Groundhog Day Cybersecurity

It’s Time We Break the “Groundhog Day” Cycle Playing Out in the Cybersecurity Industry

Earlier this month, I attended the Gartner Security & Risk Management Summit, and my key observation — or, perhaps, continued realization — is that the cybersecurity industry is living in a perpetual Groundhog Day. Just like in the iconic 1993 movie, the same story is repeated over and over again. In the cybersecurity industry, this comes to light primarily in two ways: 1) vendors are repeating decades-old techniques with a variation of new technology here or there and claiming the “new,” “revolutionary,” “renovated” (yes, renovated; that is actually how someone described their solution’s capability) products will solve the latest and greatest cybersecurity threats, and 2) organizations continue to focus on shiny technology solutions and marketing buzz, versus what really matters: the processes and the people, along with the realization that security is an ecosystem with a number of interdependencies.

In short, just bolting on new technologies without real consideration of how they plug into your strategy (if you have one) will not magically solve anything. In fact, I’d argue it makes things worse.

Different Day, Same Technologies

I sat in on numerous vendor presentations over the course of the conference, and there is no doubt that history is repeating itself. Take extended detection and response (XDR), for example. There were countless XDR vendors touting their services. But XDR is essentially a rebranding of the security information and event management (SIEM) and security orchestration, automation, and response (SOAR) technologies that have been around for the last 17 years.

SIEM served as the original correlation point for disparate data sources, but the static rules required to make the technology work as intended resulted in alert overload and a high number of false positives, rather than more efficient security investigations. When traditional SIEM failed to solve all the industry’s problems, new point detection technologies popped up, including user behavior analytics and network traffic analysis. These capabilities created higher fidelity alerts in lower volumes but re-introduced data silos. What was the solution to this problem? Make the old new again. Why not strap a data lake to it and repackage it as a “next-gen SIEM” category? Shockingly, that didn’t work, either. So, now we’ve moved on to XDR.

But the question I pose in this Dark Reading article still holds up: “If SIEM — and later security orchestration, automation, and response (SOAR) systems — couldn’t help us get all data in one place, with the context and information required for accurate security investigations and to make informed response decisions, why do we think XDR can? Especially today when data variety and volume make data centralization impossible?”

The bottom line is that, over the course of two decades, we’ve gone from SIEM to point solutions, to next-gen SIEM, introduced cloud and SaaS security solutions (more data silos), followed by SOAR and now XDR, and we’re still battling the same problem: inefficient security investigations, largely stemming from the fact that it’s impossible to centralize all the disparate data required for accurate investigation and response. Rather than addressing the root problem — data centralization — vendors are still battling over who has the best data platform and how they can own all the data. This model is broken. (Let me indulge in some self-promotion for a minute and note that Query.AI is an exception. We are addressing the elephant in the room with a first-of-its-kind technology that allows security analysts to unlock access to and value from cybersecurity data wherever it is stored — across cloud, third-party SaaS, and on-prem environments — regardless of vendor or technology, and without requiring data duplication, movement, or centralization. We believe the solution to this overarching problem lies in the ability to access data and glean insights from it regardless of where it lives or who owns it.)

Albert Einstein said: “Insanity is doing the same thing over and over and expecting different results.” This is exactly what the cybersecurity industry is doing — and it’s not just with SIEM, SOAR, and XDR. We’ve seen a similar storyline play out with other cybersecurity technologies over the years, too, such as with the security analytics to machine learning to artificial intelligence trajectory. This product life cycle continues to be so successful for vendors because when it comes to cybersecurity, many organizations have a misplaced focus on technology without a clear strategy, which leads me to my next Groundhog Day observation…

Companies Focus on the Wrong Things

Many organizations still believe the best approach to cybersecurity is purchasing the shiny, new tool that promises to protect against the latest security threat. But there are three essential components to achieving a strong cybersecurity posture — people, processes, and technology — and companies are neglecting the first two.

Vendors aren’t helping the situation here, either. Knowing the mindset of companies, many vendors take security concepts and frameworks — such as XDR and Zero Trust — and make them about supporting technology, rather than the processes and people behind it. We saw this on full display at the Gartner conference, too.

This misplaced focus on technology has only led to complex IT infrastructures and technology sprawl that introduce security risks rather than mitigate them. You can have the best technology in the world, but if you are working with antiquated processes and untrained people, then you are as vulnerable as a company that has no security strategy.

We need to fix the processes and people components before we can ever expect technology to fulfill its promise. And this can only be achieved by building a strong ecosystem founded on security basics. Funnily enough, I gave a presentation on this exact topic back in 2010. And here we are again, having the same conversation, 12 years later.

Processes and People Best Practices

What to do when it comes to strengthening the processes and people components in your cybersecurity strategy is another conversation entirely, but here are a few best practices to consider:

  • Conduct a baseline assessment of your current infrastructure to identify and prioritize assets in need of protection, as well as security vulnerabilities that need to be remediated.
  • Implement vulnerability management processes to ensure continuous patching.
  • Take a “security by design” approach to software development, so security is built into product development from the start, rather than left as an after-the-fact bolt-on.
  • Adjust products’ default security settings to better align with your organization’s security needs.
  • Ensure new technology is properly configured when implemented.
  • Vet third-party companies before doing business with them.
  • Gain visibility into your supply chain, so you can secure the complete lifecycle.
  • Build an incident response plan and continually test it to ensure it works and stays current with the changing threat landscape and business requirements.
  • Develop a feedback loop, so the things you learn from incident response activities can be incorporated to continually strengthen your security program.
  • Conduct ongoing cybersecurity education and awareness training to keep employees up-to-date on the latest threats and equipped with response best practices should they be targeted.
  • Build a strong security culture, from the C-suite to the mailroom.

In his book, “The Art of War,” Chinese General Sun Tzu said, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” The only way to truly understand the cybersecurity threat landscape and how your organization can defend against it is by focusing on processes, people, AND technology.

Final Thoughts

Despite the overarching challenges that were on full display at the Gartner conference, on a positive note, I left the show feeling validated that the technology Query.AI is bringing to market is unique, in urgent demand, and will change the security investigation process as we know it — bringing unparalleled value to organizations’ threat detection and response processes.

I am proud to say that we are doing our part to break the Groundhog Day cycle across the board. Our technology is new, innovative, and moving the needle when it comes to more efficient security investigations. And, our platform forces organizations to rethink the data centralization process, allowing security analysts to access relevant data, wherever it lives, to make faster, more accurate response decisions.

We don’t need to follow the same-old cybersecurity journey. It’s time we carve out an entirely new path that leads to a more secure world. And, Query.AI is in the driver’s seat and taking on passengers. Are you coming along for the ride?