When more cyber security is too much
Trusted Advisor for IT & Telecommunications Sourcing
Cyber security: why less is often more
Complexity is the greatest enemy of effective security
Many companies believe that more security tools offer better protection – but the opposite is often the case. Overloaded systems, a lack of integration and endless interfaces slow down reactions and create dangerous gaps. The key lies in simplification: clarity instead of chaos.
This is how companies create security through simplicity:
- Reduction of redundant security tools and data sources
- Integration of central systems for faster detection and response
- Focus on transparency instead of functional diversity
- Standardization of security operations and monitoring
- Greater efficiency through clear processes and responsibilities
The question: Does your current security stack really deliver protection – or just complexity?
- >20% savings
- 99.99% availability
- 24/7 support
The view that more security tools mean better protection still persists, but security researcher Etay Maor argues that success in cyber security lies in simplicity…
“Growth creates complexity, which requires simplicity” – Mike Krzyzewski.
There is a widespread misconception that the more security tools a company uses, the better its security posture. It is therefore not surprising that companies use more than 70 security products on average. It is equally unsurprising that with each additional product, complexity increases and efficiency decreases. While this may not be a major problem for Fortune 100 companies with their virtually unlimited security budgets, it is a challenge for everyone else.
One of the fundamental problems in cyber security is that product diversity leads to complexity. The layered security approach that organizations have adopted over the years is designed to protect against the ever-changing threat landscape and the growing complexity of attacks.
However, each layer consists of several unconnected offerings, which means that security researchers have become integration engineers: they have to try to link all the elements together. How exactly do you capture and correlate signals and indicators from different sensors, filter them, normalize the data, weed out false positives, assess the relevance of the data to your requirements, and more? How are multiple threat feeds captured, prioritized and checked for false positives? How can you ensure that everything works together seamlessly to achieve the best possible security posture?
You can’t do that!
The proof is in the so-called dwell time – most threat actors linger in organizations’ networks for weeks (if not months) before launching their attack.
At this critical stage of the attack, IT has many ways to detect, contain and even prevent an attack. While on the organization’s network, attackers gather passwords and secure their persistence using anything from tools already on the system, such as WMI or PowerShell (“Living Off the Land”, LOL), to custom tools: performing privilege escalation, moving laterally to identify the crown jewels, preparing exfiltration tunnels and more – all while bypassing security controls.
This disproves another old cyber security myth that says: “the attackers have to be right just once, and the defenders have to be right all the time”. This myth is an oversimplification of what really happens in a breach. In fact, the exact opposite is true. The attackers have to be right every single step of the way to achieve their goal, while IT has multiple potential choke points where they could have detected, mitigated or prevented the attack. Why do SecOps keep overlooking these signals?
More technology does not mean more security
In many of these cases, all the signals were present but somehow overlooked. This raises some key questions: Do new tools add fat or muscle to the security stack? Do they make the analyst’s job easier – or do they just create more complexity? Do they now need to monitor another screen to detect a potential signal? Do we start a new integration project with every tool that takes weeks or months? Will the whole thing be delayed even more if team members leave? Will we lose focus on security and end up with integration and testing instead?
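The integration burden described earlier (correlating and normalizing signals from unconnected sensors) and the point above that the signals were present but overlooked, as an added example that is not part of the original article: a small Python correlator that maps constructed events from two hypothetical sensors onto one schema and alerts only when living-off-the-land tooling on a host is followed, within a short window, by SMB sessions to several other machines. The sensor formats, field names, hostnames and the detection thresholds are all assumptions made for the example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry from two unconnected sensors: an EDR emitting JSON
# records and a network sensor emitting syslog lines. Field names are hypothetical.
EDR_JSON = [
    '{"ts":"2024-05-01T09:00:00","host":"ws-17","proc":"powershell.exe","user":"j.doe"}',
    '{"ts":"2024-05-01T09:00:05","host":"ws-17","proc":"wmic.exe","user":"j.doe"}',
    '{"ts":"2024-05-01T11:30:00","host":"ws-22","proc":"powershell.exe","user":"svc-backup"}',
]
NET_SYSLOG = [
    "May  1 09:04:10 netsensor smb: src=ws-17 dst=fs-01 user=j.doe",
    "May  1 09:04:12 netsensor smb: src=ws-17 dst=fs-02 user=j.doe",
    "May  1 09:04:15 netsensor smb: src=ws-17 dst=fs-03 user=j.doe",
]
LOLBINS = {"powershell.exe", "wmic.exe"}  # the "living off the land" tools named in the text
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ smb: src=(\S+) dst=(\S+) user=\S+$")

def normalize(edr_lines, syslog_lines, year=2024):
    """Map both sensor formats onto one schema: (time, host, kind, detail)."""
    events = []
    for line in edr_lines:
        e = json.loads(line)
        if e["proc"] in LOLBINS:
            events.append((datetime.fromisoformat(e["ts"]), e["host"], "lolbin", e["proc"]))
    for line in syslog_lines:
        m = SYSLOG_RE.match(line)
        if m:  # syslog carries no year, so the caller supplies it
            t = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((t, m.group(2), "smb", m.group(3)))
    return sorted(events)

def correlate(events, window=timedelta(minutes=10), min_targets=3):
    """One alert per host where a LOL tool runs and, within the window, the same
    host opens SMB sessions to at least min_targets distinct machines."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev[1]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        for t0, _, kind, proc in evs:
            if kind != "lolbin":
                continue
            targets = {d for t, _, k, d in evs if k == "smb" and t0 <= t <= t0 + window}
            if len(targets) >= min_targets:
                alerts.append({"host": host, "trigger": proc, "targets": sorted(targets)})
                break  # one alert per host, not one per LOL process
    return alerts
```

The lone PowerShell launch on ws-22 never alerts on its own, which is the false-positive filtering the text asks about; only the combined sequence on ws-17 surfaces.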
Attackers have several advantages over defenders: they have the initiative, are far more agile, adapt and change faster. However, a close look at many breaches revealed that they still use the same tools and techniques – phishing, password cracking and vulnerability scanning. It’s not the “what” that they have changed, but the “how”.
We need to rethink our defenses. Instead of constantly adding new functions, we should make better use of what already exists in cyber security – not simplified, but clearer, more comprehensive and more manageable. The goal: efficiency through focus – not through function.
We do not support you with a multitude of different security systems from different providers – we support you in establishing security systems that deliver exactly this simplification, along with transparency and relief.
I look forward to your questions!
Andreas Marreck
Key Account Consultant
Why
Telecom & IT sourcing. Worldwide. Carrier-independent.
Selection & operation of worldwide connectivity & cloud infrastructure. Without vendor risk & unnecessary costs.
- 80+ carriers worldwide
- One point of contact
- One SLA
- One portal: mySAVECALL
- Min. 20% savings