3 Reasons Cybersecurity is More Difficult Than Before (Part 1)

Let's rewind the clock a few years....

Security operations and analysis was relatively straightforward, incident response was a fire drill (but we knew how to put out the fire), systems were somewhat homogenous (Windows OS with a touch of mobile), and the people who cared about security were those with "Security" in their titles.

In this context, security analysis was also a fairly simple task - gather some logs, construct the models of potential problems, and take a seat while the alerts stream to the inbox. So, we could all follow this playbook because we had the required ingredients for the recipe. We all had some logs, some other marginally relevant data and maybe even a database like a SIEM. We hired a security analyst with objectives to identify and locate threats that looked a little strange and took steps to address them.

We call this, "Passive Security". And this theory predicts an easier life for security professionals.

However, according to a recent study by ESG, 72% of security professionals say their job has become more difficult than it was 2 years ago - why is that?

If the above theory were right, the evidence would show it. All theories make predictions, with real-world outcomes serving as evidence for or against the theory's validity. The Passive Security Theory does not predict difficulty. It predicts the exact opposite - ease, comfort, reduced risk, and better security.

Since the theory's predictions have not been validated by the evidence, I would like to propose 3 reasons cybersecurity is more difficult today than 2 years ago:

The threat landscape evolved greater complexity

Respondents to the ESG survey shared that the adversary's approach has morphed so significantly that today's Tactics, Techniques and Procedures (TTPs) are not congruent with traditional Indicators of Compromise (i.e. what is an indication of compromise/attack today, does not conform to the previous models). Addressing these evolving TTPs requires new skills and/or technologies to pinpoint the tactics when they occur.

But that's the problem...we cannot predict which new methods adversaries will use. We humans are excellent predictors of history, because we are explanation machines. We look back and narrate the past to fit what we know now - Karl Popper would be shaking his head. This retrospective bias leads to a failure of imagination for what the future may hold.

Take the climatic patterns of our planet - we can't determine what the weather will do next week. Why, then, do we think we can predict what adversaries will do tomorrow? Weather is a natural phenomenon, controlled by the physical laws of the universe. The threat landscape is endowed with this iniquitous free will, deployed by humans whenever it suits them - itself fundamentally unpredictable.

These rapidly changing motives and techniques to achieve goals explode outward to "n" possibilities. This complexity is difficult to comprehend and impossible to control.

The threat landscape evolved greater sophistication

Along with the changing complexity is the evolution toward a more enhanced adversary community. Just when the models are calibrated with the retrospective awareness of what has happened before, the game changes. Respondents told ESG they simply cannot evolve as quickly as the adversary does.

This is akin to antibiotic treatments. Once we have what's needed to combat the permutations of complex threats, they evolve to an improved order of sophistication.

Many security teams don’t have the requisite combination of skills to keep up with greater complexity and sophistication. But even if we believe we have these first two solved, there remains the final reason for increased difficulty for security professionals.

The volume of security alerts exploded

Security teams are drowning in alerts. Changing infrastructure dynamics and resource constraints lead to alert fatigue and ineffective investigation. To cope, security teams select a portion of the alerts to investigate - leaving the less common and less well-known alerts for last, time permitting.

This has a compounding effect. When the volume of alerts exceeds our capacity, we humans take the path of least resistance: we reduce our vision to the salient, the known, and the comprehensible. When this happens (as all members of our species are apt to do), we aggravate the first two reasons for difficulty.

While we discretely select alerts that conform to our biases - threats that clearly show compromise - the complex and sophisticated go unexamined, accelerating at an accelerating rate.

Jon Oltsik distilled these problems into a profound metaphor:

I've concluded that there is no one killer problem with organizations' cybersecurity analytics and operations. Rather, cybersecurity analytics and operations suffer from "death by a thousand cuts." CISOs often face organizational, process and technology problems that keep getting worse.

In Part 2, I will propose changes we can make to address these growing difficulties.


#firemon #threathunting #cybersecurity