There is no denying the notion of strength in unity. Similarly, inclusiveness and the broad participation of many is another idea that is widely cherished. These are both principles that are essential for achieving success in security in these challenging times.
Conventional security has separate tools, alerts, policies, procedures, teams, and reporting. At one time, this approach made sense: it applied specialization to specific areas of the attack surface or of the data and computing infrastructure, according to the needs and vulnerabilities of each. Attacks were generally focused and not overly progressive.
Today, the challenge is more about finding the real indications of an attack early and less about trying to protect a certain part of the attack surface. There are a nearly unlimited number of vulnerabilities facing every organization, and they change frequently. Attackers have an almost infinite number of chances to penetrate infrastructure, explore it, find valuable assets and work towards exploiting them.
Successfully finding an attacker at work is less about discovering a single point of compromise—although that is still valuable—and more about seeing progression. The latest attack chain models reflect this idea. Seeing progression involves multiple points and multiple pieces of data. It may also involve the skilled processing or analysis of each tool. Data and findings need to be centrally collected, correlated, and analyzed as a whole to understand progression, see the early stages of an attack and rule out other abnormalities that are not relevant.
Democratizing security means that all data and findings can and should be considered. It is not about augmenting a particular platform, but rather about creating an open environment that accepts information from all tools and sources without restrictions due to technical or marketing limitations. It is possible that not all sources have the same “weight,” but it’s important that each has a “voice” that can be heard. Democratization is the ability to have the participation of all.
Combining all sources means that every stone will be turned to ensure we’re not missing some vital piece of information about ingress, egress, or anything in between. Lots of “dots” not only provide better resolution or fidelity (as any consumer of monitors or cameras can tell you) but also enable a more precise connection of the dots. Such an ability can elevate the paradigm from an unwieldy level of security alerts to one of far more accurate incidents. False positives can be ruled out for far more accuracy. The combination of broad participation and the strength of unity is becoming essential.
The traditional approach to security results in a state where a data breach, or something worse, is inevitable, and teams are taxed far beyond their ability. Security teams are already short-staffed and overworked. Hiring new or additional professionals is difficult due to the acute worldwide shortage. At the same time, companies are expecting security teams to become enablers of digital business and become more involved with risk, adding to already full plates or shifting time to these new demands.
Getting rid of existing tools and systems is not the answer. For the most part, each still has value, and most companies have sunk investments in them that are more than just monetary. Each tool also has investments of training time, procedures, rules, reporting and other things. Each still performs a function that has value in minimizing vulnerabilities, improving hygiene and stopping less sophisticated attacks.
The old mentality needs to be discarded. Instead, we need to use these tools to stop the new era of attacks and move from an alert-centric to an incident-centric security team. The tools can still be left in place, and their data and findings given over to a new approach. Jettisoning these tools is a bit like tossing out the baby with the bath water.
A highly experienced, robustly staffed security team could potentially gather all the data and alerts, correlate them manually and make better assessments of security events. Such an environment would be rare. The alternative is to employ the latest generation of Extended Detection and Response (XDR) that is beginning to be known as Open XDR. The value of this new type of XDR is that it accommodates all tools and all sources. It embodies democratization and inclusion to provide the necessary breadth and depth to find an attack quickly and accurately. Teams can then work to quickly stop attacks and mitigate or prevent damage.
There is strength in unity and democracy when it comes to security. It is rapidly becoming a necessity to those who want to survive or flourish in new realities.