Leaving BlackHat after another consecutive decade of attending the show, I can’t help but feel that sense of dread that collectively, defenders are losing, not gaining, ground on the adversary.
As impressive as the vendors are with their massive displays on the exhibit floor, it is clear security problems are only getting worse, and the stakes are growing higher. We found out last week that North Korea is using more than $2B obtained through cybercrime to fund its nuclear weapons program. Those ransomware payments, among other cybercrime, are now funding weapons of mass destruction. Yes, the stakes are high and it’s time to change the game, because defenders are losing the game we are in now.
Why is security so difficult?
Walking the floor at BlackHat, it’s easy to understand. Even if you take vendors at their word that they solve their slice of the security pie, there are simply too many solutions aimed at only triaging a piece of the problem. Many solve a ‘problem’ you didn’t even know you had.
Having previously run a product vendor firm, I speak from experience. What vendors often don’t tell you is each product you buy requires a human footprint to implement, configure, manage and, often, to program. Many products are point solutions, meaning they solve one problem, sometimes well, sometimes not. Unfortunately, point solutions are often easy for adversaries to bypass.
In addition, vendor products are notorious for being hard to integrate with other vendor products -- by design. So the challenge enterprises face is that there are many products addressing many threats at different points in the enterprise architecture, each with its own management requirements and poor native integration capabilities.
A tight labor market compounds the problem
It doesn’t help that the skills required to implement and operate these tools are hard to find. Many of the tools generate alerts, and each alert must be reviewed, triaged, escalated if necessary and resolved in the time frame of the adversary’s kill chain. So for each tool, you need to hire or train people qualified to implement and manage these tool sets. If you can find these people in a tight labor market, you need to be able to pay them well enough, continually invest in their learning and retain them in a market where experienced security professionals are constantly being lured by other firms with ever-higher offers. Turnover makes the problem of defending the enterprise much harder as institutional knowledge leaves with employees.
When you’re in a game, you need a strategy and a playbook
It’s often said that “Defenders think in lists, adversaries in graphs.” Our adversaries are (mostly) human, though some of their attacks involve bots and other automation. As an enterprise defender, you are in a game with an adversary, so you need to start thinking and acting strategically with a long game in mind and a playbook to counter adversaries’ own plays. Trust me, your adversaries are doing this as we speak. They have a mission, an objective, a game plan and a set of trusted plays they run against enterprise networks. If you are building lists and checking boxes, you aren’t in the game – you are on the bench while the action is on the field of play … which happens to be your network, cloud assets, plants, partners, and supply chain.
Also, your strategy needs to reflect the capabilities of your adversaries and the assets at stake. You don’t want to be caught playing checkers when your adversaries are playing chess with your corporate assets and brand on the line.
Why Managed Detection and Response (MDR)?
It’s clear the challenges of defending the enterprise are significant: too many products and point solutions, too many alerts and too few qualified people to address adversaries who are on the playing field right now. If you are not already running with a playbook designed to counter your threats, you are one or more steps behind, reacting rather than anticipating, and scrambling when the adversary hits pay dirt.
You can build a security program organically to address these shortcomings, but it’s costly – and, more importantly, takes a long time to get to a mature capability. In the interim, the goalposts keep moving as the threat keeps evolving, giving adversaries a longer window in which to achieve their mission.
So, why MDR? The short answer is MDR gives you the ability to go from zero to 60 far more cost-effectively than building the capability organically. Managed Detection and Response is a way to jump-start your security program and leap ahead to a security capability that can counter your adversary’s playbook. MDR addresses the shortcomings of point product solutions by integrating them to get an enterprise-wide view of your assets and threats, while being able to interdict at multiple points of the kill chain.
Accenture’s MDR leverages partnerships with market leaders and up-and-coming innovators to offer the most effective technology operated by highly qualified people trained on these tools. By plugging into Accenture MDR, you minimize your own capital expense in product acquisition and multi-vendor product integration, de-risk the obsolescence of owning a particular vendor product, and address the recruiting and retention problem by leaving it to a global organization of more than 6000 security professionals. More importantly, it accelerates your time to security maturity to be a formidable target for your threats.
MDR is at the head of its class
What differentiates Accenture MDR is our industry focus, our co-sourced model of working with our clients as partners, and a playbook that is continuously updated to counter your adversaries’ moves. For each attack type, we orchestrate and automate the detection and response to rapidly resolve intrusions before they cause business impact.
Our plays automate detection and response to threats every organization deals with, including spear phishing, ransomware and malware, to nip attacks in the bud before they become breaches. In addition to leveraging our playbook – which is continually developed and released as part of our MDR platform – our subject matter experts tailor plays to your industry and organization based on your threat profile.
Next in this blog series, we will go into more depth on plays that enable you to counter adversaries turnkey-style … with a global team that is on the field of play today.