Yes, But Does It Actually Work?

Yes, But Does It Actually Work?

Blog

Yes, But Does It Actually Work?

Comparing and Choosing Cybersecurity Tools

RSA Conference Survey

A survey conducted at this year’s RSA conference summed up a looming problem in the cybersecurity realm. Forbes reported that:

  • 53% of the responding businesses feel they have wasted more than 50% of their cybersecurity budget and still cannot remediate threats
  • 43% of survey respondents say their number one challenge in threat detection and remediation is an overabundance of tools
  • 10% of organizations lack effective tools for remediating cybersecurity threats

Conglomeration of Tools

As we enter a time of economic slowdown and rising threats, now is not the ideal time to reduce cybersecurity budgets. Rather, you need to ensure that every dollar you spend leads to real measurable results. The typical midsized company has 50 to 60 security tools, and enterprises can have up to 130, according to Anomali. The best way to evaluate your unique conglomeration of tools, people, and practices is to look at how effectively it stops attacks. Ideally, this testing would also serve as a training opportunity for your security team. That’s where PacketWatch’s Active Security team comes in.

An Example

I recently spoke with a CEO who completed a merger with a competitor. He assumed the other company had spent as much on their cybersecurity tools as he had. The challenge he faced was how to sort out the tools they would use going forward in the new organization. He just wants it to work.

Opinions abounded from team members about which tools to keep and which to retire. Tempers flared when each team member’s ‘sacred cow’ was placed on the chopping block. I suggested he consider a slightly different approach. I advocated that he set forth a simple goal to the team — keep the set of tools that performs the best in stopping or detecting likely attackers from getting to the crown jewels. Hard to object to that.

Simple Goal

“Keep the set of tools that performs the best in stopping or detecting likely attackers from getting to the crown jewels.”

To make this happen, I suggested he bring in an outside “Red Team” (PacketWatch in this case) to work side-by-side with his internal defenders – creating a custom “Purple Team” exercise. With PacketWatch’s Red Team members emulating the Tactics, Techniques, and Procedures (TTPs) of identified threat actors, the participants could objectively say which tools could best detect, deter, or defeat the threat actor.

The ineffective tools could be retired and/or processes modified. Another benefit of Purple Teaming is the experience the internal team members would gain from seeing an attacker’s behavior and learning how to react quickly using the tools. That turned out to be a winner for the CEO, and it can be for you too.

Next Steps

Your cybersecurity budget will likely face scrutiny from your CFO this year. Why not arm yourself with a proven methodology for optimizing your security tools and retiring any ineffective ones? The result will be a more efficient use of your security budget and some real-world experience defending your network from adversaries for your team. If you’d like to Learn More about a PacketWatch Purple Team engagement, call us at 800-864-4667. Our team of Active Security experts will scope a custom exercise for your organization.

Tags:

Under Pressure. How will your cybersecurity team do?

Under Pressure. How will your cybersecurity team do?

Blog

Under Pressure. How will your cybersecurity team do?

(Queue the song “Under Pressure” by the British rock band Queen and singer David Bowie [i])

“Under pressure, you don’t rise to the occasion, you sink to the level of your training”

~ Anonymous Navy SEAL

Under Pressure

Nothing could be truer than the quote above, often attributed to an anonymous Navy SEAL. When things get real, your training kicks in. Training is not just filling your head with stuff, but actually performing it. Try. Fail. Learn. Get it right. Perfect it. And doing it again and again. The better the training, the better the students learn. This truism is the bedrock of high-performing, effective teams everywhere.

Small Teams

Somehow the business world hasn’t taken this to heart yet. As cybersecurity threats have escalated, the business world’s search for an effective solution has evolved. After a period of denial, the great hope was that some AI-powered “black box” would solve all cybersecurity concerns without having to do anything. That didn’t work. Next, let’s outsource to a cyber insurance firm. The only problem is that it’s pricey, and you don’t control the process. The insurance company does, and they aren’t always on the same team as you. So, we’re left with one solution—an in-house or hybrid human-based solution, probably a small group of folks charged with the impossible. Stop any and every attack, 24x7x365 from any source—script kiddie or advanced persistent threat (APT). It’s got to be 100%, every time. There might be some pressure building there.  

The Challenge

Here’s where the challenge comes in. You see, the people on your incident response team, as defined in your IR policy and procedures (if you have one), most likely have never been hands-on with a complex incident (If they had, you probably couldn’t afford to keep them). They may have studied cases, taken classes, read tons of materials, and have an alphabet soup of certifications. But they probably have never executed your Incident Response Plan. They’ve never seen what the adversary’s tactics, techniques, and procedures (TTPs) look like in your technology stack. Do you have sufficient visibility? Is your logging up to snuff? So, how will your team perform in a high-pressure situation? How about with no sleep for 48 hours? Where are the gaps? You need to know. Your company is on the line.

Train Like the Champs

How do you overcome this? You train. And then train some more. This type of training is called Adversary Emulation or Purple Teaming. Regardless, the concept is to step through a targeted attack using real TTPs but without all the dangers of a real attack. Team members are divided into two groups, a Red (Offensive) Team, and a Blue (Defender) Team. PacketWatch team members are on both teams and provide the technical resources to emulate the attack. At each step, Red Team and Blue Team members get together to:

  1. Review the actions that occurred
  2. Analyze the result of those actions
  3. Determine the effectiveness of the current controls
  4. Identify the gaps
  5. Recommend changes
  6. Discuss other lessons learned

Custom Active Security Engagement

The PacketWatch team can fashion engagements tailored to your firm’s specific needs. Whether you need to test tools and visibility, your incident response capabilities, the effectiveness of specific controls around groups of assets, your defenses against a particular targeted threat, or a combination thereof, PacketWatch’s Active Security Team will build an effective engagement for you.

With an Active Security Engagement, you can:

  • Validate your security controls and incident response processes against the tactics of real threat actors representing the most significant risk to your industry vertical.
  • See and experience how real attacker tactics and exploits appear in your security tools. Identify gaps and assess the capabilities and maturity of your team in realistic scenarios.
  • Improve your organization’s readiness for detecting and responding to the next attack. This hands-on exercise is a better experience than just reading a white paper.

Why PacketWatch?

The better the instructor, the better the team learns. PacketWatch is a team of elite experts from a wide range of backgrounds, including the military, government, law enforcement, commercial enterprise, and the intelligence community. We respond to hundreds of complex breaches each year. Knowing and countering adversary tradecraft bolsters our effectiveness in quickly identifying and eliminating threats. We bring that real-world experience to bear for you and your team. That makes us the best for delivering this type of engagement for you. Planning, rehearsing, and testing with a high-performing team is key to ensuring your team’s success.

Ultimately, it’s all about the quality of your team’s training. That determines the outcome. Enable their success with a PacketWatch Active Security engagement.

Give us a call or Contact Us to give your team hands-on experience defending complex attack scenarios.

[i] “Under Pressure” by the British rock band Queen and singer David Bowie was originally released as a single in October 1981.

Tags: