Episode 21 - Automatic Security
We share our grand vision for the future of Cyber Security - AUTOMATIC SECURITY! But don't get it confused with AUTOMATED security. Tune in to find out the distinction. It's a big vision and our conversation touches on a lot of areas of cyber security.
Notes:
We have been listening to past episodes:
E19 – power of small teams was packed with tactical insights
In the trenches - Process & tactical – then back in the practical / tech
But each one of the episodes, the topics, RBA in general – they are actually pieces of a larger vision
A vision of security that “just works”
Automatic Security
For Executive Leadership – “Not breached” , “Not in the news”
For Security Leadership – demonstrable work and improvement
For Technical / front lines – “not getting crushed”
We know there’s a challenge of communication between leaders, security leaders, & security technicians
So let’s try to solve that first:
Definition #1 – Business definition of security, business definition of “security that just works”
Systemic and continuous reduction of risk amidst a chaotic and dynamic environment.
The BUSINESS (board, CEO, business owners, shareholders) care about one thing, and one thing only – the reduction of risk.
OUR job in cybersecurity comes from the “chaotic and dynamic environment”
Let’s repeat this – because this kind of alignment is a HUGE gap in the industry right now.
The BUSINESS (board, CEO, business owners, shareholders) care about one thing, and one thing only – the reduction of risk.
So what REALLY is the cybersecurity function inside of an organization?
Definition #2 - Cybersecurity is the continuous minimization of the overall risk exposure of your organization.
Risk is broad – but we can summarize it
Risk is the potential for bad things to happen
When bad things do happen – we lose. It has costs, and those costs are “exceptional”
we lose time, money, trust, potential production.
Traditionally – what is the #1 tool we use to minimize risk – both in business & personal lives?
It’s insurance – it’s a financial tool we use to shift from max uncertainty to minimal uncertainty.
It works because we can do the math – Car is worth $X, average accident costs $X, Y% of drivers will get into an accident over a 12 month period
Financial management of expected loss – and we can calculate that with a high degree of predictability.
We don’t have that in Cybersecurity – we’ll talk about those numbers and data sets in a future episode within the context of cyber insurance claims
But insurance doesn’t work for cyber – because of the earlier problem – dynamic and chaotic environment.
So we can’t be passive here – we need to actively mitigate risk. Or mitigate the potential bad.
Definition #3 – Cybersecurity minimizes risk exposure by continuously:
Finding bad
Stopping bad
Preventing future bad
IN THAT ORDER – why it’s that order is a discussion for another time.
And you need to do all 3
This definition also describes why we aren’t winning
Why we keep spending more money without improving our outcomes
We have tools, services, technology, frameworks
Each one does one, maybe two of the 3
BUT NOTHING DOES ALL 3
You need to bring all those things together – tech, tactics, and teams to build, execute, & refine
And successfully do this – continuously – at the “speed of technology” and the speed of business
And that is EXACTLY what Automatic Security is – this vision of success
Definition #4 - The VISION of Automatic Security, from the perspective of cyber security, is:
The continuous minimization of the overall risk exposure of your organization by automatically
Finding bad
Stopping bad
Preventing future bad
I know what you are saying – EASIER said than done.
We agree – but here’s how we know it's possible – in fact everything we do & build is a step in that direction
RBA itself is a foundational piece of Automatic security
But here’s how we know it's possible:
Example 1: Malicious external IPs
Find: detection
Stop: decide it's bad
Prevent: publish IP to internal/firewall block lists
Time: 60 minutes
Scalability: RBA
#1 Problem – The People
Why? “We don’t block IPs because attackers can change them so easily”
So what – what if we can block the bad ones automatically & continuously, WHILE absorbing the chaos & dynamics of the internal AND external environment
We just created an automatic and continuous reduction of overall risk for our organization.
More sophisticated example
Example 2: Ransomware/Phishing
Find: reduce malware alerts on endpoints, turned out to be primarily from phishing
Stop: block the attachments and sender of the phish, and file execution on the endpoints
Prevent: enable greater phishing protection on email gateway, sanitizing links, preventing file types, sandbox attachments.
Time: 6 hours
Scalability: RBA and email gateway
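The Find / Stop / Prevent loop behind Examples 1 and 2, written out as an added example (this is not code from the podcast, from RBA, or from any gateway or firewall product): risk points from detections accumulate per external IP or per sender address over a time window; an entity whose score crosses a threshold is published to a block list unless an allowlist of internal ranges and trusted domains rules it out, which is what lets the loop "absorb the chaos" of the internal environment. The threshold, window, allowlist ranges, risk values and sample observations are all constructed assumptions, and the block-list sets stand in for whatever firewall or mail-gateway API would actually receive the entries.

```python
"""Risk-based aggregation of detections into automatic block-list entries.

Added example, not the project's own code. All names, thresholds and sample
data below are constructed assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Assumed policy: accumulated risk at or above this value justifies a block.
BLOCK_THRESHOLD = 100
# Assumed policy: only observations inside this window count toward the score.
WINDOW = timedelta(hours=24)

# Allowlist that absorbs "internal chaos": own address space and own mail
# domain are never published to a block list, however noisy they look.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TRUSTED_SENDER_DOMAINS = {"example.com"}   # assumed: the organisation's own domain


@dataclass
class Observation:
    ts: datetime
    entity_type: str   # "ip" (Example 1) or "sender" (Example 2)
    entity: str
    risk: int          # risk points assigned by the detection rule that fired


def is_allowlisted(entity_type, entity):
    """True when the entity must never be auto-blocked (or cannot be parsed)."""
    if entity_type == "ip":
        try:
            addr = ipaddress.ip_address(entity)
        except ValueError:
            return True   # malformed value: never push garbage to the firewall
        return addr.is_loopback or any(addr in net for net in INTERNAL_NETS)
    if entity_type == "sender":
        domain = entity.rsplit("@", 1)[-1].lower()
        return domain in TRUSTED_SENDER_DOMAINS
    return True           # unknown entity types are not actionable


def score(observations, now):
    """FIND: sum risk per entity over the window (the RBA-style aggregation)."""
    totals = defaultdict(int)
    for o in observations:
        if now - o.ts <= WINDOW:
            totals[(o.entity_type, o.entity)] += o.risk
    return dict(totals)


def decide(totals):
    """STOP: select entities whose score crossed the threshold and are not allowlisted."""
    return sorted(
        (etype, entity, total)
        for (etype, entity), total in totals.items()
        if total >= BLOCK_THRESHOLD and not is_allowlisted(etype, entity)
    )


def publish(decisions, blocklists):
    """PREVENT: add entries to per-type block lists; de-duplicated so re-runs are idempotent."""
    added = []
    for etype, entity, _total in decisions:
        entries = blocklists.setdefault(etype, set())
        if entity not in entries:
            entries.add(entity)
            added.append((etype, entity))
    return added


def run_cycle(observations, blocklists, now):
    """One pass of Find -> Stop -> Prevent; returns the entries newly published."""
    return publish(decide(score(observations, now)), blocklists)


# Constructed sample detections (documentation address ranges, fictitious senders).
NOW = datetime(2024, 1, 1, 12, 0)
SAMPLE_OBSERVATIONS = [
    Observation(NOW - timedelta(hours=1), "ip", "203.0.113.7", 40),
    Observation(NOW - timedelta(hours=2), "ip", "203.0.113.7", 40),
    Observation(NOW - timedelta(hours=3), "ip", "203.0.113.7", 40),   # 120: blocked
    Observation(NOW - timedelta(hours=1), "ip", "10.1.2.3", 200),      # internal: allowlisted
    Observation(NOW - timedelta(hours=1), "ip", "198.51.100.9", 30),
    Observation(NOW - timedelta(days=2), "ip", "198.51.100.9", 90),    # outside window: 30 only
    Observation(NOW - timedelta(hours=4), "sender", "phish@attacker.example", 60),
    Observation(NOW - timedelta(hours=5), "sender", "phish@attacker.example", 60),  # 120: blocked
    Observation(NOW - timedelta(hours=1), "sender", "hr@example.com", 150),          # own domain
]

if __name__ == "__main__":
    lists = {}
    print("published:", run_cycle(SAMPLE_OBSERVATIONS, lists, NOW))
    print("block lists:", lists)
```

Two properties matter for running this unattended: the window keeps stale detections from triggering blocks long after the activity stopped, and the de-duplicating publish step makes each cycle safe to re-run, so the loop can execute on a schedule without accumulating duplicate firewall or gateway entries.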
Let’s go back to the business definition to take this home – to leadership, to shareholders, to the board
Continuous reduction of risk by Find Bad, Stop bad, Prevent future bad
Obvious financial good for the business.
But what about the attackers? What’s the financial impact on them? Remember they are a business too. Well, if you reduced their probability of success and increased the difficulty level – their costs went up. Their OVERALL costs went up – so you reduced transaction risk by making an attack vector less accessible / maybe even impossible. BUT you also reduced your risk as a TARGET – because any other company that’s not “Automatic” is more likely to get breached before you do.
Summary
The Vision of Automatic Security
Definition #1 – Business definition of “security that just works”
Systemic and continuous reduction of risk amidst a chaotic and dynamic environment.
Definition #2 – Cybersecurity minimizes risk exposure by continuously:
Finding bad
Stopping bad
Preventing future bad
Definition #3 - Automatic Security is the continuous minimization of the overall risk exposure of your organization by automatically:
Finding bad
Stopping bad
Preventing future bad