Throwing money at the problem without having the maturity to use the products and solutions is a recipe for disaster
When I worked for Microsoft's security team, I had a consulting trip to a very wealthy Middle Eastern country. We were helping one of their most critical government organizations with cybersecurity, and during the security audit I asked their chief of security, "Do you have Solution X?" He replied: "We have it, and we also have five of its most expensive alternatives in our network." Just to be clear: this was the same as having five different antivirus solutions running on the same computer, when you only need one.
They answered similarly to my further questions and finally we reached the point to discuss their staff.
"Who is handling the security systems and solutions you have purchased?" I asked.
"Me," was the answer.
You see, an organization of their size and with their infrastructure should have had a dedicated, well-trained team of security experts. Instead, they opted to buy their security in bulk, hoping that the more they bought, the more secure they would become. It is physically impossible for one person to oversee all of the dashboards and security systems they had, let alone analyze the data and respond to it.
Our audit showed the reality there was dire. We had a laugh with the client – they took it positively. They had so many security solutions in place that their computers seemed to operate at only half their performance capacity. If they had not been hacked yet, it was only because the hackers could not work with such bad performance!
And performance was not the biggest issue. Their underlying architecture, the configuration of their Active Directory, their mail server, servers and desktops were left in their default state or worse! In a way, they had slapped a "secure" sticker on an insecure system and called it secure. That is what buying security without having the people or the maturity looks like.
Throwing money at the cybersecurity problem is as effective as throwing slimming pills at someone who loves food more than health. It simply does not lead to more security. Instead, it leads to less performance, less money and just the same likelihood of getting a security breach, be it by insiders or by external attackers.
It also compounds the problem of a lack of security culture in the organization. People grow lazy, looking for vendors and products when they should be looking at the culture, architecture and threat modeling balanced with business objectives and risks.
Throwing money at it does not build Security Culture
Security Culture is an objective to be pursued in everything. Every new IT hire or solution brought into the company should absorb and follow the security culture of the organization and the CISO (Chief Information Security Officer) should constantly work on improving that culture, with KPIs on efficiency, speed and usability. If you do not have a CISO in place to drive these efforts, you could use a CISO as a Service solution, which is actually more effective.
In sports, if you buy all the most expensive players from all over the world, the team may still lose match after match, if all the parts do not become a whole, a team, under great management and a common goal.
In technology, buying expensive parts does not give you a working system. And in security, you may have the best technology and systems in the world and still get hacked as easily as a hot knife cuts through butter, because having expensive bricks does not mean you have an efficient fortress; that requires a vision, good architects and construction workers.
How it should be done
Before I joined Microsoft's security team in the Middle East, I worked for one of the UAE telecoms, in the digital forensics and incident response department.
That company is the positive opposite of what I shared above.
It had around 4,000 employees and 75 of them were tasked with cybersecurity. The digital forensics and incident response (DFIR) team was seven people strong, and the Security Operations Center (SOC) team had around 20 people working in 24/7 shifts. The function of a SOC team is visibility. They need to look at everything happening in the company's network, on each and every computer, server and network device. If they detect something suspicious and classify it as an incident, it is sent to the DFIR team for investigation and closure, which then feeds the IT team with improvement suggestions to prevent such an incident from happening again.
It was a great example of how people and processes are at the core of a well-functioning Information Security Program – not technology, vendors, or products.
Seventy-five people out of 4,000 is 2%. I would say that for organizations larger than 1,000 people, 2% is the absolute minimum of human resources to have on staff in the cybersecurity department to get closer to a secure state. Yet in most organizations that 2% is IT staff, and security is handed to IT as one of its functions, under IT's management.
Never place Security under IT or under the CTO
By making your CISO (Chief Information Security Officer) report to your CTO, you lose the healthy conflict of interest between them and in effect neuter your security department. How is the CISO going to control and audit the IT department if he or she is under its management? And even if the audit shows discrepancies, they are just going to be swept under the rug, or the funding to fix them will be postponed by IT indefinitely in favor of other 'more critical expenses' in the eyes of the CTO.
The CISO role should be reporting directly to the C-level executives, just as the military reports directly to the head of state in most countries. The military cannot and should not report to the people responsible for infrastructure!
When you place Security under IT you do the same as placing the law enforcement and military of a country under the command of the Ministry of Infrastructure and Construction.
As explained above, IT is the construction and infrastructure task force in a business. They are not qualified to act as threat hunters or security personnel, just as a construction worker is not qualified to be in a Special Operations or a SWAT team – it is a completely separate set of skills.
IT and Security naturally have a conflict of interest, which can be healthy under good management. Both sides should balance each other and ultimately strive to perfect the organization's systems and improve the organization's performance over time.
When you place Security under IT, you let IT determine the budget and human resources for Security. This never works, as you will never get that healthy friction and balance of powers. The only thing you will have is a compliance check – "we have an IT security function" – but hackers don't care whether you are compliant or not. In fact, the only thing hackers care about is how well your information security program is functioning. They do not even care which security products you have in your network or how many of them there are.
How do you move forward if you cannot see the obstacles in front of you?
The biggest challenge with defending a company's IT infrastructure is visibility. You absolutely need to be able to answer the following questions:
1. Were any unauthorized scripts or programs executed on any of our workstations and servers yesterday?
2. Was there any traffic to known malicious IP addresses in the past 24 hours?
3. If we saw malicious traffic or unauthorized execution of malicious code, how did that happen? Can we trace the infection from its initial vector of attack, to what allowed it to execute, to everything else the hackers did in our network?
4. Is there anyone unauthorized in our network today that we have not detected in the past six months?
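As an added example that is not part of the original article, here are the first two visibility questions reduced to a check over constructed process-execution and network log lines; the log format, the allowlist of approved binaries and the known-bad IP list are assumptions (the addresses come from documentation ranges, not real indicators), and the last function gives a starting point for question 3 by correlating the two answers per host.

```python
# Added example, not from the article: minimal answers to visibility
# questions 1 and 2 over constructed logs. Format, allowlist and IP list
# are illustrative assumptions, not any product's data.
from datetime import datetime, timedelta

# Constructed process-execution log: timestamp|host|user|image
PROCESS_LOG = """\
2024-05-01T08:02:11|WS-017|jdoe|C:\\Windows\\System32\\notepad.exe
2024-05-01T08:05:43|WS-017|jdoe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
2024-05-01T21:17:09|SRV-DB01|svc_backup|C:\\Users\\Public\\update.vbs
2024-04-20T10:00:00|WS-003|asmith|C:\\Temp\\x.exe
"""
# Constructed network log: timestamp|host|destination_ip
NET_LOG = """\
2024-05-01T08:06:00|WS-017|203.0.113.10
2024-05-01T21:18:30|SRV-DB01|198.51.100.7
2024-04-25T12:00:00|WS-003|198.51.100.7
"""
# Assumed allowlist and constructed known-bad list (documentation ranges only)
ALLOWED_IMAGES = {
    "C:\\Windows\\System32\\notepad.exe",
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
}
KNOWN_BAD_IPS = {"198.51.100.7"}

def _parse(log):
    for line in log.splitlines():
        ts, host, *rest = line.split("|")
        yield datetime.fromisoformat(ts), host, rest

def in_window(ts, now, hours):
    return now - timedelta(hours=hours) <= ts <= now

def unauthorized_executions(now, hours=24):
    """Q1: executions in the window whose image is not on the allowlist."""
    return [(h, rest[1]) for ts, h, rest in _parse(PROCESS_LOG)
            if in_window(ts, now, hours) and rest[1] not in ALLOWED_IMAGES]

def malicious_traffic(now, hours=24):
    """Q2: connections in the window to known-malicious destinations."""
    return [(h, rest[0]) for ts, h, rest in _parse(NET_LOG)
            if in_window(ts, now, hours) and rest[0] in KNOWN_BAD_IPS]

def correlate(now, hours=24):
    """Starting point for Q3: hosts showing both findings in the window."""
    hosts_exec = {h for h, _ in unauthorized_executions(now, hours)}
    hosts_net = {h for h, _ in malicious_traffic(now, hours)}
    return sorted(hosts_exec & hosts_net)
```

Widening the window (for example to 30 days) is what turns question 4 into a query rather than a guess; the same functions accept any number of hours.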
While many security vendors promise answers to these questions on paper (or on the presentation screen), the reality is that you can only answer them if you have a team who can review all activity in the network, analyze it and provide you with their analytical conclusion.
Just finding good analysts is a challenge for the largest, wealthiest corporations out there. Some of these analysts should work as Tier 1 in the SOC team, monitoring the largest set of alerts and sending the most interesting ones to Tier 2, who in turn send the ones they check and verify as suspicious to Tier 3. Tier 3 analysts are highly trained, with malware reverse engineering, memory forensics and network forensics skills; they collect the evidence and send it to the Digital Forensics and Incident Response team.
The Incident Response team is tasked with a full investigation of how the breach happened, why and how to prevent it in the future.
In a mature company with a mature information security team as described above, you should see security incidents every day. If you don't see and work on security incidents regularly, it only means your cybersecurity maturity has not reached the level of visibility it needs to reach.
People in your organization get exposed to malicious code and generate security incidents simply because every employee uses the Internet, opens emails and clicks on malicious links from time to time. Even security team members do that, by accidentally visiting hacked websites.
If you are not seeing security incidents in your organization, it is not because you are secure. It is because you have no visibility into what is going on in your network and you cannot answer the four questions above.
If you ask your IT team the same questions, they will reply, "No, there were no unauthorized script or malware executions on our machines," and that is the limit of what an IT team can do – their job is to build the infrastructure. They did not see anything in their antivirus dashboard. This obviously means everything is fine, right? Let us take antivirus as an example. There are around 60 antivirus vendors globally, and it takes a hacker 30 minutes or less to create a malware sample encoded well enough that none of them would detect it. Well-organized criminal groups and government-backed hackers can create malware that stays in your network for eight years or more before it gets detected, usually by chance.
Now think about all the time spent choosing an antivirus vendor in a bureaucratic process. Is it worth it when we consider the real threat? Just picking one of the top-ranked ones would do the trick; competition between them forces the top players to offer remarkably similar quality. Antivirus is not the security control you need. It is one of thousands and, by effectiveness, may be less important than the majority of them.
Building your own team of advanced, persistent defenders
One of the best ways to ensure your organization's maturity in cybersecurity is to build your own team.
My best advice would be to pick people who love reading cybersecurity books and then train them further. This is the best indicator I have ever found of a person's character and professionalism. If they are too lazy to read at least 10 books in their field, they cannot be developed further. But if they do, you have found a great candidate for your security team. Certificates, even popular ones, bring little to no practical value to you as a company. They help candidates find jobs, but that is about the limit of their usefulness, so don't filter candidates based on whether they have certificates. Another good filter when hiring is community participation. Have they written any articles anywhere, spoken at any conferences, created any tools, or contributed to their community in any way? If yes, then you have found a good candidate.
If you don't have threat hunters, a SOC team or a DFIR team in your organization, it makes sense to get outside help and at least assess your current security posture. You can maybe even get outside threat hunters to evaluate whether the company is or has been compromised. But please, if you seek outside help, don't do it over email. If you are hacked without your knowledge, your emails are being monitored, and the moment the hackers realize they are about to be discovered, they will wipe their tracks very well (and can cause a LOT of damage on their way out). The only secure method of communication with an external security company is over the phone or using secure messaging apps such as Threema, Signal or Telegram Secret Chats. While government surveillance can intercept these calls and messages, private individuals and criminal organizations still do not have the financial resources to spend between $200 million and $300 million on the capability to do that, and the organizations selling those capabilities are likely still not interested in selling to criminal organizations. This may change, as selling to a corrupt government is not hugely different from selling to a drug cartel from a moral perspective, but that is a topic for an entirely different article.
Alexander Sverdlov wrote two books on cybersecurity, graduated with a business degree from University of Essex, has worked at HP and Microsoft's security teams and now runs his own cybersecurity consulting firm – Atlant Security.