The enterprise cyber security challenge between attackers and defenders cannot sincerely be compared to a chess match. The chess analogy suggests that both entities are similar in terms of resources and capabilities; only differing in their approach or strategy to the game. In contrast, enterprise defenders are required to be omniscient while attackers only need to know “one thing” very well.
The RSA Conference 2020 provided an excellent backdrop to review the challenges and opportunities that enterprise defenders face.
Addressing The Changing Strategy Of Cyber-Attackers
The attacker distinction of having a singular focus is changing. Attackers are increasingly building chains. These chains seek to identify data for exfiltration. Defenders that examine only one link in that chain are missing the big picture.
As an organization stands up its cyber security program, a common practice is to identify common building blocks that construct the underlying architecture and approach. With growth of the organization, the security needs also expand and are often addressed through the adoption of point solutions; quickly solving one particular challenge with each solution.
Over time, this patchwork of solutions necessitates a re-approach to the security program. Multiple, incompatible platforms lead to specialization of security team resources and an inability to efficiently process threat signals.
See Related: Patching And The Basics
Cyber Security Solution Strategy Alignment
We frequently summarize that these strategy decisions vary by organization. The industry sector, size of organization, maturity of security program, risk tolerance levels and business model among others are all important factors that must be considered.
For the purpose of brevity, we will describe three approaches observed across enterprise organizations for solution types:
Integrated Solutions: As the name suggests, a collection of tools and techniques combined into a single platform relies upon the entirely of the solution to derive value. Compatibility amongst tools is a benefit for a highly integrated platform. Separate activities can now be viewed as a single “incident” using this approach. The perceived downside of an integrated solution is that you may be paying for functionality that the organization does not need (The Swiss army knife dilemma). The sense of being “locked in” to a single supplier solution has also been raised.
Layered Solutions: An increasingly popular approach to addressing phishing attacks is to implement multiple, distinct tools. The benefit of a layered approach is seen as catching more attack variations since there exists no one-size-fits-all solution. Convincing your organization’s finance executive that buying multiple types of the same solution is a smart strategy may pose more of a challenge. The comparisons to other business activities requiring a layered approach are limited and recognizing that cyber security is unlike procuring other software may aid in overcoming initial objections.
Point Solutions: Task-specific approaches to building an enterprise security program are foundational. As previously referenced, an organization will reach a level of maturity after standing up its security program where expansion using this approach should be questioned. However, point solutions are not obviated at this stage. Even with the most integrated solutions, there will be business-specific requirements that are not best handled through the platform approach.
For more mature organizations, the right solution is likely some combination of these three approaches. Resource allocation for your security team and outsourcing of non-core services is another aspect to consider.
See Related: Beyond The Firewall: Breaking Down Layered Security
Developing An Information Sharing Ecosystem
Acquiring and deploying security solutions is only a part of the equation in matching wits and brawn of attackers. To make the solutions fit their intended purpose as well as retain adaptability, a threat intelligence and tool ecosystem is necessary. The ecosystem enables multiple security perspectives to contribute and shape how solutions evolve.
The outcome of an effective information sharing ecosystem is the ability to accelerate common objectives and drive better value. In turn, more powerful security solutions are developed to help defenders achieve a better perspective and change the game on attackers.
See Related: RSAC 2020 Watchlist: Threat Intelligence, Info Sharing And Frameworks