IR team and informs Management. And the goal is a good one, because the application of targeted and relevant intelligence can turn a team swatting flies in a million directions into one that can easily zero in on and eradicate the malaria-laden mosquito that may have gone undetected amid the fly-swatting distraction.
But it is still a pipe dream even among creme de la creme teams that have a large set of malware researchers, an even larger set of threat analysts sifting through myriad forms of Intel, and a team lead that is experienced in all forms of Intel, manages key relationships and can triage the hardest stuff.
They belong to ISACs, have geo-political advisory information, detailed adversary and industry data, and thorough TTP reports, in addition to technology-specific reputation and other feeds. They are automating where they can, using standards, and leveraging “platforms” to help aggregate data or show relationships between connection points, and it is still really hard and mostly manual. It is hard because it requires so many inputs, and skilled, experienced eyes to filter results effectively and introduce new workflows to hand off to the Incident Response or Operations teams. And if it is hard for the teams that have 20+ malware research and threat analysts alone, it is even harder for the organization that is struggling with a lean security team and has no formal IR or Cyber Intelligence program.
Enter A Bevy of New “Blackbox” Security Vendors
With complexity and highly manual processes, the pickings are ripe for a new (or refocused) set of security vendors to tout their wares of new algorithms that magically “learn” and “automate” the problem behind the scenes. It is tempting to want to believe it, and looking at the course of the past twenty years, CS and Engineer-trained security leads are smitten with the new security “gadget” and features to help solve the problem. It is partially the reason why the Security technology market has skyrocketed to a $20 Billion industry, with little change in trajectory anticipated.
And sometimes the cool new tool actually works and is a warranted investment. Spam became an almost overnight bane of existence to the email administrator, and frustrated executives increased the pressure. An effective spam filtering tool that could quickly learn a company’s email patterns and block 95% of the junk made the admin a hero and was easy to justify. But outbound filtering and DLP never really did take off, and that’s because most organizations did not have the processes or workflow in place to implement it successfully. Indeed, the spam filtering tools that are still around today actually had the reporting and workflow to effectively manage the needs of the email admin dealing with spam.
Change Is Possible.
Many may doubt whether a large enough set of companies can make the change, or ever implement their own Cyber-threat Intel program or IR team, and for the most skeleton IT teams, it will be a major struggle. However, there are thousands of organizations with security teams of 10 or more, and change can occur with an integrated team of threat analyst, security analyst, Security Operations Center and a Security Architect or leader who takes the helm and marshals resources.
The post The Art of The Long Haul and Avoiding the Quick Security Fix appeared first on Arbor Insights - Our People, Products and Perspective.