Doctors or patients, who are we building cybersecurity tools for?

Many years ago, in a talent development program, a senior executive made an analogy that stuck in my mind for its simplicity. The statement was that those who wanted to progress up the executive ladder needed to think like doctors, not like patients. He went on to explain how patients will describe what is going on with their health, how they feel, and so on. Some patients will even be more observant and will describe a good set of specific aspects of the symptoms they are experiencing, or recent changes in their health that might be indicative of a potential problem (in the security world we call these symptoms “alerts”, and the more sophisticated ones “indicators of compromise”), but in any case they will fall short of knowing what is actually happening and how to cure it. Doctors, on the other hand, need to carefully listen, interpret the answers, ask follow-up questions, conduct additional tests… until they can fulfil their job, which is to provide an accurate diagnosis of the illness and, more importantly, the appropriate treatment to cure the patient.

Of course, that executive was making a point about business management and the need to dig deep in order to understand the root cause of potential business challenges so that you can suggest practical ways to address them. But I have to admit that I see some similarities in many of the tools that are being developed for cybersecurity, and specifically in the Detection and Response space. Please don’t get me wrong, I know that we are all well intentioned, but I keep on seeing tools that in essence focus their innovation on finding a new type of detection pattern or a better telemetry that will spot those symptoms more accurately, and with that, they claim that the “detection” is done. Since they have detected that specific symptom, they believe that you have the necessary information to understand the nature and spread of the attack in order to provide an adequate “Response”. Reality is proving that this approach falls short. As a matter of fact, the accumulation of those tools, and the overwhelming number of alerts flooding the security personnel, is amplifying the problem rather than getting us closer to the solution. The actual role of the security analyst is to understand all the symptoms and dig deeper until they can make a high-fidelity diagnosis of the situation, which in turn yields a set of activities that will first mitigate the consequences of the attack and secondly inoculate the organization against future attacks of the same type. In security jargon, (for most types of attacks) without a proper investigation that leads to true detection of the attack (how it started, what was done/accessed/exfiltrated and how, how many systems were compromised, the spread of the attack, etc.), there is no effective response.

This basic, but quite pervasive, flaw has been especially clear in the network security space, which has traditionally done a decent job at blocking (not claiming perfect by any means, but effective and useful) but has fallen flat when it came to performing detection & response, even when having access to all the necessary data.

My involvement with WireX Systems has given me firsthand experience of the new approach that is being pursued in the modern Network Detection & Response (NDR) market category. There are many things I like about the WireX Systems team and its technology, but I want to highlight the maniacal obsession with focusing not only on visibility but on the investigation capabilities that will allow the doctor (I mean, the security analyst) to arrive at the final diagnosis. While I don’t want to trivialize the relevance of visibility, it is actually of limited help if you cannot perform the required investigation. I would dare to say that visibility is the “easy” part, as everything goes through the network.

By the way, let me also make a clear remark on those statements that say “there is no network any more” or “the network has disappeared”. What? Allow me to be pedantic here, but the network has NOT disappeared in any form; the network has morphed. We are not talking any more about CAT5 LANs and Frame Relay; even MPLS is yielding to newer SD-WAN, but there is no question that there is a network that connects users (at the office, remote or on the go) to an IT environment that is now distributed between multiple on-prem data centers, multiple cloud providers and a variety of SaaS providers that are also increasingly adapting to the new reality of edge computing (this is what the industry describes as “Hybrid IT”).

So, if you can agree with me that the network has not disappeared and everything goes through the network, this is evidently a great place to find the visibility and investigation capabilities for (true) detection and response. There are a number of technical artifacts and complicated tradeoffs to navigate so that visibility evolves into an effective investigation. At WireX we gravitate most of it around Contextual Capture, which allows us to interpret what was going through the network as an understandable set of actions with regard to users, applications and data. Contextual Capture normalizes all that network traffic, independently of OSI layers, network protocols and ports, into a consistent set of activities and insights. Contextual Capture has also cracked the code between rich payload-based metadata that supports true investigation and the practicalities of storage and data retrieval, supporting many months (and sometimes years) of data for investigations, in contrast to a few days when storing raw packet captures in traditional platforms. Visibility is foundational for security, but it is what is called in mathematics “necessary but not sufficient” to truly understand what happened. The tools need to make all this visibility easily understandable and capable of supporting intuitive investigation that will help even an entry-level operator to perform detection & response as if they were an experienced analyst.

Just for clarity, I am not saying that the network is the only relevant aspect, and therefore I believe that Extended Detection & Response (XDR) is the right path forward, but I am convinced that NDR is an integral part of effective detection and response. NDR is also critical as we move into the world of Secure Access Service Edge (SASE), in which we combine modern network technologies with security built in, but let me leave that for a following write-up.
