One of the disheartening things in security today is reckoning with the true factors of success. It’s not that most security practices are a dismal failure; in fact, it’s likely that the number of prevented threats is significant. On the other hand, a data breach is practically a foregone conclusion for any organization with valuable data. Even intelligence agencies and security vendors do not seem to be immune from a breach. Security seems essentially powerless to prevent breaches and attacks.
One lesson from golf can illustrate why most security practices fail to protect against motivated attackers and what organizations and security teams can do about it. Golf instructors coach players to look at the hole rather than the ball when preparing to swing. A study referenced in showed that, in fact, “golfers achieve better results when looking at the line of a breaking putt rather than the ball.”
False Positives and False Negatives
In a similar way, security organizations have been too focused on the current location of a security event—the ball—rather than the larger context of what is going on and what it means. For most companies, the ball represents an individual security tool. Each has its own purview and methodology. Each creates its own set of alerts, often false positives or warnings that are not meaningful. Sometimes there are false negatives—crucial events that are missed because of a lack of context and corroboration.
By being focused on a ball—or a number of balls—security organizations often miss the bigger picture. Finding an active attack quickly and with high fidelity means that security groups need to gather and correlate details to see the connectedness and progression of an attack. While this can be done manually by experienced professionals, it is difficult to synthesize so many data points in one’s mind and distill a meaningful anomaly or pattern. The larger and more complex the infrastructure, assets and users, the more difficult this task is for manually run threat intelligence. In addition, if there are multiple members of a security team, doing this requires prompt and complete communication between team members to convey all findings.
Extended Detection and Response (XDR)
Hype about machine learning and security tools abounds, and a good deal of that hype is unwarranted. Machine learning is, however, extremely well suited for this area, specifically because of its ability to integrate and correlate vast amounts of security data from disparate tools and sources, such as logs or sensors. Machine learning can then pinpoint meaningful abnormalities that deliver (with a high level of certainty) evidence of an active attack. This kind of technology was originally called extended detection and response (XDR). Somewhat later, practitioners realized that while XDR was the way to solve the problem and effectively “get the golf ball to the hole” under par, limitations due to business practices and technology prevented XDR from working as envisioned. Open XDR arose to solve that problem, ensuring that all data from all security tools and sources could be included for the most comprehensive and accurate results.
All golfers want to improve their game, and the same is true for security professionals. Golfers may find it difficult to shift their focus from the ball to the hole. Doing so seems counterintuitive. From an early age, we are coached to not take our eyes off the ball. For a golfer, it seems sensible to look at the ball and envision its trajectory to a landing near or in the hole. Experts and evidence say otherwise.
For security professionals, shifting focus from ‘the ball’ to a new way of integrating and analyzing data may also seem counterintuitive. The ball—each security tool—is still important in performing some specific functions to protect against vulnerabilities and shore up an attack surface. Keep these tools in place. Ultimately, the larger value is in bringing all of the data together and shifting from many systems with individual alerts to a combined intelligence that highlights incidents rather than many alerts. Shifting to this new mode of security enables success over attackers.
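The correlation step described above, turning many per-tool alerts into a single incident, can be illustrated in miniature. The following is an added example written for this page, not code from the article or from any XDR product: it takes constructed alert lines from three hypothetical tools (an identity provider, an EDR agent and a web proxy), groups them by host within a time window, and raises an incident only when the cluster spans at least two tools and at least two attack stages that progress in time order. The alert format, the stage names and the thresholds are all assumptions made for the example; isolated alerts that do not meet the bar stay as low-priority noise instead of becoming separate incidents.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample alerts: what three independent tools (identity provider, EDR,
# web proxy) might each emit on their own. Format and values are made up for this
# example; no single line here is more than a low-confidence warning.
RAW_ALERTS = [
    "2024-03-01T09:02:11Z idp   user=jdoe   host=WS-117 stage=initial_access msg=login from previously unseen country",
    "2024-03-01T09:05:40Z edr   user=jdoe   host=WS-117 stage=execution      msg=office application spawned scripting host",
    "2024-03-01T09:09:03Z proxy user=jdoe   host=WS-117 stage=c2             msg=periodic connections to newly registered domain",
    "2024-03-01T09:31:55Z proxy user=asmith host=WS-042 stage=c2             msg=periodic connections to newly registered domain",
    "2024-03-01T14:15:00Z edr   user=bkim   host=WS-200 stage=execution      msg=office application spawned scripting host",
]

# Coarse attack progression used to order alerts (assumed ordering, not from the article).
STAGE_ORDER = {"initial_access": 0, "execution": 1, "c2": 2, "exfiltration": 3}


@dataclass
class Alert:
    ts: datetime
    tool: str
    user: str
    host: str
    stage: str
    msg: str


@dataclass
class Incident:
    entity: str
    tools: list
    stages: list
    first_seen: datetime
    last_seen: datetime
    alerts: list = field(default_factory=list)


def parse_alert(line: str) -> Alert:
    """Parse one constructed alert line into an Alert."""
    ts_text, tool, rest = line.split(None, 2)
    fields_text, msg = rest.split(" msg=", 1)
    kv = dict(re.findall(r"(\w+)=(\S+)", fields_text))
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Alert(ts, tool, kv["user"], kv["host"], kv["stage"], msg.strip())


def _cluster_by_window(alerts, window):
    """Split a time-sorted list of alerts for one entity into groups whose
    total span does not exceed `window`."""
    clusters, current = [], []
    for a in alerts:
        if current and a.ts - current[0].ts > window:
            clusters.append(current)
            current = []
        current.append(a)
    if current:
        clusters.append(current)
    return clusters


def correlate(alerts, window=timedelta(minutes=60), min_tools=2, min_stages=2):
    """Turn per-tool alerts into incidents. For each host, a cluster of alerts
    within `window` becomes an incident only when it comes from at least
    `min_tools` distinct tools, covers at least `min_stages` distinct attack
    stages, and those stages appear in non-decreasing order over time.
    Alerts that do not meet the bar are left as noise rather than escalated."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, []).append(a)
    incidents = []
    for host, host_alerts in by_host.items():
        host_alerts.sort(key=lambda a: a.ts)
        for cluster in _cluster_by_window(host_alerts, window):
            tools = sorted({a.tool for a in cluster})
            stages = []
            for a in cluster:
                if a.stage not in stages:
                    stages.append(a.stage)
            ranks = [STAGE_ORDER.get(s, -1) for s in stages]
            progresses = all(x <= y for x, y in zip(ranks, ranks[1:]))
            if len(tools) >= min_tools and len(stages) >= min_stages and progresses:
                incidents.append(Incident(host, tools, stages, cluster[0].ts, cluster[-1].ts, cluster))
    return incidents


if __name__ == "__main__":
    for inc in correlate([parse_alert(l) for l in RAW_ALERTS]):
        print(f"INCIDENT on {inc.entity}: {' -> '.join(inc.stages)} "
              f"(tools: {', '.join(inc.tools)}; {len(inc.alerts)} alerts, "
              f"{inc.first_seen:%H:%M}-{inc.last_seen:%H:%M} UTC)")
```

Run on the five constructed alerts, this yields one incident for WS-117 built from all three tools, while the lone proxy alert on WS-042 and the lone EDR alert on WS-200 remain uncorrelated. Shrinking the window to five minutes still produces an incident for WS-117, now from the identity provider and EDR alerts alone, which shows how the window and thresholds trade recall against false positives.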
Making security professionals more efficient and more effective can ease some of the dire conditions of being overworked, over-alarmed and understaffed. By becoming successful and gaining ground against modern attacks, security professionals may actually be able to get out and play a round every once in a while.