Why some organisations struggle with Cyber Security

Cyber Security is hard.

Organisations are faced with a threat landscape that challenges their security posture on a 24/7, 365 days a year basis. Despite the risks of these externalities, many organisations fail to acknowledge their internal security shortcomings, resulting in totally preventable security incidents and disruptions to day-to-day business operations.

Here are just a handful of reasons why they struggle with Cyber Security:

Overly focused on Resilience, not Recoverability.

Preventing major security incidents is undoubtedly one of the main responsibilities of an organisation’s security team, yet many organisations fail to prepare for worst case scenarios.

It’s no secret that Cyber Security is hard. Regardless of how sophisticated their Security Operations are, even the most prepared organisations fall victim to debilitating security incidents. However, what separates the proverbial men from the boys is the ability to swiftly remediate and learn from such incidents, all while keeping disruption to a minimum.

More often than not, complacency is at fault. No one checked whether the weekly backups had actually succeeded, no one bothered to audit security configurations, and so on and so forth…

Make it routine to diligently check the mundane. Hope for the best, prepare for the worst. Avoid recreating a scene from The Thick Of It.
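As an added illustration of "checking the mundane" (this is example code, not anything from the original post): a small routine check that answers the question the paragraph above raises, "did the weekly backup actually succeed?". It assumes a hypothetical backup layout in which each backup directory carries a `manifest.json` listing a creation timestamp and a SHA-256 per file, and a hypothetical policy of one backup per week with a six-hour grace period. The sample backup sets it builds are constructed in a temporary directory so the script runs offline.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path

# Assumed policy: a weekly job, so anything older than 7 days (+6h grace) is stale.
MAX_AGE_SECONDS = 7 * 24 * 3600 + 6 * 3600


def sha256_of(path):
    """Stream a file through SHA-256 so large backup archives don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backup(backup_dir, now=None, max_age=MAX_AGE_SECONDS):
    """Return a list of findings; an empty list means the backup looks healthy.

    Expected (hypothetical) layout: backup_dir/manifest.json of the form
    {"created": <epoch seconds>, "files": {"<name>": "<sha256 hex>", ...}}
    """
    now = time.time() if now is None else now
    backup_dir = Path(backup_dir)
    findings = []

    manifest_path = backup_dir / "manifest.json"
    if not manifest_path.is_file():
        # No manifest usually means the job never reached its final step.
        return ["manifest.json missing: backup job probably never completed"]

    manifest = json.loads(manifest_path.read_text())
    age = now - manifest["created"]
    if age > max_age:
        findings.append(f"backup is stale: {age / 3600:.1f} hours old")

    for name, expected in manifest["files"].items():
        p = backup_dir / name
        if not p.is_file():
            findings.append(f"{name}: listed in manifest but missing on disk")
        elif p.stat().st_size == 0:
            findings.append(f"{name}: zero-byte file")
        elif sha256_of(p) != expected:
            # A job that died mid-copy leaves a file whose hash no longer matches.
            findings.append(f"{name}: checksum mismatch (corrupt or truncated)")
    return findings


def build_sample_backup(root, created, truncate=False):
    """Construct a sample backup set (constructed data, for the demo only)."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    files = {
        "db.sql": b"CREATE TABLE users (id INTEGER, name TEXT);\n" * 100,
        "config.tar": b"config-bytes-" * 50,
    }
    manifest = {"created": created, "files": {}}
    for name, data in files.items():
        (root / name).write_bytes(data)
        manifest["files"][name] = sha256_of(root / name)
    if truncate:
        # Simulate a copy that was cut short after the manifest hash was recorded.
        (root / "db.sql").write_bytes(files["db.sql"][:100])
    (root / "manifest.json").write_text(json.dumps(manifest))
    return root


def demo():
    """Run the check against a healthy set, a stale/truncated set and a set that never ran."""
    now = 1_700_000_000  # fixed "now" so the results are deterministic
    tmp = Path(tempfile.mkdtemp())
    healthy = build_sample_backup(tmp / "healthy", created=now - 2 * 24 * 3600)
    broken = build_sample_backup(tmp / "broken", created=now - 9 * 24 * 3600, truncate=True)
    return {
        "healthy": verify_backup(healthy, now=now),
        "broken": verify_backup(broken, now=now),
        "missing": verify_backup(tmp / "never-ran", now=now),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```

The point of the design is that the check fails loudly on the three boring ways a backup quietly stops being a backup: the job never finished, it finished too long ago, or it produced a file that no longer matches what was recorded. Wiring a script like this into a scheduled job that pages someone on a non-empty findings list is the "routine" the paragraph above asks for.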

Lack of investment because “nothing ever happens”.

“I don’t recall us having any notable security incidents? Our security team must be doing fine, we can curtail their budget no problem 👍”.

My house hasn’t been on fire either, so I could probably remove that from my policy, right?

It’s difficult for stakeholders to assess the efficacy of a Security Operations team, whether quantitatively or qualitatively. Actioning a high number of true-positive alerts looks great from a quantitative perspective, yet from a qualitative perspective it suggests that the team is failing to remediate and prevent threats.

Whereas a Marketing team has clear, definable KPIs, Security Operations KPIs are often opaque and lack meaningful substance, resulting in stakeholders making critical decisions on inherently unreliable data and metrics.

While the issue still exists today, more and more stakeholders are cognizant of the need for proper Cyber Security investment. Let’s hope it stays that way.

Shipping before fixing or properly testing.

Many tech companies and vendors follow the mantra of “ship now, fix later”. It’s understandable. Competition is fierce, customers want features yesterday, and oftentimes that means security considerations take a back seat.

Many established vendors do have good security practices in place, such as in-house automated security tooling, developers who follow secure coding practices, and more. For some vendors on a tight schedule, though, such steps are often skipped, typically leading to products and features that are inherently less secure.

If you’re ever bored one evening, take a look at vendor CVEs that are trivial to exploit and just as easy to fix. Some vendors are worse than others, but it’s hard not to reach the conclusion that security often takes a back seat during their product delivery lifecycles.

Lack of Coverage Across the Environment.

To truly understand if a potential threat is indeed a threat, Security Analysts will often have to leverage numerous data points in order to determine any next steps.

Let’s take a typical scenario:

In a Security Operations Centre environment, Security Analysts receive pattern-match alerts for suspicious network traffic. Oftentimes the alert will contain sufficient context to indicate that the traffic is indeed malicious. However, given that malicious traffic can sometimes be indistinguishable from legitimate traffic, further analysis is often required.

In a well-run SOC, one of the next logical steps would be to simply query the endpoint’s EDR (Endpoint Detection & Response) client for further context. However, many organisations lack EDR agents on their endpoints.

Without the easy-to-use, time-saving capabilities of an EDR to investigate and isolate the endpoint, analysts would have to rely on less efficient methods of querying the endpoint. This could include remote PowerShell sessions, RDP, or even checking out the endpoint in person!

By that point it’s often too late to categorise the alert, resulting in the analyst abandoning the initial alert and marking it as inconclusive. It’s a bad habit that shouldn’t exist in any SOC, but it inevitably does happen, and in some circumstances can lead to more severe security incidents.

In the past when I’ve worked with Junior Security Analysts, I’ve always told them when investigating alerts: “Context, Context, Context”. Without sufficient coverage, you can’t get the context, and without the context you can’t make a conclusive determination.

The importance of Cyber Security is an afterthought for most employees.

Let’s be frank: many employees see organisational Cyber Security as an inhibiting force, existing only to tell them what they can or can’t do. Don’t click on this, don’t do that, seek our permission before setting up X.

Some security teams don’t do themselves any favours either. They fail to develop positive, symbiotic relationships with other business units, which in turn results in a lack of trust. While fancy Cyber Security tools can help deter security incidents, one of the greatest assets in an organisation’s Cyber Security arsenal is undoubtedly its employees (it’s cliché, but true!).

Security teams who develop healthy, positive relationships with their fellow employees undoubtedly reap the benefits of a more security-conscious, and thus safer, organisation.

Not fully understanding the environment.

A large network consisting of tens of thousands of endpoints and a seemingly endless number of applications is HARD to protect. It’s even harder to protect when your security team doesn’t fully understand how all the intricate moving parts of the network operate together.

What separates a great security team from a good security team is an understanding of the intricacies of their main services and applications. Security teams are generally more comfortable monitoring user endpoints and their associated network traffic, yet some of the biggest threats stem from business-critical services and applications (web applications, VPNs, etc.).

Befriend the team who develop and maintain your business-critical applications and services, truly learn about these systems, and figure out how your security team can better monitor them and identify suspicious activity and threats.

Having a non-existent security team.

“Have you met Dave? He’s our IT-everything guy!”

Sure, Dave may be a talented fellow, but realistically he won’t have the time to deal with threats both reactively and proactively. Chances are that if an organisation has a “Dave”, it’s also unlikely to have anything resembling a typical SOC fit-out (SIEM, EDR, SOAR, etc.).

Small established businesses should at least have an outsourced Security-as-a-Service provider. The next logical step would then be to hire a dedicated Security Analyst/Engineer, one who over time can help develop these capabilities in house.

· opinion, business, secops, cyber-security