Why aren’t today’s tools sufficient to prevent cyberattacks?

Head of Information and Data Analytics in Software, 3 years ago
I spent about six years at Visa building data platforms and AI. On that journey, I saw a couple of problems. The volume, variety, and velocity of the kinds of alerts security operators look at were unmanageable. It took us about 3-5 years to get to a maturity level where you could say you got 30%-40% of MITRE ATT&CK and Kill Chain coverage. Then the cloud happened, and the whole game changed again. For the most part, tools are built for on-prem, and we are just getting started with cloud. Especially when it comes to cybersecurity operations and detection engineering: it's still manual, and people have to build the rules and models. So we're back to square one.

Now everybody is coming to the conclusion that the perimeter is not the way to do things. So there is a possibility of a paradigm shift. Instead of going after the perimeter, we could focus on data. Understanding where your sensitive data lies and protecting that would make more sense. Strategically going after what you need to protect, as opposed to just going after everything.
CISO in Software, 3 years ago

Why can't you take those millions of alerts and use machine learning not only to consolidate them, but to say, hey, this alert should be prioritized over these alerts, so the right ones get addressed? And if you have the proper machine learning, you can say, "hey, here's this alert. Here's what it means. Here's how to fix it."

Head of Information and Data Analytics in Software, 3 years ago

The false positives are so high that people don't trust AI anymore. Some of us have figured out a different way. Think about the scenario. Storage has become cheap. If you have one month's worth of data, it's like the joke where a drunk is searching for his keys under a streetlight. The cop pulls over and asks, "Hey, I could help you search. Should I search next to you under the streetlight?" He goes, "No, no, go search in the darkness." "Then how come you're searching here?" "Well, this is where the light is, but I lost my keys over there." Meaning you have one month's worth of data, and you're running all your models on that one month. If your reconnaissance happened even six months to a year before, you don't even have the data. How are you ever going to catch that? So those are some of the things that we solve in terms of how you teach a machine to think. Yes, just like a self-driving car: teaching the machines to think from knowledge engineering that you've collected over a couple of years, talking to at least 1600 to 1800 incident responders. That's the reason that even when the source data doesn't exist, time to value is quicker, and you get a lot fewer false positives.

CEO and Co-Founder in Software, 3 years ago
From a simplistic perspective, at your public repositories, where hard-coded credentials and keys are the nirvana, I don't have to be intelligent. All I have to do is string searches. So those are some of the patterns you'll see from a government perspective. It's pretty diverse. 2000 was the first year Carnegie Mellon was tasked with secure software development. The government gave them $50 million to develop courses, so every university in the United States would start teaching secure software development. If you remember the 90s, we had something called zero-defect software. Clean rooms, clean software. We talked about how to avoid software errors. That was the concept, and it introduced secure software development. It was never put into practice. 20 years later, we're saying everybody should focus on shift left: catch the errors early, before they become a problem. I'm glad to be going back to the fundamentals. And there's also now in the government a big push on actually vetting code and also the libraries the government is going to allow or not allow. So we have a long way to go as a country; I don't think we are anywhere close. But I'm pleased that after 20 years, we're heading in the right direction. We're going back to the fundamentals and not shiny-object syndrome.
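The point above, that hard-coded credentials in public repositories can be found with plain string searches, is exactly why a shift-left check for them belongs before code is pushed. The following is an added example, not code from the thread or from any participant: a small pre-commit style scanner that combines fixed patterns with a Shannon-entropy filter so that placeholder values like `changeme` are not reported. The rule names, regexes and sample file contents are assumptions constructed for illustration.

```python
"""Pre-commit style scan for hard-coded credentials (added example)."""
import math
import re

# Rule names and regexes are assumptions for illustration, not a vendor rule set.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Captures the quoted value after password/secret/api_key/token style names.
    "generic_assignment": re.compile(
        r"(?:password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]([^'\"]{8,})['\"]",
        re.IGNORECASE,
    ),
}

def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, words and placeholders score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_source(text: str, entropy_threshold: float = 3.5) -> list:
    """Return one finding per suspicious line as {line, rule, snippet}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            # For generic assignments, require the value to look random so that
            # "password = 'changeme'" style placeholders do not flood the report.
            if rule == "generic_assignment" and shannon_entropy(m.group(1)) < entropy_threshold:
                continue
            findings.append({"line": lineno, "rule": rule, "snippet": line.strip()})
    return findings

# Constructed sample file contents; the key values below are fake test strings.
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = "changeme"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_key = "9f8b1c2d3e4a5b6c7d8e9f0a1b2c3d4e"
token = os.environ["API_TOKEN"]
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"{f['line']}: {f['rule']}: {f['snippet']}")
```

Run as a pre-commit hook over staged files, this reports the fake access key on line 3 and the high-entropy API key on line 4 while leaving the placeholder password and the environment-variable lookup alone.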
