Recently, I spent two weeks traveling across Europe talking with defenders, reporters, and leaders of security programs. While each country faces its own unique challenges and has its own needs, there were a few themes that were consistently present. (Threat Outlook Report 2020).
Naturally, we addressed common issues like the increase in attacks and the rise in sophistication of attackers—but these topics are frequently discussed. I also wanted these conversations to focus on what teams can do to effectively combat the growth in cyberattacks.
A common theme was a growing confidence from defenders in their ability to defend their systems. This is interesting, as many of us share the sentiment that defenders are still understaffed (the latest report says 3 million jobs are still unfilled), that attackers have all the advantages (a point I would argue isn’t entirely true), and that CISOs still don’t have access to the money or tools we need. So, how are we gaining confidence?
In our survey, conducted with over 3000 CIOs and CISOs across the globe, some of the most encouraging numbers are:
89% said that threat hunting has improved their defenses
79% said they are more confident in their ability to repel attacks, while
37% said they are “a lot” more confident
What’s made the difference for us?
Community
Our community has pulled together in a number of ways—whether that is via formal threat intelligence sharing programs, or through Slack, or a community like the Carbon Black User Exchange. Teams are working together across the globe to share what works. We have shifted the way we think about attacks and our defensive techniques through open source projects like osquery, the use of an open framework like MITRE ATT&CK, and simply meeting in person more frequently to share pain points and successes. We used to say we weren’t talking enough, but I think that’s changed. Think about what happened with ATT&CK—every vendor in the space got better as a result of well-published, accepted testing of their products. Gaps were closed, new code was pushed, and we all improved as a result. Teams that didn’t understand the TTPs of attackers now do. And I think that is a great thing.
Process
We are moving more and more towards automated processes. I believe this is mostly born out of necessity; when you have few people, you need to automate when appropriate. Teams are adopting automation for manual efforts like ticket opening and closing, incident response actions, and configuration management. Teams—again, out of necessity—have started to adopt DevSecOps and are writing more tools than ever. There is also a wide range of open source tools available to help defenders automate. The community has really taken on the challenge of automated assessments, and we’ve seen a number of automated testing tools perform well in the space. Continual fine-tuning needs to be the next goal on the horizon.
Technology
I believe we are in the middle of an unprecedented explosion of tools that provide better value. We have decided to stop buying all the market has to offer and start buying the fewest number of solutions necessary to accomplish the best outcomes. We are starting to use orchestration amongst our technology stack, unifying our systems to detect and stop threats. We have also pushed vendors to build open APIs and integrate with each other. While we have a long way to go on the vendor side, I think the momentum is headed in the right direction. As consumers of security solutions, we must push our vendors to be the vendors we need—not the ones that think they know what we need. We must truly partner with them to help create better solutions that work together. Additionally, we have seen moves to address the overall broken industry, which is full of “bolt-on” tools sprinkling pixie dust on top of foundational problems. VMware Carbon Black represents a fundamental shift in the market to build security in, versus bolting it on. This should help drive down the overall cost to achieve outcomes and help clear out a lot of the noise we see today. Teams need fewer choices that actually work. I think we have hit this tipping point, as well.
So what does this mean for all of us? It means we should hold our heads up high. Yes, breaches will continue—but we are identifying, reporting on, and remediating the root causes of breaches faster than we ever have before. I believe our overall morale as a group has been low for far too long. 2019 is the year we tip the scales back in favor of defenders. The point at which we address the fundamentals. The year we push back on our adversaries and kick them out of our environments. They are running out of places to hide, and they know it. We are making them work harder. We are making them adapt to us for once, and I think that is simply awesome.
Good luck and good hunting!