Cybersecurity at a crossroads: Time to shift to an architectural approach?
Debanshee Sajjan
Tech Enthusiast & Business Operations Innovator | Head of Sales & Marketing at TheCodeWork | Passionate about Researching and Implementing Technology to Enhance Business Success
The need for greater scale, intelligence, and automation is driving massive change in security operations and the security information and event management (SIEM) market.
According to ESG research, 45% of cybersecurity professionals believe that security operations are more difficult today than they were two years ago, while another 11% claim that things are about the same.
When asked why they felt this way, security pros pointed to a growing attack surface, a continuously evolving threat landscape, the volume and complexity of security alerts, and the collection and analysis of increasing volumes of data.
It is my firm belief that every one of these issues will grow substantially more complex over the next two to three years:
- Between cloud-native applications, partner ecosystems, and new device types, attack surface growth and changes will be difficult to keep up with, leading to an explosion in vulnerable assets.
- Generative AI will help security teams with basic hygiene, leading adversaries to get more creative with exploits across growing attack paths.
- Security alert volume will skyrocket, making it difficult to piece together random events with seemingly no connections.
- Finally, data volumes will vastly increase as security teams are asked to closely monitor cyber-risk data, identity data, social media, physical and digital security signals, and incorporate all forms of digital risk protection (DRP) into their security operations oversight.
Big organizations must shift to an architectural security approach
Over the next few years, large organizations must transition from a product-centric to an architectural approach to security operations. No vendor will deliver the whole enchilada. Therefore, CISOs must focus their teams on architectural components, such as those listed below:
Cloud scale
Unless you are Amazon, Google, or Microsoft, you won’t have the compute, network, or storage capacity to address security operations requirements. This means that organizations with on-premises systems must plan for cloud migrations as soon as possible.
Note that I’m not talking about “lift and shift.” Rather, security operations systems must be built on top of modern cloud-native technologies like containers, serverless functions, infrastructure as code, and APIs, capable of scaling capacity exponentially over the next few years.
All things data
There’s lots to unpack here. First, the notion of moving all the data to one repository is completely outdated due to data volume and constant change. Future security operations must adhere to a federated data model.
Note that I do see large organizations standardizing with data lake technologies like Databricks and Snowflake, and I also see a role here for things like the Amazon security lake.
While this makes sense today, we’ll see new data management platforms in the future with compelling security use cases. Enterprise security operations architectures must have the flexibility to migrate or integrate data in the future.
Connectivity
This one is fairly simple — everything has to connect with everything else through APIs, transport protocols, and industry standards. In the case of APIs, they must be well documented and built for flexible use cases, not vendor-based black boxes.
I’d really like to see the industry come together with some standards here.
Core automation
Rather than bolting automation into tools after the fact, everything that can be automated should be automated.
This is especially true of basic actions like looking up IP addresses, associating assets with owners, enriching alerts with threat intelligence, and checking file samples against VirusTotal.
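To make the "automate the basics" point concrete, here is an added example (not from the author or any vendor product) of an alert-enrichment step that associates destination assets with owners, tags source IPs against a threat-intelligence list, checks file hashes against a reputation table, and assigns a triage priority. All inventory, intel and reputation data are constructed stand-ins held in local dictionaries; no VirusTotal or other external service is called.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, List, Dict

# Constructed sample data: a stand-in for a real asset inventory, threat-intel feed
# and file-reputation service. The IPs are documentation ranges (RFC 5737) and the
# hash is a placeholder, not a real sample.
ASSET_OWNERS = {"10.0.1.0/24": "finance-team", "10.0.2.0/24": "engineering-team"}
THREAT_INTEL_IPS = {"203.0.113.7": "known-scanner"}
FILE_REPUTATION = {"deadbeef" * 8: "malicious"}

@dataclass
class Alert:
    src_ip: str
    dst_ip: str
    file_sha256: Optional[str] = None
    enrichment: Dict[str, str] = field(default_factory=dict)

def owner_for(ip: str) -> str:
    """Map an internal address to the team that owns that subnet."""
    addr = ipaddress.ip_address(ip)
    for cidr, owner in ASSET_OWNERS.items():
        if addr in ipaddress.ip_network(cidr):
            return owner
    return "unknown"

def enrich(alert: Alert) -> Alert:
    """Apply the basic enrichments listed in the text, then derive a priority."""
    alert.enrichment["dst_owner"] = owner_for(alert.dst_ip)
    alert.enrichment["src_intel"] = THREAT_INTEL_IPS.get(alert.src_ip, "no-match")
    if alert.file_sha256:
        rep = FILE_REPUTATION.get(alert.file_sha256.lower(), "unknown")
        alert.enrichment["file_rep"] = rep
    # Simple additive scoring so an analyst never computes this by hand.
    score = 0
    if alert.enrichment["src_intel"] != "no-match":
        score += 50
    if alert.enrichment.get("file_rep") == "malicious":
        score += 40
    if alert.enrichment["dst_owner"] == "finance-team":
        score += 10
    alert.enrichment["priority"] = "high" if score >= 50 else "low"
    return alert

def enrich_all(alerts: List[Alert]) -> List[Alert]:
    return [enrich(a) for a in alerts]

SAMPLE_ALERTS = [  # constructed input
    Alert("203.0.113.7", "10.0.1.25", "deadbeef" * 8),
    Alert("198.51.100.3", "10.0.2.9"),
]
```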
Generative AI and Cybersecurity
What about generative AI? In my humble opinion, it’s a mixed blessing. It will help with analyst knowledge and efficiency, but its benefits will be obvious to adversaries who will engineer around it.
I also believe that gen AI will come into enterprise through the back door, on top of existing products. This will lead to balkanization.
Get ready to hear the term “collective defense” much more often. This may be where gen AI can be very helpful, by monitoring threats and responses across multiple organizations and then sharing best practices throughout their customer bases.