In North America, the Labor Day holiday has signaled the end of summer with a long weekend; it is a day that recognizes the contribution of the workforce and the power of workplace unity. As organizations come together to plan and execute for the next year, it seems fitting to remark on what teams united behind a common mindset and goal can accomplish.
The threat landscape for organizations has irrevocably changed: the “advanced threat” has become the new normal. It is targeted at a specific company, designed to bypass traditional controls, and carried out as a planned and orchestrated set of attack activities. Finding the clues to these orchestrated attacks is a challenge as alert volume increases, and the time it takes to investigate priority alerts and false positives wears down security teams of every size.
The current situation within a security response team can be bleak, and it is getting worse. The majority of the day is spent chasing an event that turns out to be a road to nowhere, while gaps in network coverage limit the team's ability to respond to threats. Organizations spend millions and still retain only days of PCAP for forensic analysis. The morale of the security team responsible for searching for and responding to threats is colored with frustration and a feeling of chasing fragments and incompleteness.
The leaders of the security organization typically cannot hire, find, or keep enough skilled or trained staff to deal with the problem. The security “elites” are investing in “SEAL/SAS” style hunters and puzzle-matching ninjas, supported by expensive data science projects and analysts. Cyber-intelligence functions are largely manual in their workflow and in their digestion of data sources, resembling political intelligence units more than IT functions. The prevailing wisdom is that “threat hunting” and intelligence teams are for the privileged few of IT security: the ones with large security and incident response teams, big budgets, and decades of expertise (often earned in top government agencies and their contractors). Threat hunting and cyber threat intelligence capabilities are thereby destined for “niche” status, while everyone else struggles along with firewalls, a sandbox, and perhaps a SIEM. These are the organizations where security teams are lean and incident response is a policy, not a team.
Yet the world of threats has rapidly evolved from black and white models of known behavior to a world of gray, where a series of well-cloaked activities must be revealed to find the new types of threats. In this new world, every team and every member will need to think about what looks gray, and how to answer whether what happened next, and next after that, led to “white” or “black”. The “hunting” or proactive “puzzle-solving” model must evolve from a “niche” movement to one for the masses, where looking for clues becomes a change in mindset rather than a caste privilege.
We have seen how small teams in security operations, or even a sole actor responsible for policing the activities of an outsourced NOC and SOC, can transform their organization’s security approach. They do this by first changing their mindset to look at the activity within their network, and then opening their aperture to use different sources, or to piece together the same information in a different way. This mindset is about figuring out what looks different and what happened next.
This mindset can be taught, or it may already be present in members of the organization. Indeed, we are seeing teams of all sizes desiring a new model, where their day is more productive, their minds are constantly searching and problem solving, and together, or with peers, they can unite to drive progress within their organizations. In an industry screaming its wares of “next gen” and the new “automated” threat detection solution, let's take a moment after Labor Day to focus on empowering teams and the security workforce.
The post Size Does Not Always Matter, It’s the Mindset That Counts appeared first on Arbor Insights - Our People, Products and Perspective.