Defending against the threat, not the adversary

 

I'm in San Francisco today and had the pleasure of moderating a roundtable discussion between some of HP Enterprise Security's leading minds (Art Gilliland, Joni Kahn, Jacob West and Scott Lambert) and members of the media. It was an interesting event as we talked less about ourselves and more about the real things going on with our customers, in the industry and with the adversaries. One thing that Art, SVP and GM of HP Enterprise Security Products, brought up that resonated well was this notion of not defending against the "Anonymous" or "APT" or buzzword of the day, but against the threats.

 

This makes a lot of sense since many organizations we talk to spend a lot of energy being afraid of the next big "bad wolf" that the media tells them is at their door, without taking into account the actual threats they face. The point is that the adversary isn't static and the threats posed by different adversaries aren't unique. When you're in the crosshairs of an attacker, there isn't a specific way they're going to come at you because they come with a label. Now, there is still some truth to adversary-based defense, since we know from research published by various organizations that specific big-name attack threats have signatures and patterns that are endemic to them. Just as a real-life criminal often has a 'signature' that identifies them, so do many of the named threats out there. Anonymous for a long time was synonymous with the LOIC (Low Orbit Ion Cannon) tool they used to DDoS websites, and to some extent that's still true. But the critical thing to remember, which Art said, is that adversaries adapt to your defenses. And while they may have a particular signature initially that identifies them, when they want to infiltrate you, they'll adapt.

 

Art's point, and one that was echoed through the room, was that organizations that are seeking to defend themselves - I mean really defend themselves not just check a compliance box - need to consider more than just what the 'current attacker' threat is. Organizations need to consider factors like:

  • their industry
  • the global markets and climates in which they service and operate
  • their employees
  • their technology stacks

More than the latest media hype or competitor experience, organizations of all sizes need to think about where their own weaknesses are, which ones will hurt the most when exploited and why it matters to them.

 

This takes us to an interesting point… CISOs need to understand their business better (how many times have you heard this before?) than they understand the latest headlines. It makes a ton of sense to me... And while knowing what's going on in the world of security globally is important, the CISO must be able to answer the CIO’s question of "Hey, are we safe against <threat du jour>?" with business context. The CISO needs to be able to explain why the threat may or may not be relevant to their business model.

 

I know this isn't groundbreaking or revolutionary for many of you and I'm thrilled if it isn't. But for those who are struggling and always end up chasing the latest threats without really understanding what your adversaries are looking for, or why, it's a wake-up call, I think. It was also refreshing to have such a frank conversation from the SVP of our business here with the media, which seemed to take this to heart.

 

I also am excited to hear Art talk about this as I kick off the SDR2 program ... more on that hopefully soon.

Comments
TestWithUs(anon) | ‎05-22-2013 05:30 AM