This is a depressing post about security in the real world (what … another one?)
In any case, we are having those enlightened debates about log analysis (via SIEM/UEBA), network security monitoring (via NTA or, if you’d like, NDR), endpoint detection (via EDR) and overall about SOC. Even threat hunting comes up. All very exciting! Very stimulating!
But guess what all these security technologies have in common? They all rely on something that the cyber security team does not own or control: IT infrastructure.
To run a SIEM, or even just to collect logs, you need configurations changed, credentials obtained, access allowed or agents deployed; then the logs need to be gathered and forwarded to the analysis engines.
To do NTA, you need access to traffic via taps, packet brokers or SPAN ports; you also need the network infrastructure to work harder to capture data, not just to move packets.
To do EDR, you need agents deployed or admin credentials obtained (if you are lucky enough to have an agentless EDR); these may mean additional performance requirements too.
All this relies on IT. This also means that many discussions about layered defense, detection and response, monitoring just die, because – hey! – often the good guys seem to prefer to fight other good guys. Specifically, the good guys in IT fight the good guys in security.
Am I too cynical here? Not really – you all secretly know that IT dysfunction kills security (example)!
For example, Augusto wisely pointed out that “organizational challenges” sometimes lead to network monitoring being chosen ahead of, or instead of, endpoint monitoring.
What does it really mean?
This: imagine that you are comparing a great EDR vendor (good + fast + cheap, pick all 3 at 1/2 the price, detect APT, does not affect performance, UI is beautiful, support team sends you thoughtful gifts) and a shitty NTA vendor (costs a lot, drops packets, generates mostly “false positives”, befuddles with their UI, support team does not pick up the phone and only sends you bills).
However, you – the security manager – are friends with the network team at your organization, while the desktop team hates your guts. They’d rather the organization be hacked, because they want you to be fired as a result. They will never allow any “horrible security agents” to be installed.
Would you be able to make a sensible technology decision? I’d vote NO. You choose network monitoring over endpoint monitoring as the first, and very likely also the last, step in your detection and response strategy.
Similar frictions happen between the vulnerability assessment function (part of security) and platform teams responsible for patching. I’ve seen examples of “great vulnerability scanner + great system management tool + BAD team friction = total failure.”
So, Anton, why was this written? For two reasons:
- First, to warn the vendors: sometimes your technology is great, but it totally fails in the real world. Innovate, but think about real world challenges and deployments.
- Second, to remind the defenders to play along and seek to minimize “fighting the good guys.” Defend, but also build bridges between different groups of the good guys.