Is the cyber security industry itself contributing to bad security?
As a cyber security company, we interact with a wide variety of organizations, from small medical practices in the United States to large international airlines. It’s a unique opportunity to engage with cyber security and IT professionals across the world who all share a common goal: to safeguard their organizations’ infrastructure from cyber threats and ensure continuity of business operations. It’s one of the most rewarding and important aspects of our business: we have the chance to learn about the issues our partners, clients, and prospective clients are facing within the cyber security landscape.
A Flooded Cyber Security Industry
Across the spectrum, we find many cyber security and IT professionals who are misinformed, confused, and/or frustrated. While cyber security is a complex challenge with many domains, we believe most of this misinformation and frustration is created by the very industry that is trying to help: the cyber security product and service vendors. With a desire to combat cyber threats (and make money), vendors have flooded the cyber security landscape with questionable marketing, lofty promises, ineffective technology, and solutions that often feel like vendors are trying to “capitalize” on the cyber security market by fitting their square-peg product into the proverbial round hole.
Some examples we have encountered:
- Co-managed detection and response — what exactly does “co-managed” mean?
- Vendors labeling their service as Managed Detection and Response (MDR) when they actually provide limited detection capabilities and “respond” with suggested remediations
- Vendors positioning their solutions as adding considerable security protection when they actually offer very little real protection against today’s typical threats and modern hacker tactics and tradecraft
- Vendors promoting their solution using slick marketing or demos when much of the protection is available in a consumer’s existing security solutions
- Traditional Managed Security Service Providers (MSSPs) trying to rebrand as Managed Detection and Response when they merely offer log collection and analysis
- Vulnerability analysis solutions that claim to offer extensive security beyond detecting vulnerabilities
- The recommendation that a network-only solution is adequate, or that detecting and stopping a breach in near real-time is easily achievable with log analysis alone
- Endpoint protection that promises to protect against all known and unknown threats
- SIEM vendors being dishonest about how challenging a SIEM is to operate for real-time threat triage (it’s true that a SIEM may pick up an anomaly or detect something suspicious, but who has hours to piece together disparate SIEM logs or metadata to actually understand the alert?)
- SIEM-as-a-Service or SOC-as-a-Service offerings that do little more than automatically compare log data and/or network traffic against threat intel subscriptions, yet claim to be MDR
- The claim that an advanced endpoint detection and response (EDR) solution alone is sufficient to protect an organization
- The claim that machine learning and artificial intelligence are currently mature enough to “solve the problem”
- Expensive services that monitor the dark web; most organizations would be more secure by prioritizing resources on monitoring, detecting, and eliminating a possible breach at the earliest sign of compromise instead of on dark web notification services
Will This Cyber Solution Make My Organization More Secure?
When you consider that the cyber security market is set to grow from its current market value of more than $120 billion to over $300 billion by 2024, it’s easy to understand why so many “solutions” exist and why vendors get creative. Unfortunately, this makes it difficult for security and IT professionals to fully understand the differences between technical solutions and services. It becomes challenging to understand what a solution actually provides, how it works, and whether it actually makes the organization more secure in the long run. Furthermore, many security and IT professionals have limited time to fully evaluate solutions, and all too often we see organizations purchase cyber solutions based only on marketing or hype.
The purpose of this post is not to downplay the importance of useful, even critical, security solutions like endpoint protection, firewalls, security services, or even SIEMs. While we would like to encourage all our peer vendors to be more upfront and transparent about their solutions and respective limitations, we all know that’s not how the business world works. So instead, we want to offer some guidance to consumers:
- Commit the time, energy, and resources needed to carefully vet and understand cyber security solutions
- Do not be convinced by slick marketing or a canned demo; ask tough questions; almost all demos or marketing play to a solution’s strengths, not its weaknesses (in fact, we’ve seen some “impressive” demos that do not involve the actual solution at all)
- To successfully evaluate a security product or service, consumers must understand how hackers breach infrastructures, leverage malicious toolsets, move laterally within an organization, and carry out their attack. A complete, deep technical understanding is not required, but the consumer should be able to ask a vendor about the typical stages or tactics in popular or common attacks and how the solution would perform against them
- Work with vendors that are upfront and honest and have a commitment and passion to security; these vendors are trying to develop breakthrough solutions while also helping to educate and inform
Evaluating Your Cyber Solution Options
Since Blackpoint specializes in Managed Detection and Response, we wanted to suggest a few questions consumers can ask when evaluating MDR solutions:
- What technology does the service use or support to provide MDR? How does it integrate information from disparate systems and present to analysts for investigation and triage?
- Where does your understanding of today’s modern threats come from? How often do you evaluate new or emerging threats against your service? Do you have a threat team that understands and evaluates the constantly changing threat landscape?
- If you’re offering “response”, what is the response capability? Do you offer active response, or just recommendations and remediation steps?
- What threats are you capable of detecting? How do you detect these threats?
- How are you conducting your threat detection and analysis? Machine learning? Threat-intel comparison? Human investigation and analysis?
At Blackpoint, we built technology and services that we truly believe will improve an organization’s cyber security posture. During engagements with our existing and potential clients, we do our best to educate and inform consumers as much as we promote our products. We recognize that a better understanding of modern cyber threats and hacker tradecraft helps all of us better protect our businesses and make smarter cyber security solution decisions. After all, in the end we all share a common goal: to keep organizations safe and secure.