Why the entire security industry is lying and what can we do about it?

Long story short: it is not good for business :-(

Let's say I'm a startup company trying to raise 20M USD from a VC. What do you think they will say when I tell them that my product is going to detect only 40% of the hacker attack attempts? And the same goes for big vendors trying to convince their customers about their 2 million dollar "unique" product which can solve almost any security threat: what would the level of satisfaction be if the truth were told?

The most notorious lie is companies estimating their detection rate when there is unknown information about unknown security attacks: "our security product can detect 98.3% of the attacks today". If there is an unknown factor in that equation, how can anyone measure it?

The mindset must change to "Assume Breached": the CISO, or anyone responsible for security in the organization, needs to think about what the maximal impact would be of a keylogger or mimikatz being present on any element in their network. Any red team, penetration-test company and, of course, malware will eventually try to grab your credentials so that it can gain more access without any detection, so you must imagine that someone has your "Domain Admin" and consider what they can do from that point. If your network can be totally compromised and ruined only because someone has your credentials, it is game over and no one can help you.

The context of a cyber-attack is mainly about impact: the way someone hacks or steals your information is probably the same method as in the last 10 years, but in terms of information the world has massively changed. Now the data is everywhere and everyone is connected, so the impact of a security breach is much worse.

The security industry is all about a "best-effort" approach, so we should act accordingly: for example, if we know, think or believe that there is a 1% chance of being a victim of ransomware, we must back up all our data no matter what promises our security vendor makes.

IMHO, your next steps as a security professional:

  1. Stop trusting people and companies about detection and prevention
  2. Internal network segmentation and isolation: a multi-tenant approach
  3. Proactive and new creative defense approaches
  4. Adopt security automation options
  5. Have an incident response and recovery plan ready to use
  6. Hire better technical people :-)

very interesting

Moty Jacob

CEO at SURF Security | Former CISO, Chromium Geek | Let's connect to talk about Zero Trust Browser

9 years

AWESOME POST!

Dani Koretsky

Director, Engineering & Product

9 years

Does stop trusting include to stop trusting you? Who do we choose to not trust? The truth is that it isn't easy to choose who to trust because whoever knows more than you can manipulate and show you only part of what they know. It's not lying - it's the side of truth that helps them sell their product. It depends on the person, and you have to learn not to panic from information and follow your gut. Like in any new era - learn the ropes, get used to the street experience.

Clayton Ramsey, CISSP

Manager of Information Security @ ClearBalance HealthCare | HCISPP, ITIL Foundations

9 years

Good post! I have a few follow-up questions. 3) and 4) are rather generic. Please elaborate in greater detail on the approaches and options that you recommend. Also, I would like to get your input on how you see the IR&R plan evolving over the past 2-3 years. Thanks in advance!!

Brian Teusink, CISSP

Cybersecurity Consultant Manager

9 years

I like your list and don't disagree. "Impact" is actually very challenging for companies to figure out, since most do not fully understand their infrastructure and data environment and therefore do not fully know what their threat landscape looks like. It's hard to defend against when you don't even know where your basic weaknesses are located.
