Cyber Security is easy, right? – Tech can only take you so far.

Technology can only take you so far.

So, you’ve done everything you were told to do.

You understand you have blind spots and weaknesses, you want to improve your cyber security posture, and have assigned a realistic budget to finance the improvements. You watch demonstrations of all the latest products available, and you’re convinced they will deliver what you require. You take the plunge and purchase a new technology or system, whether that’s EDR (Endpoint Detection and Response), a Next-Generation Firewall, SIEM (Security Information and Event Management), or XDR (Extended Detection and Response).

You pay to have it installed by the supplier (as who else is best placed to set it up correctly?), and the project is completed successfully. Now what? Are you in a better position? Maybe, but maybe not. Technology does have a habit of setting false expectations, or seeming like a shortcut to a good outcome.

Was the technology or new system implemented to fulfil a specific requirement or was it because it looked like a good cyber security solution? What was the ultimate goal?

After implementing a new system, analysts can find themselves receiving a high volume of alerts they do not know how to deal with, or enhanced visibility of numerous new vulnerabilities with no time to address them. If you are implementing anything new, you must ensure you also have in place the other two layers of the pyramid, People and Processes. Without either of these, the technology will only take you so far.

Think of a factory which builds cars. Yes, the majority of the process is automated, but there is still a requirement for human beings to be involved at certain stages of the process, and cyber security is exactly the same. Can great technology fill some gaps, automate certain tasks and improve protection? Absolutely. However, it does not eliminate the requirement for human intervention altogether.

No technology is “set and forget”; it needs continual assessment and tuning to ensure it is functioning and configured correctly. Yes, some tasks can be automated, but cyber security still requires individuals working within effective and continually improving processes in order for it to be effective. A new technology or system can also instill a false sense of security, as you may believe you are now protected against a certain threat or attack vector when in fact you are not.

Try not to focus on “being secure” or asking questions such as “are we secure?” as this really is not a realistic expectation. You do not become “secure” as if arriving at a destination, as in the graphic below.

Instead, we should be working towards continual improvement in a circular process where at some points in time we are less secure, and at others we are more secure. It only takes one new vulnerability to change “how secure we are”, so concentrating on point-in-time assessments is not the most effective plan. Adopting a new system or technology can make us feel like we have closed off an attack vector when in reality we may have decreased our overall attack surface, but are certainly not “secure” in one specific area.

Something else to be aware of is that a new technology or system can increase the workload for analysts. A new technology may highlight several new threats you were not previously aware of, generate new types of alerts which have to be triaged and resolved, or reveal new vulnerabilities which need to be remediated. Before implementing any new technology, try to ensure it is adequately resourced and that you are clear on what it should deliver. Expect that the threat level and workload may even increase, and think about what new processes and staff resource should be in place to help deliver the intended aims.

Cyber Security is easy, right?