featured image quest

Cybersecurity Strategy: The Quest for Visibility & Hunting

There is so much emphasis in the cybersecurity market space on after-the-fact visibility into what bad things just happened. So much energy, time, money, strategy, and dialogue about it. The trouble is, it comes at a cost. For every moment we spend reacting, tracking down root cause analysis, examining forensics, peering at visibility, offsetting risks, running playbooks, and all the rest, we lose a moment to get ahead.

Some argue that prevention has failed us, and hence, we should retreat into reactive after-the-fact strategy and tooling. How many times must the bells of resilience and acceptable risk ring in our ears? Those concepts serve the business, and they are needed for us to message internally to other C-suite, directors, investors and customers alike. But these are not the concepts that should form the premise of our cybersecurity strategy as CISOs and SECOPs.

Cybersecurity Strategy: The Quest for Visibility & Hunting

Do we not realize the starkest of outcomes?  Even were we are able to have perfect visibility, perfect forensics, perfect root cause, perfect cyber insurance, and perfect human expertise and perfect cloud-based intelligence and visibility, we still would not have solved the one thing that will always overwhelm and outpace those controls?

Visibility After The Fact Means We Lost

Here we all are…on our heels, drowning in alert data, analysis paralysis, and burnout of even the greatest minds we have in our industry.

Here we are as an industry that continues to pour money and investments, time and strategy, into a massive security stack that strains SECOPs to the brink. We are digging ourselves into a hole that we may not be able to dig ourselves back out of if we don’t rapidly shift strategic focus.

Here we are thinking that hunting for threats already running in the environment is somehow proactive, empowering or worse, sexy.

If you are hunting around in an after-the-fact universe of events, you are not the Hunter…You are by definition, the Prey.
Here we are still chatting about breaches… because those are easy to tally the per-unit impact for, and subsequently offset via insurance. A 2013 story that we are still wrapping our heads around… as if tomorrow’s breaches will be the same low and slow TTP’s we fancy we might hunt for and get ahead of…by days? Weeks? Hours even?

Why would tomorrow’s breach need take any longer than today’s destructive worms?

Why would the same threat actors not employ both data theft and destruction into the same campaign? Oh wait, they already have been for the better part of 2019…

The Cloud Is No Place for Threat Hunting

Here we are, caught up in the Herculean move to the cloud. Yet, are we stopping to assess some of the most fundamentally basic weaknesses it will always have? For all of its virtues, the cloud will always be latent when it comes to addressing run-time threats on traditional IT endpoints. Even all the workloads we are moving to the cloud still have run-time security challenges that can outpace a cloud-to-cloud connection.

The cloud will always be a tethered affair. The cloud will always be on someone else’s steel, upon which there are up to a hundred sub operating systems, half of them Linux, and a large percentage of which have full access to the bus the OS is forced to entrust. The cloud will never be where your users are… the humans you are striving to protect. The cloud is homogeneously strong, and yet homogeneously weak. (See the latest OnApp discovery made by SkyLight!)  Most importantly, the cloud is a temptation… a temptation to build out intelligence platforms. And while it will always exceed in this capacity, it can never guarantee that the intelligence needed to make decisions and take actions faster than an adversary will be computed and delivered in time to actually make a difference in stopping today’s automated threats.

The key challenge for all security going forward can be reduced to this: can you make a high-enough confidence decision, or allow a high-enough confidence automated action, fast enough to matter, and without reliance upon a tether to the cloud?

By the year 2021, over 95% of all new vehicles will have autonomous automatic braking. Ask why this is so. Of course, the answer is because machines react faster than humans, never lose attention, never get tired. Now consider whether you would buy a car where this life-saving technology was being farmed out to a cloud server rather than being done locally on the machine. The point is we use the cloud where it makes sense to do so, and not where it doesn’t.

Why would anyone think it makes sense to try and beat malware anywhere else but on the machine right where the malware is located? The cloud has an underbelly exposed to many swords, chief among them is the time-penalty itself.

We Win On the Device

As this industry heads into 2021, let’s make sure we are lucid in this one critical regard.

We know that attacks have entropy… that they devolve into a fog of war, that they expand, that they cause exponential impact to an organization as every minute, every moment, goes by. 

And yet here we still are, heading into the year 2020, and we still haven’t solved the single most important challenge of our era; the process-level microsecond runtime universe the adversary has always had the upper hand in. They’ve been ahead of us there, and they’ve enjoyed it for far too long. The moment an unauthorized process completes tasks in memory… that very moment, is when we lose security control and are on our heels. Never mind zero days, call this moment zero, after which the pain begins.

What exasperates this even further is that this type of fast-moving threat is now found in both nation-state APT campaigns as well as commodity criminal/underground campaigns, making the sheer volume and diversity of the ‘speed” problem more profound than ever.

An Emotet-weaponized Word document is clicked, and in under three minutes, over 230 file events happen, 12 network connections to 9 malicious hosts are made, 46 new malicious processes spin up and 12 files are manipulated. And that is just on the patient zero host… before the same thing begins to play out host after host in the network, and before any secondary payloads or actions by a human attacker are commenced. This is a code on code battle being fought in the time domain of seconds and microseconds. And yet we see breach reports like 2019 IBM Cost of a Data Breach Report exclaim that the average time to identify a breach is 279 DAYS… a far cry from the 171 seconds (22s for Emotet and 149s for its payload) it takes Emotet to cause a severe impact. The same report offers hope, reminding us that hey, you can save $1.2M on average, if you simply contain the breach in under 200 days. Great…it will only cost you $2.7M at that point! 

All of this is orthogonal to the core challenge at hand: We need to get ahead of threats whether we are talking about ransomware or worm incidents that cost us $75B/year, or we are talking about after-the-fact breaches that cost us another $16B/year, or both. 

Let’s Remember This

The age of the slow-moving breach story has come and gone. Now, we must shift our strategies towards the current and future threat landscape, and realize that every minute we spend tooling for the after-the-fact past, is a minute lost in getting ahead of the adversary in ways that actually move the needle. In our quest to become merely “resilient”, we’ve exhausted the traditional means of risk offset, hindsight due-diligence and after-the-fact busy-ness. We are all collectively at the ultimate precipice, and it is time to leap off, and do so out of sheer necessity…because we cannot look forward and prepare, if we are constantly steeped in the past.