Is prevention-first security possible when IT is moving at machine speed?

RANT London Roundtable May 2026

Bigger isn’t always better in cybersecurity. Organisations arguably have more data, more tools and more vendors than ever before. But a surfeit of point solutions isn’t doing anyone any good. It threatens to drown the SOC in noise while expanding the attack surface for adversaries. At the same time, the bad guys have become past masters at hiding in legitimate traffic and abusing regular tools. Shadow IT adds more opacity and headaches for your average CISO.

In this context, is prevention even possible? Or are security teams doomed to repeat an endless reactive, detection-first cycle? Some of London’s finest cybersecurity leaders gathered at a RANT roundtable recently to debate the issue with each other and their hosts at Bitdefender.

Trying to catch your shadow

A common refrain from those round the table was the scale of shadow AI in their organisations. In many cases, the pace of technological change is so fast that security teams don’t have time to work out a strategy for managing usage before the landscape changes again.

“They all want to try out the new tools,” said one CISO. “But it’s moving ahead of us. They want advice and we can’t figure out our own strategy to give them advice. I’m between a rock and a hard place.”

Another security leader struck a similar note. “You’ve got to get involved but you don’t know what your advice is yet because it’s moving so fast the advice changes,” he said.

Amid this uncertainty, the IT security team must try to manage risk without impeding productivity, said another, describing a “stampede” for the latest AI tools in his organisation. “The challenge for us now is if we say ‘no’ people are just going to go around us,” he said. “It’s very important we say ‘I can see you doing this, but we’d rather you did it this way’; so you’re giving them a solution.”

The solution for some is “enablement rather than blocking”, by buying powerful enterprise AI tools for their users. That way, at least the security team knows that proprietary data is not leaking out of the enterprise, one CISO explained.

Another attendee claimed that simple economics may well come to the rescue of security teams, in that when AI inference becomes unsustainably expensive for business leaders, they may be more inclined to adopt controls.

“The crazy days we’re seeing now where everyone is doing anything they like is going to come to an end pretty soon, because it’s getting expensive,” he predicted. “As soon as it gets expensive they’ll say ‘we don’t like that anymore’. Cost will put a brake on it and they’ll want more control.”

Get your priorities right and your governance in order

However, that imagined future is not quite here. In the meantime, attendees round the table agreed that visibility into usage is critically important. But, as one CISO argued, visibility alone is worthless unless it generates insight.

“People get comfort from data, but if you’re not getting meaningful insight into that data it’s useless,” he said. “Shadow AI and IT mean your perimeter is now a long way from that database you might have in your SIEM.”

All of which suggests that a security strategy based around detection is prone to blind spots. Similarly, important signals can get lost in the noise – or “basic nonsense bubbling away on a day-by-day basis”, as one attendee described it.

“You can’t take your eye off the ball in terms of what you can see just because you’re worrying about what you can’t see,” he argued.

Another agreed, adding that understanding where to focus the efforts of the security function is key.

“We can’t control everything. We have to be clear about our risk appetite,” she said. “For the minimum viable business and critical data services our appetite is low, but the rest of it is always slightly higher. You have to get comfortable about the discomfort of not being able to control everything.”

Making them pay

Others were not so fatalistic. It is possible to stop threat actors in their tracks with the right approach, one incident response leader suggested. In a recent red team exercise, the ‘adversary’ attempted to abuse legitimate tooling to gain an advantage. But an eagle-eyed member of the team spotted that the update they were trying to perform was not being deployed inside a legitimate patching window.

The other important element was that the engineer who spotted the issue had the confidence to push back and investigate further, he said, highlighting the importance of a strong culture of “challenge” in the organisation.

“The context of the detection and then having the confidence and backing to challenge the person that validated the malicious activity and take it further were key,” he said. While impressed, others round the table agreed that this level of SecOps is only for the most mature organisations.

In the meantime, technology is here to help. Bitdefender Global Director of Cybersecurity Services, Nicholas Jackson, explained how the vendor’s new PHASR approach can dynamically reduce the attack surface and reduce abuse of legitimate tools. It does this by disabling unnecessary tools and services on a user-by-user basis, minimising their risk exposure.

“It means that you’re not giving an attacker access to legitimate tools, forcing them to bring in external resources which will then trigger XDR technologies a lot quicker,” he explained. “So you’re less likely to get false positives and you’re making their life more difficult.”

Like any security solution, it’s not a silver bullet. In fact, it’s designed to run alongside other tools. But for CISOs drowning in data, shadow IT and machine-speed threats, it’s reassuring that they can also make things uncomfortable for their adversaries.
