The Vectra Masked CISO series gives security leaders a place to expose the biggest issues in security and advise peers on how to overcome them.
I’m always asked what keeps me awake at night. Being targeted by APT groups? New ransomware strains? But if you’re worrying about being attacked as a CISO, you’re probably in the wrong line of work… It’s not our job to prevent attacks from taking place, but to catch them, stop them from escalating, and ensure infrastructure recovers. We must keep a clear head, assume we’re always being targeted, and accept we may already be breached to protect our organisation effectively.
This holds true as attackers become more organised: constantly tweaking their attack vectors, studying widely used security playbooks, and testing their tooling against ageing security controls like IDPS (intrusion detection and prevention systems) before they ever reach a target. By relying on signatures to detect known threats and following the same old approaches, you are always going to be caught out by modern attackers, who already have the tools to bypass these dated defences.
But I still see 90% of CISOs today “playing it safe”, clinging to old playbooks and legacy tools like IDPS. Perhaps it ticks a box for them by filling a control gap, or maybe the board is tired of security asking for new products, or these tools are just seen as “tried and tested”. The inconvenient truth is that we can’t rest on our laurels in security, or we’ll be completely exposed to attacks like Sunburst and Colonial Pipeline. And the reality is that there is plenty of innovation happening, with alternative options out there from smaller players.
The old ways aren’t working, so CISOs must be brave, throwing their playbook aside and stripping out dead weight. It’s not about toys for the boys anymore. We need to be honest with ourselves and the board here, explaining these methods have served their purpose well for a time. The landscape has changed, and we need a new threat-led security model that puts the security posture of data first.
But to get the buy-in needed for threat-led security, you must separate the wheat from the chaff. This means replacing legacy tools with solutions that fit better with data-centric security models and give you better value for money overall. For example, a signature-based system that throws up thousands of contextless alerts, each one a string match with no sense of what is normal for that host, can be replaced with a solution using AI and machine learning to spot only the riskiest behaviours and flag them to the team.
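To make the contrast concrete, here is an added illustration (not code from the original post, Vectra, or any product): a naive signature matcher placed beside a simple per-host behavioural baseline, both run over a constructed set of log lines. The signature list, host names, process names and connection counts are all hypothetical. The signature matcher fires six times on a harmless quarantine folder that happens to contain a known-bad filename and never sees the renamed tool, while the baseline flags the one host whose process and outbound volume both depart from its own history.

```python
"""Signature matching versus behavioural baselining over constructed log lines."""
import math
from collections import defaultdict

# Constructed sample records (not from any real system):
# (day, host, process_name, outbound_connections_that_day)
LOG_LINES = [
    # Baseline week: two workstations behaving normally.
    *[(d, "ws-01", "outlook.exe", 20 + d) for d in range(1, 6)],
    *[(d, "ws-02", "chrome.exe", 30 + (d % 3)) for d in range(1, 6)],
    # An AV server logging its own quarantine folder every day: the filename
    # contains a known-bad string, so a signature matcher alerts on it daily.
    *[(d, "av-srv", "scan:C:\\quarantine\\mimikatz.exe", 0) for d in range(1, 6)],
    # Observation day: ws-02 runs a renamed credential dumper that beacons out heavily.
    (6, "ws-01", "outlook.exe", 24),
    (6, "ws-02", "svchost_update.exe", 400),
    (6, "av-srv", "scan:C:\\quarantine\\mimikatz.exe", 0),
]

# Hypothetical signature list: substrings a legacy tool would match on.
KNOWN_BAD = ("mimikatz.exe", "procdump.exe")


def signature_alerts(lines):
    """Fire once per record containing a known-bad string, with no context at all."""
    return [rec for rec in lines if any(sig in rec[2].lower() for sig in KNOWN_BAD)]


def behavioural_alerts(lines, baseline_days=range(1, 6), observe_day=6, sigma=3.0):
    """Flag a host only when BOTH a never-before-seen process appears AND its outbound
    volume is more than `sigma` standard deviations above its own baseline mean.
    Requiring two independent deviations keeps the alert count low and contextual."""
    daily_conns = defaultdict(lambda: defaultdict(int))  # host -> day -> connections
    seen_procs = defaultdict(set)                         # host -> processes in baseline
    for day, host, proc, conns in lines:
        if day in baseline_days:
            daily_conns[host][day] += conns
            seen_procs[host].add(proc)

    alerts = []
    for day, host, proc, conns in lines:
        if day != observe_day or not daily_conns[host]:
            continue  # no baseline for this host; nothing to compare against
        counts = list(daily_conns[host].values())
        mean = sum(counts) / len(counts)
        std = math.sqrt(sum((c - mean) ** 2 for c in counts) / len(counts))
        reasons = []
        if proc not in seen_procs[host]:
            reasons.append(f"new process {proc}")
        # Floor the spread at 1.0 so a perfectly flat baseline cannot make any change alert.
        if conns > mean + sigma * max(std, 1.0):
            reasons.append(f"outbound {conns} vs baseline {mean:.1f}+/-{std:.1f}")
        if len(reasons) == 2:
            alerts.append((host, proc, reasons))
    return alerts


if __name__ == "__main__":
    for rec in signature_alerts(LOG_LINES):
        print("SIGNATURE:", rec)
    for host, proc, why in behavioural_alerts(LOG_LINES):
        print("BEHAVIOUR:", host, proc, "; ".join(why))
```

The example is deliberately small: a production behavioural model would use far richer features than a daily connection count, but the shape of the argument is the same. The signature matcher produces a daily stream of identical, uninvestigable hits and zero signal on the attack, whereas the baseline produces one alert with the reasons attached.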
As high-profile breaches continue, it’s only a matter of time until the board realises your trusty playbook is not working. It’s time to change your approach, use the innovation already out there today and keep your organisation safe.
This blog originally appeared in The Register.