This post is a convergence of a few things: our recent foray into more basic security areas (moving from threat hunting toward vulnerability management, for example), my experiences at a recent Security Summit and, of course, recent ransomware-like incidents (from WannaCry to Petya).
So, we analysts do lots of 1on1s at Gartner events; these are essentially in-person client inquiries. It so happened that I took a decent number of 1on1s with organizations (some large!) that had just hired their first security professional (likely a manager, but sometimes a technologist) or that had no full-time security people at all (so a Director of I&O or even a CIO was talking to me). Many of these organizations were definitely not SMBs! The epiphany that resulted from this is as follows: a lot, A LOT of perfectly great security advice is 100% useless for those guys.
First, everything that starts with “have your security team …” goes into the wastebasket. Next, everything that requires specialty skills (“have your SIEM engineer do…”, “your incident responders will…”, etc.) goes for a toss too.
Indeed, even larger organizations buy more boxes than they have people to run them, but for these guys the situation is dire: no box that requires an FTE will deliver value to them due to the lack of said FTE. So, essentially no SIEM, no EDR, no DLP, no UEBA, etc.
Sure, some security tools perhaps can be run by IT operations teams (firewalls by networking, EPP by the desktop team). On the other hand, telling these companies to rely on “shoot and forget” [well, relatively so!] preventative controls like …you got it… firewalls and EPP is also bad advice, since they are no match for today’s “better” threats. This also gives birth to such clichés as “ransomware only affects ‘security-stupid’ organizations”, etc. – not really, but it does affect the short-staffed more than others…
Some of you are reading this and thinking, “Hold my beer, I am going to quit my job and start an MSSP! WIN!” Hold on! MSSP alerts need to be triaged, somebody needs to tell an MSSP which security settings you want changed, etc. All this requires people with security knowledge. By god, even selecting the right MSSP requires security talent; otherwise there is a high risk of the vendor taking advantage of you. Also, as an MSSP, you’d face some of the same talent shortage and cost issues…
Where are you taking all this, Anton? Three conclusions:
- we are all kinda screwed since “damned if we do, and damned if we don’t”
- if you think you can do security well without security people, you are so deluded – and probably breached too
- however, we need to REALLY focus on making the available people work effectively and efficiently.
This is the only way to survive! “Force augmentation” should be the only game in town.
And, no, it does not automatically mean “buy SOAR tools” because their current implementations often require a lot of good people to jump-start the implementation…
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.