High profile data breaches prove security investments are only half the battle

Since the start of 2017, we’ve seen some epic data breaches leaving millions of affected consumers uncertain about the security of their personal information and what to do next.

Many of the responses from these affected companies have centered around investments the companies have made or will make in attempt to “remedy” the breach problem in the future.

This is something I hear from countless leaders in business and security where ‘significant investments in data security’ have been made.  Now, it’s no secret these companies have extremely valuable data – everyone can agree on that point.  So, presumably these companies have every incentive to keep that data secure.

If a company like Verizon or the like can make significant investments and have every incentive to keep the most sensitive kind of information secure, but still experience a breach…it stands to reason that our playbook needs a revision.  The security playbook consists of a few guidelines and directives, and most organizations have been following this playbook for many years.

The primary directives of the security playbook are:

1) Collect a lot of data
2) Store that data in a big database with finely tuned models
3) Sit back and wait for the alerts to stream

We see time and again that this playbook doesn’t work – or else it would have worked by now.  Seeing what happened to businesses in the last 9 months alone should awaken us to the realization that we must do something different.  These things happen because we continue to follow an outdated paradigm with directives that haven’t evolved to address the changes in the world.

These investments do not address the evolving security landscape, the attack surface growth, or adversary goals.  Legacy security investments continue to miss these attacks – like web applications that are left vulnerable to exploit.  Secondly, the playbook does not appreciate the mindset of assumed compromise.  As organizations continue to adopt this mindset, a new set of plays is needed to serve the new paradigm.

Threat hunting is a discipline that uncovers the changing Tactics, Techniques and Procedures (TTPs) of sophisticated adversaries.  Threat hunting involves open-ended, recursive, combinatorial search across all datasets to reveal what is currently hidden.

Organizations have spent billions in currency and labor hours finely tuning monitors and alarm systems.  These measures fail when the attacks evolve around our best defenses.  Organizations who adopt an assumption of compromise can protect themselves by regularly hunting for threats, using discovery methods to find previously unknown tactics specific to their environments.  It is within this mindset that we can explore the potential problems we have not modeled.

We should demystify the notion that threat hunting is the preserve of super-elite organizations or individuals.  Anyone can hunt, it only requires following the methods and principles for it.

While companies pledging to “do more” is encouraging, perhaps we can adjust what we are doing to protect data, instead of throwing more money and resources at the same systems in the same paradigm, to serve the same playbook that continues to fail.  To keep making the same investments would be the very definition of insanity.