A TALE OF TWO THREATS
We can divide the types of threats against businesses into two high-level categories. The first is what we term the “background radiation” of the internet. These attacks are generally automated and not specifically targeted. Much like spam, the attacker isn’t targeting your business or vertical in particular — they’re hitting everyone, and some percentage of the time they’ll be successful. This level of success is still distressing and is mostly due to the difficulty of integrating effective patch and vulnerability management in customer environments. Attackers only need to find the single host, firewall, or other device a business misconfigured — or didn’t patch — to gain ingress.
Thankfully, these types of attacks lend themselves to being defeated by traditional technologies like Intrusion Detection/Prevention Systems (IDS/IPS), Web Application Firewalls (WAF), and anti-virus. While some businesses will likely suffer a breach due to these types of attacks, signatures capable of detecting and preventing the attack will quickly make their way into your tooling.
Over the last four to five years, we’ve seen the rise of a second, more sophisticated type of attack, dubbed the Advanced Persistent Threat (APT). The key difference in an APT-style event is that the attacker is usually a person or group of highly motivated, highly trained, and well-equipped operators targeting you or your business. This is their job. They work eight hours a day attempting to compromise systems, go home, have dinner with their families, then come back and do it again.
Tools alone will not protect you from an APT-style attack. The best way to defend against these threat actors is to oppose them with an equally motivated, highly trained, and well-equipped defense force. This typically starts with a 24x7x365 Security Operations Center (SOC) staffed by security analysts capable of defending the organization. Augment the SOC with teams focused on defensive infrastructure, vulnerability management, compliance, and other functions, and you start to have an operation capable of defending your organization. Once you have the people and process, you must then equip them with the best tools.
THE SECURITY POVERTY LINE
An old friend of mine, Wendy Nather of the Retail Cyber Intelligence Sharing Center (R-CISC), coined the term “security poverty line” years ago. She uses it to describe the many businesses out there that are targets of these types of attacks, but are incapable of dedicating the resources to building out the type of operation they need to defend themselves.
The reality is that if you take into account the people and tooling needed in all parts of the business, it’s common to spend $3 million to $5 million for a modern security operation — much of which is a recurring, yearly expense. This is a significant investment for any business.
A 2015 Gartner analysis reported that there would be a 30 percent rise in SOCs being used by businesses, from less than 10 percent to 40 percent by 2020. The problem is there aren’t enough qualified cyber-analysts to staff those SOCs. We find that many of our customers struggle to staff their SOCs to even minimal staffing, let alone a full 24x7 operation. We also find our customers have a difficult time finding good security leadership. The average tenure of a CSO is down to 18 months, so even if an organization is willing to invest in building a security operation, they are finding it nearly impossible to find someone to lead the effort or staff it.
This lack of staffing has a pernicious effect. In our experience, many understaffed SOCs get buried in what we call the “block-and-tackle” of security. The vulnerability management, patching, and compliance obligations consume all of the security operations team’s time, preventing them from performing the proactive type of cyber hunting needed to find the APT in an environment.
THE MANAGED SECURITY SOLUTION
A growing way that businesses are augmenting their security capabilities is with a Managed Security Services Provider (MSSP). An MSSP is often comprised of experts who help with strategic planning for best-practice multi-cloud security, tactical day-to-day security monitoring, and threat analysis to deter, detect, and respond to potential threats around the clock. Plainly put, these companies have the resources and expertise to handle both the “background radiation” of the web and the more advanced, targeted attacks, for an investment that makes sense for today’s businesses.
Even though security threats are evolving, so are the options to