The human species has always had a fascination with speed. The first recorded athletic contest was a foot race at the very first Olympics in 776 BC. Sir Roger Bannister shot to international fame in 1954 when he became the first person to break the four-minute mile. Chuck Yeager is celebrated for breaking the sound barrier. And almost as soon as the automobile was invented, we have been hard at work setting and breaking land speed records.
Why, then, are we content to be so slow when it comes to threat detection?
According to the 2019 Verizon Data Breach Investigations Report (DBIR), a successful attack can unfold in a matter of minutes. Yet the timeline for measuring detection and containment is most often expressed in terms of weeks or even months. Think of how much damage a hacker can do if they have two or three months inside a network to get the lay of the land, conduct surveillance, and follow through with their plans.
If you are a CISO who has assembled a team and crafted a plan to protect your enterprise, these statistics need to get better. You have a mandate from the CEO and board of directors to keep resources safe. You operate under the scrutiny of regulators, and when something goes wrong, the CISO often ends up as the scapegoat.
That’s why CISOs need to speak up and demand that the vendors they rely on do better, move faster and deliver on the outcomes the industry actually cares about. That was the undercurrent of discussion at our CISO Manifesto event earlier this year, when a panel of experienced and respected security experts, and a room full of CISOs from across the spectrum of industry, expressed frustration with what CSO Rich Mason, president of Critical Infrastructure, described as an operating environment that is vendor-defined and practitioner-delivered.
Speed of detection and response is one of the areas that needs to become practitioner-defined and vendor-delivered. When it comes to the role of speed in cybersecurity, we know the thresholds we have to beat. The volume of unique malware samples created and unleashed every second of the day demands that, for prevention, defenses be able to detect potential threats and render accurate verdicts in less than a second. That is a far cry from the weeks and months we’ve been conditioned to expect. As for containment, researchers at CrowdStrike have measured the “breakout time” of the most skilled state-sponsored teams, the interval from initial compromise to lateral movement into the rest of the network, at just under 19 minutes. That is far faster than the days the DBIR says it takes most enterprises to isolate and neutralize the threats they find.
What are the other metrics? And how do we measure them consistently across vendor solutions, so that results are comparable across the industry?
Anne Marie Zettlemoyer, vice president of security at Mastercard, put it more bluntly: “Until you are able to measure, how do you know your tech is working? Until you know, you’re managing by intuition; you’re managing by anecdote.”
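Measuring starts with the two numbers the post already names: how long an intruder had before anyone noticed (time to detect) and how long before their access was cut (time to contain), compared against the adversary breakout time. The script below is an added example, not code from the original post or any vendor; it parses a constructed incident timeline (the log format, incident IDs and timestamps are invented for illustration) and reports median time to detect, median time to contain, and which incidents were closed before a fast adversary would have broken out. The 19-minute threshold is the CrowdStrike figure cited above.

```python
"""
Added example (not from the original post): compute time-to-detect and
time-to-contain from incident timelines and compare them against the
adversary breakout time cited in the post. The log format and incident
data below are constructed for illustration only.
"""
from datetime import datetime, timedelta
from statistics import median

# The fastest state-backed teams moved laterally in just under 19 minutes
# (CrowdStrike's reported "breakout time"), so that is the bar to beat.
BREAKOUT_TIME = timedelta(minutes=19)

# Constructed timeline, one event per line:
#   <ISO-8601 UTC timestamp> <incident id> <phase>
# Phases: compromise (first attacker activity established by forensics),
# detect (first alert someone acted on), contain (access cut / host isolated).
SAMPLE_LOG = """\
2019-08-05T09:00:00Z INC-1 compromise
2019-08-05T09:06:00Z INC-1 detect
2019-08-05T09:15:00Z INC-1 contain
2019-08-05T10:00:00Z INC-2 compromise
2019-08-05T10:30:00Z INC-2 detect
2019-08-05T11:45:00Z INC-2 contain
2019-08-01T09:00:00Z INC-3 compromise
2019-08-03T09:00:00Z INC-3 detect
2019-08-05T09:00:00Z INC-3 contain
2019-06-01T00:00:00Z INC-4 compromise
2019-06-22T00:00:00Z INC-4 detect
2019-07-06T00:00:00Z INC-4 contain
"""

PHASES = ("compromise", "detect", "contain")


def parse_timeline(text):
    """Return {incident_id: {phase: datetime}}, rejecting malformed input.

    A timeline with a missing phase or phases out of order would silently
    produce a negative or meaningless metric, so it is refused instead.
    """
    timelines = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 3 or parts[2] not in PHASES:
            raise ValueError(f"line {lineno}: malformed event {line!r}")
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        timelines.setdefault(parts[1], {})[parts[2]] = ts
    for inc, phases in timelines.items():
        missing = [p for p in PHASES if p not in phases]
        if missing:
            raise ValueError(f"{inc}: missing phase(s) {missing}")
        if not phases["compromise"] <= phases["detect"] <= phases["contain"]:
            raise ValueError(f"{inc}: phases out of chronological order")
    return timelines


def time_to_detect(phases):
    """Dwell time before the first alert that was acted on."""
    return phases["detect"] - phases["compromise"]


def time_to_contain(phases):
    """Total attacker access time, from compromise to containment."""
    return phases["contain"] - phases["compromise"]


def summarize(timelines, breakout=BREAKOUT_TIME):
    """Median metrics plus the incidents closed before the breakout time."""
    ttd = [time_to_detect(p) for p in timelines.values()]
    ttc = [time_to_contain(p) for p in timelines.values()]
    beat = sorted(i for i, p in timelines.items() if time_to_contain(p) <= breakout)
    return {
        "median_time_to_detect": median(ttd),
        "median_time_to_contain": median(ttc),
        "worst_time_to_contain": max(ttc),
        "contained_within_breakout": beat,
        "share_within_breakout": len(beat) / len(timelines),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_timeline(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Medians are used rather than means because a single months-long intrusion (INC-4 in the constructed data) would otherwise dominate the average and hide how the team performs on a typical incident; the worst case is reported separately so it is not lost. Feeding the same format from two vendors' alert streams gives a like-for-like comparison of the speed metrics the post is asking for.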
We’re holding a roundtable event called the Cybersecurity Combine on September 19th at Hero City at Draper University in San Mateo to dive deeper into this. What are the right “tests” for enterprises to use when evaluating new security products, in particular, AI-based threat detection? Think of it as similar to the annual NFL Combine, during which players go through a series of physical and mental exercises to measure attributes like speed, agility, strength, and intelligence.
The discussion will be moderated by Rich Mason and co-hosted by DataSec, Inc. Visit the event’s website for more information and to register to attend. I’d love to see you there and to get your input.