The quick and the dead is an English phrase from William Tyndale’s translation of the New Testament. The word quick, in English, comes from the old Anglo Saxon for alive, and nothing could be more apt. To be quick is to be alive, and nowhere is this more true than in security where we literally are in a race, albeit an asymmetric one, against an intelligent, adaptive opponent. For this reason, security is about ultimately about rates
The adversary is innovative, motivated, funded and enjoys the advantages of asymmetry: they only have to be right once to succeed, while the defender has to play a perfect game. Given the focus and investment, the rate of improvement in the proficiency of attackers is increasing faster than, by-and-large, that of the defenders. The first step to being futureproofed is to be present-proofed; and the essence of that is to be quick and adaptive and to seek to maximise the incremental improvements and the pace of advancement. In a word, security needs to be more agile with people, with processes, and with technology.
Using the word agile, however is a loaded term in technology because it is at the heart of the DevOps revolution, writing better and more sustainable code and owning code in production as much as in the back office. For many, the agile R&D movement can feel a bit revolutionary or even cultish. It is, after all, a complete change in how engineering is done, shifting to user centrism, owning production code, and an emphasis on pragmatism in what we now call DevOps. The agile manifesto, though, has extremely valuable lessons and can lead to a similar revolution in SecOps if we apply the principles correctly: the user isn’t to blame, policies have to account for real human behaviour, a focus on processes, owning results, a dedication to incremental improvement, working policies, collaborating on with the business, responding to change. In this world, perfection is the enemy of the good to paraphrase Voltaire, and incremental improvement is the heart of accelerating how effective security operations are.
As an example, Indicators of Compromise (IOC) are no longer the star in the fight to detect and prevent advanced attacks as we have had opportunity to learn time and again and most recently in Operation SoftCell. In SoftCell, every instance of malware, from China Chopper to the now venerable Poison Ivy, had a unique signature. Every single time it was used and placed in the victims’ environments, it had a unique signature. This meant that finding it in one place did nothing for finding it again, and checking public sources with the file hash became a feedback loop that actually helped the bad guys know what machine was potentially the battleground and a lost asset. In other words, IOCs can be a liability and made to work against us.
The adversary is always on the attack and has effectively found ways around IOCs. The only time an IOC bell rings is either when the attacker makes a mistake or when they intentionally drive a diversion to increase noise-to-signal ratio. There will always be a role for IOCs in reducing noise, stopping the low-hanging fruit of the threat world, tuning out noise and adding color to security operations; but security is a chaotic system with an intelligent opponent. Anything we do that is static and predictable can become a liability. This might seem the antithesis of most process management, but it’s not. It’s just the new reality for operations and one that we can adapt to if we focus on being adaptive as a core principle.
The heart of futureproof security operations is a lean-in, detection mindset; an agile methodology; and a dedication to incremental improvement. This inevitably leads to new behavioral telemetry sources like EDR and its succesor XDR, to decrementing “just capture it all” from the SIEM years and to an emphasis on reliable and hard-to-predict-by-attackers automation. This is the path to a world where the attackers only have to get it right once to a world where they have to be right all the time and still expect to fail.
By Sam Curry, chief security officer, Cybereason