Jason Ostrom
Published in storasec
Jan 28, 2020

RSA Security conference is just around the corner and it’s always interesting to see the news that follows. Like Angela Duckworth’s book about Passion and Grit, it’s amazing how you can have your head down in the trenches for so long and suddenly re-discover something in a new way — casting a new perspective on what you are doing now or previously did. Every once in a while I get so fired up when I discover something old in a new way. I just found some new inspiration in re-discovering a story from many years ago related to Cybersecurity and wanted to share it.

So much of Cybersecurity rests with our perception of risk. A long time ago, a wise and experienced CSO shared with me something that I just re-discovered to be very true. He said, “Security is a function of sales and what people desire.” Sounds funny without the context, which was a discussion around why security features were not being offered in a product to protect users when they were available in the standard. He explained that the security feature wasn’t available because users weren’t asking for it — because they didn’t perceive or understand that specific risk. I just re-visited this thought and found how true it is about our collective perception of risk.

Back in 2004, I was deploying Cisco’s Cisco Security Agent (CSA) to enterprises. It was a venerable endpoint security product in the Host Intrusion Prevention (HIPS) space but ultimately was dropped — Rest in Peace, CSA, Rest in Peace. You were a product that arrived ahead of its time. That was then and maybe there wasn’t a compelling perception of risk to change people’s minds.

Now, ransomware attacks are pervasive in our mind’s eye. The truth is that ransomware has been a HUGE and positive catalyst for change in the computer security industry, because we feel the pain from ransomware: the operational and business impact is visceral and immediate when we lose access to our data. CIOs responsible for IT operations feel it as lost productivity and revenue. As a result, security programs now enjoy a larger budget for the purchase of endpoint security solutions. They see the ROI on a tangible product that can buy a chunk of mitigation insurance against a ransomware denial of service (DoS). That raises awareness, and it is a good thing for our industry.

The “Prevention is ideal, but detection is a must” (h/t Eric Cole) model of controls works well for security programs that are dealing with a persistent and determined adversary. But is this really as effective for ransomware? When fighting ransomware, prevention is vital. Response matters very much as well (including ransomware-specific IR playbooks and procedures), but it is outside the scope of what I’m emphasizing here — the rise of endpoint security.

Unlike CSA, the timing is right NOW, and the next-gen endpoint security vendors have capitalized on this. Well played, Endpoint Protection Platform (EPP) and Endpoint Detection & Response (EDR) vendors. I salute you. But there is no easy button to push here, nor silver bullets to be found. To yield value, these products can require correct policies and configurations. This means proper resources, care, and feeding to implement and maintain them (just like CSA required). For an exploration, check out the amazing Black Hills Information Security (BHIS) webcast series on bypassing endpoint security (“Sacred Cash Cow Tipping”).

No single security solution can magically meet ALL of your security requirements for ALL attack scenarios. You need layered, defensive security controls and processes applied intelligently to your program. But first, it is vital for your organization to have a well-formed threat model for your business assets. If you haven’t already, run a threat modeling exercise to understand your business risks. Take it a step further and perform an adversary simulation with the MITRE ATT&CK framework mapped onto your business risks. (h/t Edward Amoroso)
