Separating truth from F.U.D. Part 3

Brian Minick

In the first two posts (Separating truth from F.U.D. Part 1 and ) we discussed how cyber security problems are not technology issues, but people issues. We also looked at how, despite the fact that vendors are pushing technology, technology alone will never solve a people problem. We saw how technologies are sold by finding low-risk junk in IT environments and portraying it as something serious. We also saw how tools tend to generate a large number of false positives, wasting a large portion of a security team’s time. Now the question is – so what did work?

Again, we learned we were stopping people. Just like playing chess against a person, we had to learn who our opponent was. We had to find their strengths, their weaknesses and how to exploit both. We called this threat intelligence. Unless a vendor is giving you information like this about the people who attack your business or your business sector, it isn’t threat intelligence. It’s a feed of random data that will be marginally useful if at all.

With an understanding of who was attacking and how, we then worked on getting visibility into our environment so we could see when attacks took place. Knowing what to look for and then having the ability to look for it is the one-two punch we needed. With both of these in place, we were able to successfully defend our enterprise. Our motto was, “Win Every Attack” and we did. We actually had metrics showing how many attacks we sustained, how far the attacker got before we stopped them and a win/loss record just like a sports team.

These two things may sound simple, but there is a ton of thought and effort that goes into them. How do you even begin to get data around who is attacking and how? Once you get it, how do you track it, keep it organized and up to date? What systems do you use to get visibility? How do you maintain them, get intel fed into them, and then respond to what they tell you? I had a very, very large team to do this. Which brings me to my final learning.

Large enterprises have a fighting chance, because they may sustain enough attacks to keep a team occupied and they can resource themselves to do all these things. Medium and small companies will struggle. It takes specialized talent in threat intel, attack detection, adversary hunting, incident response, and tool support to make this work. All of this is hard to find and expensive.

Even if you can find the talent and obtain the budget, how often are you actually attacked? Yes, you need to Win Every Attack or the future of your business is at stake, but will your team end up being like the Maytag repairman…bored? If so, you’ll have retention problems. The people that do this stuff like to be in the fight. When they are not, they get twitchy.

These teams are like soldiers. They need to be ready to respond at a moment’s notice and they need to respond with discipline and precision. Having a team that detects and responds to attacks once or twice a year is like having a volunteer army go up against a professional army. It usually doesn’t end well for the volunteers. Yes, you can train and practice, but attacks change and advance on a regular basis. It is hard to keep up and do you really want to spend your resources trying?

Toward the end of my tenure as a CISO, we started to find that our approach was so effective that attackers stopped targeting us and started going after our business partners. After informing several of them that they needed to do something about cyber attacks and seeing these challenges play out, I realized the situation they were in. This is my third lesson learned. At the end of the day, this is why I left a job that I quite frankly loved to form Morphick.

When businesses can’t find the talent, can’t get the budget or simply are not attacked enough to keep a team sharp, they need someone that can. Morphick is able to bring all these elements to the table for our customers. We can also do it at scale, which means we can do it at a price point that is significantly below what most can do it for in house. We are one of the few vendors who have actually defended companies. We have a unique view of the problem and a proven method to solving it. We create unique partnerships with our customers to make them more secure. Contact us to learn more.