From battlegrounds to sporting fields, it’s often noted that the best defence is a good offence. The strategic weight of this well-worn adage holds firm for businesses looking to reinforce their cybersecurity.
In the attack landscape, cybercriminals often join forces to disseminate sensitive information, share sophisticated tactics and expose corporate vulnerabilities. While intelligence can be harvested by attackers globally and weaponised against any sector at any scale, CTOs and CISOs are left putting out fires individually rather than working together to proactively prevent them.
Tony Meehan, vice president of engineering for security solutions at Elastic, believes that democratising data in the same way that cybercriminals do will keep businesses a step ahead.
“Don’t get me wrong, confidentiality is still really important,” says Meehan. “I’m not asking for every security team on planet Earth to go and post all their detections on GitHub tomorrow. But we do need to find ways to collaborate more openly and share knowledge, techniques, and best practices.”
As infiltrations become more prolific, coordinated and commoditised, organisations can’t afford to let cybersecurity skills gaps or outdated defence strategies hamper their responses. “The attack surface has become way bigger. I don’t know if we can make a dent in this problem with the same approach of the last 20 years,” Meehan continues.
As an industry, we shouldn’t be embarrassed about the flaws we find, but how long it takes us to fix them and the lack of investment in finding more. We should want to find flaws
Meehan, who worked at the United States National Security Agency (NSA) for a decade on programs to collect foreign intelligence, outlines three main problems facing today’s defensive teams when defending their organisations.
The first is the speed of digital transformation post-pandemic, which opened up holes due to businesses’ accelerated transition to the cloud. The second is the growth of nation-state attacks, something that wasn’t a concern 10 or 15 years ago. And the third is talent scarcity in the security space which makes it harder for individual teams to keep up with new and emerging threats.
“The goal of a good defence is to make the adversary work harder. I think the journey to achieving that really needs to be built around an open community,” says Meehan.
Elastic’s own search-powered solutions are built on this premise of openness, regardless of whether data lives on a single or multiple cloud setup or on-premise. The company has helped the likes of Adobe, BMW and Zurich Insurance find what they need faster while keeping mission-critical applications running smoothly and protecting against cyber threats.
Meehan appreciates C-suites may feel fear or scepticism over sharing sometimes sensitive information. But to fight off sophisticated attacks designed by malicious collectives, organisations must achieve the same level of transparency as those trying to get in through the backdoor.
Removing organisational data silos is one answer to deliver greater visibility of what information is where when it is attacked. However, corporations must actively pursue new routes for collaboration if they want to transform the preeminent cybersecurity culture. According to Meehan, this closed-off culture that prioritises privacy at all costs means companies rarely understand how their purchased vendor security products work; they just accept that they will.
“When confronting the trends of the last couple of years, it’s paramount to really understand what your products are doing for you,” he says. Additionally, data sharing to a far greater extent – detailing threats, foiled attacks, and successful infiltrations – will empower teams.
Meehan likens this to the successful sharing of YARA signatures, commonly used to identify and detect malware. “Openness enables knowledge sharing, which will help elevate your team. You can even share specific detection methods in smaller groups without ever exposing them to the world,” he says.
Increased openness means the entire security community learns and grows. Meanwhile, the attack surface shrinks as it becomes harder for malicious actors to find bypasses across multiple companies. Meehan explains: “All of our detections are in the open. That’s an excellent starting point. Even if you’re not using our product, you can still go and use our detections.”
But security has traditionally adopted a very closed culture, meaning potential vulnerabilities can go unexamined. At the same time, attackers could spend every day for months searching for gaps.
Meehan accepts that few security vendors want to poke around in their own products because they don’t want to be confronted by the holes they might discover. But this reluctance is evidence enough that the system is broken.
“It’s very hard to get people to spend that much time looking for these things, so we have to have a conversation around doing more things in the open,” he says. “If everyone is being a little more transparent about their security controls, threat logic and detection rules, that becomes a force multiplier for all teams’ best practices. Not everyone has to start from scratch.”
The combined efforts of partners and volunteers as part of the Shields Up initiative following Russia’s invasion of Ukraine is a prime example of collective defence in action. Openly sharing vital information has helped Ukraine become a cybersecurity heavyweight. “Supporting one another is a natural reaction. In Ukraine, it was the obvious thing for us to do,” Meehan explains.
While companies do share data, the practice is primarily relationship-driven and isn’t as formalised or progressed as it should be. If the majority of organisations are solving the same problems at the same time, the system needs to be revised.
“As an industry, we shouldn’t be embarrassed about the flaws we find, but how long it takes us to fix them and the lack of investment in finding more. We should want to find flaws,” says Meehan. The more comfortable companies are with internal scrutiny, the harder it becomes for outsiders to game the system.
Appreciating the need for greater sharing will make a tangible difference to the people and products that systems are designed to protect. A new cybersecurity culture that promotes open information and close ranks will set organisations on a path to victory.
Q&A: The data silo dilemma
Visibility is the first step towards security, and that means embracing openness, explains Mike Nichols, vice president of security product management at Elastic
How are data silos creating security challenges for organisations?
Since Covid-19, businesses have exploded into the cloud much faster than expected. In the rush to support remote working, companies began pulling data from more applications and sources than ever, which opened them up to exploitation. It’s also much harder now to break down information and identify which portions are most critical to operations. Companies are finding they don’t have the right expertise internally to understand or monitor it all at scale. And the sheer amount of information they need to sift through can be overwhelming.
When your systems are compromised, it’s not just about spotting the intrusion; that’s only half the problem. Preventing someone from being inside long enough to cause damage is crucial.
When your systems are compromised, it’s not just about spotting the intrusion; that’s only half the problem
Minimising the dwell time of your adversary is effectively a data access challenge. You may have seen an initial alert but can’t gain access to the areas you need because the designated expert is away, the data isn’t available to the analyst, or the data simply doesn’t exist. Analysts can’t connect the dots if they’re segregated from the data they need when they need it.
What’s the next step for businesses to respond effectively to cyber threats?
People silos are as tricky as data silos. You might have an endpoint expert, a firewall expert, and an email expert - but they all work in isolation. Unified visibility is the first step towards security, and that means embracing openness.
With an open schema or framework, the power goes back into the hands of the customer as opposed to the vendor. You control your data and your rules, and you can freely switch out technology vendors as new products emerge.
Your analysts need to be in a position to act quickly when a security incident happens. But the more silos there are, the longer that process takes, and the business risks greater exposure. Removing those restraints for your analysts can make a big difference to the damage toll at the end of the day.
How can security teams improve their decision-making?
I’ve had many conversations where the breached business or organisation doesn’t even know what happened or what was stolen. So how can your analysts make decisions about business risks if they don’t understand what the data looks like and where it was when it was attacked?
Building that understanding and improving visibility are fundamental areas to invest in before you even think about the technology. If you don’t understand where your data and assets are within an environment, that’s a big crack in your security foundations.
You need to be able to perform root cause analysis in real time. When an adversary attacks, it’s not over in seconds. There is a window where they make enough noise in the environment for security teams to detect and intercept the ultimate breach. They’re always going to get in, but as long as you recognise that, you can really prepare. If silos are broken down, and security analysts know what data is where they can react fast enough to stop data from being destroyed or stolen.
What advice do you have for CISOs to get ahead of data challenges?
First, ensure your security operations are not viewed by the rest of the organisation as a silo or as a team that sits behind closed doors, only emerging to tell someone they made an error. Instead, talk with your business leaders consistently and regularly to get to know their processes and requirements directly. When your team interacts with the rest of the business, you gain key insights that will accelerate response actions and improve explanations for alerts and requests coming from those teams.
Second, own your own data. And make sure your security vendor does not lock you into their ecosystem. By insisting on open standards for data storage, data analysis, detection engineering and more, your teams can be agile in adopting new technologies and vendors to suit your security needs as they evolve.
For more information visit elastic.co/explore/security-without-limits
