As your enterprise seeks out a SIEM or security analytics solution, you should have some idea of what you’re looking to secure. As we’ve said before, trying to secure your enterprise’s entire network all at once is a fool’s errand, more likely to cause problems in the long term.
However, what if the real vulnerability in your enterprise’s cybersecurity is your mentality? What if the defender mindset is poisoning your efforts at SIEM deployment, maintenance, or selection? And if this is true, how can you fix it?
To learn more about the dangers of the defender mindset, we spoke to David “Moose” Wolpoff, CTO and Co-Founder of Randori.
Here is our conversation, edited slightly for readability:
Solutions Review: So you mentioned prior that you feel the cybersecurity industry is “stuck.” Can you elaborate on what that means?
David “Moose” Wolpoff: I think anyone looking at the data or talking with those on the front lines will tell you that the way the industry practices security today isn’t working. As an industry, cybersecurity is chasing a moving target and despite throwing billions at the problem, it’s falling further behind each year.
Security today is reactive and grounded in a false set of beliefs, including that it’s possible to stop every attack and fix every gap. That’s a defender mindset and no amount of money will make it successful.
The sad fact is, most security solutions are designed to pass industry tests and simulations, rather than protect against real, motivated, and resourced adversaries.
Rather than looking to stop yesterday’s attack, enterprises should be focusing on what’s out there right now – to understand the way hackers think, how they make decisions, and the techniques and procedures actually being used. Companies who approach security from an attacker’s perspective have a better understanding of their actual risks and can identify where they are most vulnerable.
SR: Does this stagnation indicate a failure to understand hackers? Is it desperation? Is it something else?
DMW: I think it shows more than anything that the industry is chasing the wrong goal, having aligned the wrong incentives, and as a result, receiving diminishing returns on investments despite increased spending. Attacks have not gotten substantially more complex nor have the techniques being used, such as phishing, malware, and basic exploits.
While some of it is due to a lack of understanding, the bigger issue is one of incentives. Organizations continue to reward and encourage the defender mindset, and have not made the institutional commitments needed to drive change and improve security. It’s still easier for teams to get a budget to bolt on another tool than it is to invest in training or muster the political will to change long-held IT processes and procedures to truly move the needle.
SR: How can enterprises and organizations think like hackers? What are hackers thinking?
DMW: When we talk about organizations adopting a “hacker mindset”, we are talking about reframing the way organizations approach security.
What I have seen repeatedly over the years is most organizations are stuck in a defender mindset – meaning they view the world in terms of bigger walls and deeper trenches – rather than opportunities and objectives. Far too often, the question I’d be asked after an engagement was, “Okay, cool. What tool do I need to add and how do I reconfigure our SIEM to get the right alerts?” However, the problem was far more fundamental than what they were asking – and usually stemmed from poor IT hygiene, policy failures, or human error.
The best defense starts by first understanding an attacker’s goals and objectives and then working back based on that knowledge. Not all weaknesses and assets are created equal. Start by looking at your organization from an attacker’s perspective to determine where you are most vulnerable. Then use that information to determine next steps and prioritize efforts and spending.
SR: How should enterprises set up their incident responses to better respond to attacks and attackers? And do you have any suggestions on how to best practice those plans?
DMW: The most important thing an enterprise can do is routinely test their Incident Response (IR) team and processes in place in the event of a security incident.
When it comes to IR plans, I’m a big fan of Mike Tyson’s quote: “Everyone has a plan until they get punched in the face.” While having an IR plan in place is an important step, practicing how teams respond under pressure is the only way to know if your organization is prepared and able to respond.
When I’ve seen organizations fail, it was not because they lacked a formal IR plan—it was because they never practiced it. So, when something did go wrong they were unable to account for things like knowledge gaps, poor communication, or insufficient training. These things rarely jump out on paper, but become instantly apparent in practice.
Thank you to David “Moose” Wolpoff, CTO and Co-Founder of Randori, for his time and expertise on the defender mindset!