Rise of the Machines
Cybersecurity Incident Response has only been a part of human history for a couple of decades. Over the short course of time, industry leaders, analysts and vendors have put a heavy focus on the importance of technology solving problems within the craft. In this series, we will examine the preeminent importance of the craftsman over his tools and the role tools should play in making the world safer.
Death to IDS long live IPS
In 2003, Richard Stiennon, an analyst at Gartner, wrote a report titled Intrusion Detection Is Dead – Long Live Intrusion Prevention. This controversial piece marked an important fork in the road for how cybersecurity would develop over the next 10 to 15 years. The article did not create the fork; it represented the desires and pressure that businesses were putting on the security industry to automate the defense of their networks and data.
Machines as Salvation
Businesses did not want to make security their problem. They did not want to create security operations centers or develop talent to staff them. They were demanding that capital expenditures on machines would address the problem so there would not have to be permanent operational expenses attached to a new, complicated division of the business. This effectively moved the responsibility of solving the business problems to cybersecurity vendors to build black boxes to do magic and protect the businesses.
This has resulted in billions of dollars ($130B in 2017) spent on these products. It has created a lucrative industry for startups. Thousands of differing products have been introduced as a result to cover gaps in the infrastructure and deliver on automated protection.
By 2012, the impact of cybersecurity breaches had become mainstream. The morning talk shows make the common man aware of breaches ranging from Target to the Whitehouse. Businesses have woken up to the reality that protecting their digital data and presence requires skilled people.
Machines as Taskmasters
After more than 10 years of business delegating the responsibility of protecting their data and networks to vendors, they began to bring the responsibility in house. The incident responders arrive to find disparate tools left over from the previous age. They are digging through logs and using interfaces that were created to stop security breaches not investigate them. The tools were built to compete against other vendors, not to enable the craftsman. The analyst receives thousands of useless alarms each day that the machines assert as work for them to perform. The people are working for machines.
Security Craftsman are faced with thousands of alarms from different systems with each alarm providing marginal value. With insufficient manpower, the responders are forced to move into perpetual triage. In extreme cases like disaster or war, crafts are forced into a temporary state of triage when there is no possibility of getting everything done. Incident response has been in a constant state of triage for years. This has forced responders to ignore the alarms from their tools and justify the constant failure.
Path to Success
In the following installments of this series, we will examine healthier roles between cybersecurity craftsmen and their tools. We will look at how organizations can use tools to empower them and move out of sustained triage.