In response to the recent joint ransomware advisory published by the FBI, Health and Human Services, and the Cybersecurity & Infrastructure Security Agency, Ascent recommends that healthcare organizations immediately take the following steps to prepare for the coming ransomware attacks.
Working together, IT and cybersecurity teams should consider this their top priority, as we do not want to see another tragic situation like the one in Germany earlier this year, where a patient was turned away from a hospital affected by ransomware. The patient died hours later.
- Print hard copies of your organization’s incident response plan and disaster recovery plan, and distribute them to key staff with the understanding those documents should be taken home today
- Verify that you have up-to-date contact information for your organization’s cyber insurance provider and your general counsel
- Call your cyber insurance provider and ask for a list of preferred DFIR (Digital Forensics and Incident Response) providers, and provide that list to counsel
- Document who at your organization has the authority to engage an external DFIR provider, and whether that engagement is initiated via legal, insurance, or self-funding
- Consider curtailing IT and cybersecurity staff holidays for the next couple of weeks and confirm that your on-call rotation schedule is up to date
- Verify that your backup strategy follows the 3-2-1 rule: three copies of critical data retained on two different types of media with one of them stored offline
- Have your IT team confirm you have up-to-date gold images for servers and workstations, and that offline copies of these are stored on at least two types of media
- Confirm that your IT patching system is deploying critical and important patches to your systems based on system criticality and known exploits, including servers, endpoints, and infrastructure such as perimeter security devices
- Implement risk-based multifactor authentication for privileged users to mitigate the risks of credential stuffing attacks and lateral movement
- Use network filtering to block access to domains registered in the past week
- Confirm that your Security Information and Event Management (SIEM) system has adequate storage capacity and that your analysts have well-defined triage procedures for events
- Verify that your netflow data includes outbound internet traffic that could identify any sudden increases in data (indicating potential exfiltration of PHI)
- Use the indicators of compromise published by CISA to automate threat hunting in your network environment
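The netflow and indicator-of-compromise items above can be automated. The following is an added example (not Ascent's code) that runs two hunts over constructed netflow-style records: a per-host outbound-volume baseline check that flags a sudden jump in bytes leaving the network, and a destination match against an indicator list. The host names, IP addresses, domains, byte counts and indicator values are all constructed for illustration; the indicator set stands in for a published feed such as CISA's and is not taken from it.

```python
"""Outbound-volume spike detection plus IoC matching over constructed netflow records.
Added example, not from the original page; all values below are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily outbound byte totals per internal host for the previous 14 days.
BASELINE_DAYS = {
    "ws-radiology-07": [1.2e9, 1.1e9, 1.3e9, 1.0e9, 1.2e9, 1.4e9, 1.1e9,
                        1.3e9, 1.2e9, 1.1e9, 1.0e9, 1.3e9, 1.2e9, 1.1e9],
    "srv-ehr-db-02":   [4.0e9, 4.2e9, 3.9e9, 4.1e9, 4.0e9, 4.3e9, 4.1e9,
                        4.0e9, 3.8e9, 4.2e9, 4.1e9, 4.0e9, 4.2e9, 4.1e9],
}

# Constructed flows for today: (src_host, dst_ip, dst_domain, bytes_out).
TODAY_FLOWS = [
    ("ws-radiology-07", "203.0.113.77", "cdn-update.example", 9.6e9),  # unusually large transfer
    ("ws-radiology-07", "198.51.100.5", "mail.example",       0.4e9),
    ("srv-ehr-db-02",   "192.0.2.10",   "backup.example",     4.0e9),  # normal nightly backup volume
    ("srv-ehr-db-02",   "203.0.113.9",  "storage.example",    0.2e9),
]

# Constructed indicator list; a real hunt would load the published feed instead.
IOC_DOMAINS = {"cdn-update.example"}
IOC_IPS = {"203.0.113.9"}


def outbound_spikes(baseline, flows, z_threshold=3.0):
    """Return {host: z_score} for hosts whose outbound bytes today sit more than
    z_threshold standard deviations above their own 14-day mean."""
    totals = defaultdict(float)
    for host, _ip, _domain, nbytes in flows:
        totals[host] += nbytes
    spikes = {}
    for host, total in totals.items():
        history = baseline.get(host)
        if not history or len(history) < 2:
            continue  # no baseline yet: cannot judge, so skip rather than guess
        mu, sigma = mean(history), pstdev(history)
        if sigma == 0:
            z = float("inf") if total > mu else 0.0
        else:
            z = (total - mu) / sigma
        if z >= z_threshold:
            spikes[host] = round(z, 1)
    return spikes


def ioc_matches(flows, ioc_domains, ioc_ips):
    """Return (host, indicator) pairs where a flow's destination matches an indicator."""
    hits = []
    for host, ip, domain, _nbytes in flows:
        if domain in ioc_domains:
            hits.append((host, domain))
        if ip in ioc_ips:
            hits.append((host, ip))
    return hits


def triage(baseline, flows, ioc_domains, ioc_ips):
    """Combine both hunts into a priority per host: a volume spike that also
    touches an indicator is 'high', either signal alone is 'medium'."""
    spikes = outbound_spikes(baseline, flows)
    ioc_hosts = {host for host, _ in ioc_matches(flows, ioc_domains, ioc_ips)}
    priorities = {}
    for host in set(spikes) | ioc_hosts:
        both = host in spikes and host in ioc_hosts
        priorities[host] = "high" if both else "medium"
    return priorities


if __name__ == "__main__":
    print("spikes:", outbound_spikes(BASELINE_DAYS, TODAY_FLOWS))
    print("ioc hits:", ioc_matches(TODAY_FLOWS, IOC_DOMAINS, IOC_IPS))
    print("triage:", triage(BASELINE_DAYS, TODAY_FLOWS, IOC_DOMAINS, IOC_IPS))
```

The baseline is per host rather than network-wide so that a database server's normal backup traffic does not mask a workstation that suddenly sends ten times its usual volume; the triage step gives analysts the well-defined ordering the SIEM item above asks for.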
While extensive, this is not a complete list of actions organizations should be taking. Our initial set of recommendations will help to mitigate the immediate risks of a ransomware attack. Continuous planning based on risks will help to support long-term cybersecurity resiliency despite these sustained and evolving adversarial threats to the well-being of our communities. And if this seems like an insurmountable burden at the end of a stressful and difficult year, know that we can help. From on-the-spot incident response to strategic resiliency planning, we can help firms reduce business risk and bolster their overall security posture. Contact us to get started.
Beginning September 30th, cybersecurity teams from Ascent Solutions and Pathfynder worked to defend a client from Egregor ransomware. Egregor’s notable traits are data exfiltration prior to live and backup system encryption as well as requiring victims to contact threat actors to arrange ransom payment via the dark web. Ascent takes an intelligence-driven approach to Digital Forensics and Incident Response (DFIR) activities. However, because Egregor is so new to the threat landscape, there is little actionable intelligence available to drive that type of strategic approach to DFIR activities. Ascent’s investigation into Egregor yielded a straightforward process DFIR teams can use to develop the correct intelligence in order to take action and eradicate further ransomware threats. The response team gathered internal, counter, and external intelligence before asking the critical questions that enabled them to develop a response appropriate to the predicted risk level.
Internal intelligence was collected from the client’s affected computers immediately after Ascent was contacted to respond to the ransomware. The team collected logs and data from the deployed antivirus solution as well as existing Windows event logs. This allowed the development of an initial intelligence hypothesis stemming from the files and executables as well as the client’s associated hashes. The intelligence was actionable at some level, as it allowed the Incident Response cycle to continue. However, it was not enough to drive all required remaining activities. Frequently, DFIR teams stop when they finish collecting internal intelligence. While arguably the most important, internal intelligence alone is insufficient in providing the full assessment needed when a new ransomware is crippling an organization.
The second type of intelligence collected was all publicly available data about Egregor. As it is a Sekhmet variant, it was comparatively easy to conduct Open Source Intelligence (OSINT) research on Sekhmet, and because the threat actors had provided a ransom note listing their .top and .onion domains, the team could develop an intelligence profile of the Egregor team. This counterintelligence enabled Ascent to form a hypothesis about how the Egregor team operated, as all of their public-facing IT systems either confirmed or indicated their tactics, techniques, and procedures. Unfortunately, when taken on its own, counterintelligence is not entirely actionable information.
The last step in investigating Egregor was gathering external intelligence about the client. This practice of “turning the map around” often fills in gaps left after internal and counterintelligence efforts, aids in forming an initial hypothesis of Patient Zero, and uncovers other potential indicators of compromise. In this case, external intelligence consisted of gathering a current state cyber threat assessment against the client organization. This exercise aims to determine where the weak spots are from an attacker’s point of view, with an objective of assessing what data they might have stolen and what might have the highest value to the threat actor. Like the internal intelligence and the counterintelligence gathered previously, the low amount of data gathered externally was not actionable enough to complete DFIR activities.
Intelligence Officer Makes the Call
It was the intersection of internal intelligence, counterintelligence, and external intelligence that allowed our skilled DFIR team to probe the model and ask informed questions regarding what was and was not known and, ultimately, fill in the valuable blanks. This level of formal intelligence assessment could then be provided to counsel, insurance, and the client to recommend a course of action based on a predicted level of risk. It also enables a far more informed conversation around mitigation, eviction, and cleanup. There is always intelligence a DFIR team can use – even when that intelligence is simply the lack of something that should be there. For the Ascent and Pathfynder teams, intelligence-driven DFIR is more than a subtitle—it is an accelerator that allows us to uniquely engage in defense of our clients against any threat.
“I want to break free, I want to break free from your lies, You’re so self-satisfied I don’t need you, I’ve got to break free, God knows, God knows I want to break free.” -Queen.
Freddie Mercury and John Deacon were bemoaning the binding nature of falling in love. In either a sarcastic or paradoxical vein, the songwriter longs to break free of the hold love has on a human heart. The songwriters were not security technologists; however, the song should be the theme song for every Security Operations Center (SOC). Today, Security Information and Event Management (SIEM) tools have a grip on the industry from which the SOC cannot seem to break free. Here, we will briefly discuss the problems with SIEM today, detail proven military tactics applicable to cyber defensive operations, and identify opportunities organizations can leverage when transitioning between tools.
Problems with SIEM Today
There are many challenges with SIEM tools today, and most of them are independent of the vendor. The SIEM market is built on the same fundamental philosophies, and much of the capabilities revolving around these philosophies have become table stakes amongst manufacturers. This same theory holds true for problems in utilizing SIEM at the core of security operations. Nearly all products on the market suffer some of the same shortfalls that prevent security teams from being successful with the legacy philosophy that created SIEM.
Alert fatigue is hard to define, but it is easy to describe. Everyone has heard the story of “The Boy Who Cried Wolf”. In this children’s fable, we learn of a shepherd boy who likes to torment the town by falsely calling out the danger of a wolf in the sheep’s pasture. The town runs to defend its livestock, finds no wolf, and the only result is the boy’s amusement. He does this so many times that eventually, as the story goes, when there actually is a wolf in the pasture, the town no longer believes him. The wolf gets the sheep, and the fault lies with the boy’s dangerously false alarms. Alert fatigue is the same. Cyber security alerts generally consist of false positives, true positives, and benign true positives. If the ratio of false positives is too high, eventually the SOC analyst’s human nature will tune out the nearly identical true positives because this alert has “cried wolf” too many times before. Alert fatigue as a concept has been around for a while in the industry; however, it has become so commonplace that the phenomenon has been accepted as normal and is found at the root of many prominent breaches.
Collect Everything / Watch Everything
The exponential quantity of data available for collection, and the fear of not having the data necessary to piece together a breach, is driving the inclination to both collect every log generated across the enterprise and watch every alert this generates. This stems from the flawed opinion that the best practices of centralized log management require organizations to publish all events in raw format to their SIEM. In most organizations, this 100% collection requirement is both unachievable and unnecessary. In fact, if most organizations were to faithfully execute this requirement, they would find themselves drowning in log management problems, with security alerts no longer being a priority.
After all logs are collected, security operations often feel the requirement to watch everything. Many organizations purchased their SIEM for the sole purpose of creating alerts. For every correlated log, there is an alert. This foundational misunderstanding has become commonplace and accepted in the industry and is only causing alert fatigue rather than protecting the organization.
Because of centralized storage strategies, organizations feel obligated to continue to pipe increasing amounts of data to their SIEM. This, along with the increasing volume of compute in organizations, usually means they must continue to purchase increasing EPS (Events Per Second) year over year. As the volume increases, organizations continue to struggle to get all this volume into the SIEM without tuning the alerting mechanism – furthering the alert fatigue cycle. This never-ending cycle of increasing the computing processor requirements, increasing the log volume, increasing the EPS, and increasing the spend has no end in sight. Breaking free from these challenges has never been more important than it is today.
Military Tactics Applied
Although few organizations have come up with an appropriate framework for combating these challenges, the military has developed some tactics and doctrines which can assist organizations with a new thought process defensible to the security professionals in their respective organizations.
In the military, most operations start with intelligence. Marine Corps Doctrinal Publication – 2 states the fourfold objectives of intelligence:
- Identifies and evaluates existing conditions and capabilities
- Estimates possible enemy courses of action
- Aids in identifying friendly vulnerabilities the enemy may exploit
- Assists in the development and evaluation of friendly courses of action based on the results of the first three
With these primary objectives of intelligence in mind, the military continues to plan military operations – fully knowing that a failure in intelligence will result in a failed plan. These intelligence estimates have effectively driven military operations for centuries and can drive corporate cyber defense strategies as well.
The similarities between the two worlds are greater than their differences. An intelligence-driven approach to defensive cyber security operations and SIEM implementation would help companies determine if they are defending against an actual threat, and not simply a possible threat.
Take Appropriate Risk
Most security leaders today have a low risk tolerance. However, the military approach would contend that accepting risk is necessary to all operations, not only combat operations. Marine Corps Doctrinal Publication – 1, the foundation of U.S. Marine Corps doctrine, states: “We must not tolerate the avoidance of responsibility or necessary risk.” (p. 3-7); “the essence of the problem is to select a promising course of action with an acceptable degree of risk and to do it more quickly than our foe” (p. 4-18); and “the main effort involves a physical and moral commitment,…It forces us to concentrate decisive combat power just as it forces us to accept risk.” (p. 4-22). When organizations look to accept little to no risk with their SIEM, they are falsely hoping they can catch anything by orienting on everything. However, security operations should operate just like military operations on this front, and SOCs need to learn to accept appropriate risk so they can orient specifically on the enemy and protect their critical assets.
Marine Corps Warfighting Publication 3-11 highlights the importance of company level patrols when in a defensive position. “[Company Patrols] can provide redundant collection for important [information requirements] and fill gaps in the company’s collection plan.” (MCWP 3-11.1 p. 4-15) These patrols in the military context have a similar function to a threat hunt in the cybersecurity context. Ideally, threat hunts provide valuable intelligence through monitoring and alerting. When conducted appropriately, these threat hunts can uncover threats in places the organization does not have an appropriate control. Applying these military doctrines to organizational SIEM implementations, a security technologist can leverage their SIEM as a compensating control when mitigation cannot be met by other means.
For instance, if an organization knows from its threat and vulnerability matrix that it needs to invest in a Privileged Access Management tool to reduce the risk of credential theft, but as of today there is no budget for the tooling, the SIEM tool can provide the needed risk reduction through increased monitoring of credential theft. Using this military-driven approach, organizations can more intelligently leverage their SIEM investment to monitor known security gaps rather than just having an approach to “monitor everything.”
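What "increased monitoring of credential theft" looks like as a concrete SIEM rule, as an added example that is not Ascent's or any vendor's code: the detection below runs over constructed Windows Security events (event ID 4625 for a failed logon, 4624 for a successful one) and flags a source that fails against many distinct accounts in a short window, the password-spray pattern behind the credential-stuffing risk named in the ransomware list above, and escalates if the same source later succeeds. The event records, account names, addresses and timestamps are constructed; the thresholds are assumptions to tune for the environment.

```python
"""Password-spray detection over constructed Windows logon events, written as a
compensating control a SIEM can run until a PAM tool is funded.
Added example, not from the original page; all records below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security log extracts: 4625 = failed logon, 4624 = successful logon.
EVENTS = [
    {"ts": "2020-11-02T08:00:01", "id": 4625, "user": "jsmith",  "src": "203.0.113.50"},
    {"ts": "2020-11-02T08:00:03", "id": 4625, "user": "mjones",  "src": "203.0.113.50"},
    {"ts": "2020-11-02T08:00:05", "id": 4625, "user": "tnguyen", "src": "203.0.113.50"},
    {"ts": "2020-11-02T08:00:07", "id": 4625, "user": "pgarcia", "src": "203.0.113.50"},
    {"ts": "2020-11-02T08:00:09", "id": 4625, "user": "rlee",    "src": "203.0.113.50"},
    {"ts": "2020-11-02T08:00:11", "id": 4625, "user": "dkim",    "src": "203.0.113.50"},
    {"ts": "2020-11-02T08:00:13", "id": 4625, "user": "lwang",   "src": "203.0.113.50"},
    {"ts": "2020-11-02T08:05:10", "id": 4624, "user": "rlee",    "src": "203.0.113.50"},
    # A user mistyping a password twice from an internal address, then succeeding:
    {"ts": "2020-11-02T09:10:00", "id": 4625, "user": "akhan",   "src": "10.20.30.40"},
    {"ts": "2020-11-02T09:10:20", "id": 4625, "user": "akhan",   "src": "10.20.30.40"},
    {"ts": "2020-11-02T09:10:40", "id": 4624, "user": "akhan",   "src": "10.20.30.40"},
]


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {src: finding} for sources that produced failed logons for at least
    min_accounts distinct accounts inside any sliding window of length `window`.
    A later successful logon from the same source raises severity to 'critical'."""
    failures = defaultdict(list)   # src -> [(timestamp, user)]
    successes = defaultdict(list)  # src -> [(timestamp, user)]
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["id"] == 4625:
            failures[e["src"]].append((ts, e["user"]))
        elif e["id"] == 4624:
            successes[e["src"]].append((ts, e["user"]))

    findings = {}
    for src, fails in failures.items():
        fails.sort()
        most_accounts = 0
        start = 0
        # Two-pointer sweep: for each failure, count distinct accounts in the
        # window ending at that failure.
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            distinct = len({user for _, user in fails[start:end + 1]})
            most_accounts = max(most_accounts, distinct)
        if most_accounts < min_accounts:
            continue  # a single account retrying is not a spray
        first_failure = fails[0][0]
        success_after = sorted({user for ts, user in successes.get(src, [])
                                if ts > first_failure})
        findings[src] = {
            "accounts": most_accounts,
            "success_after": success_after,
            "severity": "critical" if success_after else "high",
        }
    return findings


if __name__ == "__main__":
    for src, finding in detect_password_spray(EVENTS).items():
        print(src, finding)
```

The distinct-account count is what separates a spray from a forgotten password: the internal user with two failures against one account never reaches the threshold, so the rule does not add to alert fatigue, while the external source that touched seven accounts and then logged in as one of them is exactly the gap the organization chose to watch.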
A SIEM is a security tool designed to alert a security analyst when a potential threat has been discovered. Usually, these alerts occur when a threat actor attempts to traverse a cybersecurity technical control. In the military defense context, these controls are called obstacles. These obstacles include everything from firewalls to Anti-Virus software. However, when SOCs do not actually watch these obstacles for enemy movement, organizations should be wary of their effectiveness. MCWP 3-11.1 states “Obstacles cannot meet a commander’s intent unless covered by some means of friendly observation and fire.” (p. 7-16) The intent behind the doctrinal placement of obstacles is that they are inherently ineffective if the defense cannot both observe the enemy traversing the obstacle and affect the outcome. Adding obstacles and alerts which security analysts cannot respond to further contributes to alert fatigue, lessening the effectiveness of already operationalized obstacles.
Azure Sentinel: Meeting Market Needs
After hearing this military-SIEM connection, you may be thinking, “What do I do now? How can we break free from this construct?” Changing process and perspective will go a long way. However, if your organization wants to take the opportunity to break free from the challenges it faces in alert fatigue, rising EPS pricing models, and a failed approach, it requires more than a pivot to military tactics. Ascent Solutions and Critical Start want to encourage you to take this opportunity to fully break free by moving to an innovative and disruptive technology, Azure Sentinel. Sentinel can provide significant advantages and opportunities at this time in your journey to reduce cost, leverage a new approach, and move beyond SIEM to Security Orchestration, Automation, and Response (SOAR).
Due to Azure’s ability to leverage its own cloud infrastructure, Azure Sentinel does not need to abide by the burdensome EPS pricing model. Azure Sentinel not only provides monitoring for its own platform (Office 365 and Azure) for no cost, but only charges cloud storage rates rather than an EPS model. This means organizations can leverage Sentinel in combination with their current SIEM. Many SIEM models use a “heavy forwarder” approach, allowing a forwarding tool to take load from the SIEM. This increases operational effectiveness by reducing alerts and significantly reducing the operational cost of the SIEM.
Leverage A New Approach
Security analysts can easily develop muscle memory from a process-oriented job. Unfortunately, when the subject of the muscle memory is an inefficient process built on a legacy mindset and action-triggering widget, only a completely new approach can revitalize the team. Once the yellow, green, and red lights go away, the analyst is free (or driven) to take a new perspective. In addition, many SOCs operate with dashboards upon dashboards on the finest 76” monitors on the market. However, if quizzed, the analysts behind those screens could identify the origin of only half of the alerts or widgets on the dashboard. Moving to a new solution and a new literal scenery in the SOC can drive different behaviors and perspective.
Security Orchestration, Automation, and Response
SOAR is the bigger, stronger, smarter brother of SIEM. SOAR takes monitoring and alerting and adds process automation through custom workflows. Although the real strength of SIEM will always be the analyst, SOAR frees the analyst to do higher-order tasks and analysis. Azure Sentinel allows organizations to build SOAR capabilities in from the beginning. Leveraging Azure cloud infrastructure, SOAR capabilities can be instantly instantiated, built, torn down, rebuilt, and scaled to new, unique levels.
Are You Ready to Break Free?
Looking at the fundamental flaws the legacy SIEM approach was built upon, the current sentiment towards the status quo of security operations is no surprise. It is expensive, cumbersome, and tiring. Much of the industry’s turnover and subsequent headcount shortage can be linked to using the same failed methodology and principles – but expecting a different outcome. Pivoting the principles towards proven, military-based tactics, wrapped around a product that enables those principles, allows security teams to refresh their landscape and turn their attention towards dealing with risk instead of alerts. While this seems like a radical assertion, it is what is necessary to break free.
Want to learn more?
Register for our upcoming webinar – Do SIEM Better: Tackling the Modern Challenges of Your SIEM Practices
With the unfortunate events transpiring lately and employees suddenly required to work from home, organizations across the globe are struggling to support a “management everywhere” approach. With the sudden explosion in enterprise access for personal devices, rapidly configured mobile devices (some consumer grade), and almost all of it on unmanaged networks, the endpoint is now the most vulnerable element for malicious activity. A recent study supports this, revealing the staggering fact that breaches can be reduced by 60% with a patched and compliant environment (Truta, 2019).
Heading into the COVID-19 crisis, organizations likely did not have a mature BYOD or remote work plan in place, leaving them to rely on their best judgement for application and device protections and to implement faster than they would have liked. History has shown that malicious actors can and will craft realistic traps exploiting these types of situations. Taking the time to ensure that a device or application can be managed from anywhere has become more critical than ever.
Below are some relevant articles with excellent details:
- Security Boulevard: COVID-19 Pandemic Drives Spike in Phishing Attacks
- Microsoft: Spear phishing campaigns—they’re sharper than you think
While many employees already had work laptops available for at-home use, this recent shift has organizations seeing a massive increase in the number of personal devices accessing company data. By using Conditional Access and Microsoft Endpoint Management policies together, enterprise IT organizations can control and secure corporate data in approved applications on these personal devices, allowing employees to remain productive and secure. Companies of all sizes must treat this with urgency to make sure that only trusted and compliant devices and applications have access to corporate data.
The global COVID-19 crisis has made businesses look to the cloud to complement their existing on-premises device management infrastructure. Organizations that currently use Microsoft’s Configuration Manager can easily add Microsoft Endpoint Manager’s cloud services to manage remote devices. This provides a holistic coverage plan for enterprise and personal devices. Upon implementation, co-management gives an organization the ability to:
- Enforce conditional access upon signing in for accessing corporate data
- Take immediate actions on all managed devices, including remotely wiping a device of corporate access, applications, and data
- Deploy software and updates faster, regardless of device type
To manage through this crisis and provide your employees the most flexibility while ensuring security, Ascent recommends your organization takes the following steps:
- Extend managing company owned devices everywhere with Microsoft’s Endpoint Manager cloud management
- Provide secure access control to enterprise data and applications for employees using personal devices
- Provide a Microsoft Windows Virtual Desktop experience if necessary
- Simplify management by unifying all platforms under one console
- Enforce Conditional Access to your corporate resources and applications
- Integrate an advanced threat protection service, allowing platforms to combat suspicious activities before they are formally identified
- Migrate on-premises restricted policy management to the cloud
The good news for many enterprises is that if your organization owns Microsoft 365 E3, EM+S E3, or the E5 versions of those licenses, you may already have the technology needed to implement these recommendations. With Microsoft’s Unified Endpoint Management, these policies can be deployed to all platforms. Solutions that are readily available today can dramatically reduce the risk of malicious actors compromising networks, devices, and applications.
Microsoft has published more on these topics, including the following:
- Helping businesses rapidly set up to work securely from personal PCs and mobiles
- Manage work devices at home during Covid-19 using Configuration Manager
Ascent encourages you to talk with us or your trusted IT Services Provider about services to jump start your modern management deployment with Microsoft Endpoint Manager. Don’t let this crisis open your organization to additional issues. Ascent Solutions brings our customers over six decades of experience and over 1,000,000 devices deployed globally. Combined with our core values and industry experts, you can count on Ascent having your needs front and center. Ascent Solutions has helped customers of all sizes and across a variety of industries transform their End-User Computing organizations into a modern management platform leveraging Microsoft’s Endpoint Manager. Ascent is aware that this crisis has required a renewed effort to increase the security of endpoints, while also providing flexibility for end-users. Our extensive experience and expertise in this area has prepared us to help all customers, no matter how unique or sophisticated their infrastructure architecture may be.
What we learned from our first Virtual Happy Hour and why these after-work rituals are becoming more important than ever.
This past week has been a time of adjustment for everyone in the work world. Events that would normally be held in person are now done virtually. This week I attended a Software Developer Group Demo Night which shifted from an in-person event to a Zoom meeting. Although being in person would have been better, the Zoom meeting was exactly what I needed – another way to connect to the outside world and give advice to these emerging developers.
Earlier this week, I went for a run with a neighbor and he mentioned that his work team of 8 were going to participate in a Virtual Happy Hour. I thought it was a great idea to promote connectivity. Here at Ascent we are so interconnected and for many of us this new world of social distancing has us missing the daily interaction with our Stewards.
As I was planning our happy hour, I did some research and found some meaningful tips to ensure this was successful:
- Pick a Video Chat Platform That’s Easiest for Everyone: At Ascent all our meetings and calls are on Microsoft Teams so this one was easy for us.
- Keep Numbers Manageable: As I mentioned, my friend’s team is a small group of 8, however with our numbers approaching 100 consultants, if a high percentage were to attend a virtual meeting, it would be impossible to have conversation. To get a gauge as to how many would attend, I first sent out a poll explaining the concept and determining how many would be interested. From there I made sure that each video chat room had no more than 10 members and then set up the appropriate number of MS Teams Happy Hour meetings.
- Encourage Everyone to Bring A Drink – there is something nicely communal about eating and drinking together. Alcohol is not necessary but having an alcoholic or non-alcoholic beverage in hand will help everyone feel more relaxed and is a good ice breaker for coworkers that you may not know as well.
- Wear Clothes – I joke but remember, this is still a work setting, we want some boundaries.
- Keep the Conversation Light – try not to turn this into another work-related conference call, the idea is to connect and laugh with one another
Some thoughts after our first ever virtual happy hour:
- I found that the virtual happy hour with co-workers was the best part of my day. It’s been great to hang out at home with my family, and I’ve stayed in touch with close friends throughout this period of social distancing, but I missed the daily interaction with co-workers that randomly occur throughout the day. This filled that void.
- For our next one we are thinking of giving everyone access to all the rooms so you can pop in and out of different rooms and mingle more.
- MS Teams was great, but I wished that you could see everyone at one time (currently the limit is 4 windows at one time, but I am hearing that MS is hoping to roll out a change to that limitation shortly)
- As a bonus, there weren’t any glasses to pick up or bar tab to pay when we were done.
This new reality of social distancing doesn’t mean that we need to discard some of the fun things that make us more human. Just because we are currently staying more than six feet away from each other doesn’t mean we have to be apart.
The COVID-19 outbreak is, as we all know, spreading across the world, and the health and safety of Ascent’s Stewards (our employees), Customers, and Partners is our primary concern. Ascent was already set up well for our consultants to work remotely, but we were able to immediately move towards 100% of our back office working effectively from home as well. This involved people change management, altering some of our processes to be just as effective remotely, and of course ensuring that everyone has the proper technology (hardware and SaaS) to get the job done. We rotated within hours, not days, and our Ascent team can do the same for you and your organization, ensuring that you keep your business intact during these difficult times – together we can get through this.
Obviously the core of any remote employee program is the technology enabling it all. Microsoft introduced their free, six-month subscription of Microsoft Teams in their E1 license. Because Ascent helps companies of all sizes implement Teams today, we are uniquely equipped to help any additional company that might need architecture, implementation, or change management help to get a solution in place as fast and pain-free as possible. The speed by which companies can enable employees to work remotely is critical, but more than that, keeping your system secure from start to finish is crucial for preventing sudden and avoidable compromise.
I’m proud of the fast work that the people of Ascent have done to help companies of all sizes make this shift to remote work. Our teams have mobilized within hours in some cases to ensure not only business continuity, but effective collaboration, communication, and progress. Here is just a snapshot how we can help organizations pivot quickly to a remote workforce, either through collaboration tools like Teams, through secure Virtual Desktops on any Bring Your Own Device machine, or with your overall Business Continuity Plan efforts:
Within 2-4 hours
- BCP Support – Many companies are executing their Business Continuity Plans during this outbreak. Ascent can assist with implementing your BCP or help you rapidly develop one which addresses your most immediate needs.
- Backfill Support – While you reallocate your resources to support your company’s COVID-19 response, let us keep your projects going. When you’re ready to get back to business-as-usual, your projects will still be on track.
Within 24 hours
- Remote Work Technology with Microsoft Teams – Whether you’ve recently deployed Teams and need assistance securing it for remote connectivity, you haven’t yet deployed and need a partner to assist with an escalated deployment strategy, or your users need more education to drive fast adoption, Ascent’s team of technical consultants and change managers can help.
- Rapid Virtual Desktop – Our team can quickly evaluate your current VDI and determine how best to help out, including immediate implementation of Ascent’s unique solution to quickly expand remote worker connectivity in the cloud – offering employee access from almost any device to a secure and supported Windows 10/7 workstation.
Within the next week
- Teams People Management Framework – Ascent can help your rapid deployment and adoption of Teams as your workforce moves remote on short notice via Microsoft’s new People Management Framework.
- Remote Technology Advisory Services – With our Remote Access Advisory service, and our Rapid Conditional Access offering, Ascent can help you configure your environment so that remote users and data are secure, regardless of where and on what device they are performing work.
- Privileged Remote Access with BeyondTrust – As you respond to the immediate demand to work remotely, Ascent can assist with your Privileged Remote Access solution from BeyondTrust. Let us help you quickly leverage BeyondTrust’s powerful security suite.
(And I’m Doing Fine)
R.E.M. wasn’t at RSA to my knowledge, but I could not help but reflect on their song while I was there. RSA is still the world’s largest security conference. Once a year, security practitioners make the pilgrimage to San Francisco. At one time, I am sure this was an opportunity for security leaders to assess their risk and look for key opportunities to mitigate it with the best technology available. However, my experience this year was far from that rich history.
To be clear, I enjoyed RSA and had excellent conversations. I wish to go again next year as the access to other business professionals is second to none. But as I reflected on the cyber security industry and how RSA represents it, I could not help but lament.
Today’s RSA is much more a swag grab fest than it used to be. Vendors fill their booths with marketing distractions, bright lights, and swag upon swag. Just short of T-shirt cannons and dance teams, RSA to me is representative of my greatest frustrations with the security field.
Security professionals have always been defined by their ability to identify, articulate, and manage risk. This discipline is at the core of the security profession, and cyber security technologists are no exception. Yet security professionals have moved from managing risk to managing security controls, and from managing controls to managing only their budgets. We now find ourselves in an industry of security technologists who focus solely on getting more and more budget to buy more and more widgets. What happened to managing risk? Why have we strayed so far? And what can we do about it?
I suggest the only remedy is a hard U-turn back to the core of our discipline. Every time we as security technologists discuss our budget plights, we need to ask ourselves whether our risk has been accurately quantified, and how best to manage that risk through transfer, acceptance, or mitigation. Most cyber organizations have completely abandoned this discipline. Rather than developing a security strategy around risk management, their security strategy is a vendor procurement roadmap. This has become so prevalent that most organizations do not even attempt to catalog or quantify their risks. The RSA conference seems to reinforce this error – and make it easier to get distracted by the shiny lights, swag, and marketing material.
Those of us in the field who uphold the fundamental disciplines need to encourage our peers to course correct. There is still opportunity to improve our posture even when our budgets have declined. We can still mature our security programs without buying every technology Gartner and Forrester cover. It may be the end of our field, but we are doing fine.
What I saw among hundreds of booths
At RSA this year, I once again canvassed the partner floor to see if I could spot any trends. While a lot of smart people were talking during the sessions, I find that the booths illustrate where buyers and sellers are placing their bets, so to speak. Believe it or not, I canvassed approximately 270 (!!) separate vendor booths during RSA, stopping either when I didn’t understand what they were selling (which was sadly too often – usually due to bad marketing or bad booth design) or when I personally found it interesting for our business or our clients. I did this same thing 4 years ago, so I also got to see what has changed in a few years.
With that backdrop, here is what struck me the most…the most popular, the changes, and what seems to be dwindling:
- By over 2:1 in booths, more vendors were focused on endpoints, unstructured data, and people versus networks and firewalls
  - Does that mean the network is secure enough, the market is mature, or that the battlefront has shifted? We believe it’s the latter.
- Threat Hunting, SecDevOps software, and Vendor Risk Management were newer entries with multiple booths
  - I had no entries in these categories from 4 years ago
- In just 2 years, some of the biggest names are virtually gone from the space and some others have carved out a new prominent name for themselves (KnowBe4 – one of my personal favorites from a few years back).
- GRC booths were rather popular, with almost 20 different vendors helping customers with their compliance needs
- SOAR added to SIEM – I didn’t see SOAR mentioned at all 4 years ago
- CASB and the Cloud Security market seem to have consolidated quite a bit, with fewer vendors and bigger booths
- I probably missed it, but there are a lot of threat intel companies, and I didn’t recognize ANY of them from just a few years ago
Going, Going, Gone?
- Firewalls…where have you gone?? Network security as we knew it just a few years back has been replaced by Edge and Endpoint security, including IoT. This correlates directly with the growth of Identity Management
- Speaking of disappearing acts, physical tokens are virtually gone. In fact, other than a badging system, I didn’t see any.
  - Granted, I didn’t stop at the RSA booth, ironically. Not sure they still make them, to be honest
- VPN – 2 booths
Granted, all of the information above is anecdotal, drawn from my conversations, but I do find that conversations in the trenches are as valuable as insights from on high. I also like where we at Ascent have placed our bets – we appear to be pacing the industry well, which puts us in a great place for our customers and partners.
Last week, two of our Cyber Architects, Jason Floyd and Josh Decker, attended an exclusive Microsoft Security Partner Insider Event in Chicago. At this event, we were provided insider insight into exciting new technology coming to the security space as well as deep training and conversation on the current versions of the product suite.
We had a number of takeaways from the event, but our Cyber Architects were most pleased to be reassured that our comprehension and implementations of the Microsoft security suite were in line with Microsoft’s. Our Cyber Architects noted that there were a handful of other strong partners there who focus on one specific product or portion of Microsoft’s security suite, but that Ascent was the only firm of our size and flexibility well versed in the entire suite. All the other full-suite partners were the typical large consulting firms which specialize in multi-million dollar, multi-year projects.
We are humbled by these continued unique opportunities with Microsoft and look forward to delivering the best customer experience possible leveraging today’s technologies while simultaneously preparing our customers for tomorrow’s threats.
It was just a little over 1 month ago that Microsoft hosted their massive partner conference, MSInspire. For the first time in recent memory, it also overlapped with their global (internal) sales conference, MSReady. This was a great opportunity for partners, such as Ascent, to not only hear the content directed to partners, but also directed to their field sellers. After a month, I thought I’d reflect on what I saw and heard, and what I am seeing as the conference concepts are put into action.
What I saw: Beyond all of the excitement, keynote speakers (which are now called CoreNotes, for some strange reason), and the activity in the partner pavilions, I saw a company that is devoted to helping customers leverage technology (theirs and their partners’, obviously) and driving technology solutions via partners. Microsoft has spent the last decade moving their company and their customers from an ‘install the software’ model to a ‘consume the services’ model…i.e., the shift to cloud computing and ‘as a Service’ consumption of technology. If your business is still using old methods of computing, assume you’re going to fall behind due to your inability to leverage technology to enable business initiatives at the speed your competitors can. I often liken the shift we’re seeing in technology to the old factory model of power distribution. To run a factory floor, you needed your own power supply (such as a water wheel) and immobile stations to consume that power. You also needed staff to maintain your power supply, your power distribution mechanisms, the belts, etc. This was state of the art not too long ago.
In a few years, the picture below will have the same feel.