
On The Long And Winding Road Towards Better Data Security, Is “Assume Breach” A Dead End?

RANT Roundtable 10th December


Conversations between practitioners about cybersecurity challenges, tools and strategies have a tendency toward unpredictability. True, there are certain themes, ideas or topics that will inevitably come up – items on the bingo card that the more cynical participants in these conversations can tick off with a practised, weary sigh – but it is by no means a given that the talk will travel along pre-determined pathways, or even remain between some of the vague or aspirational guardrails that may have been set in place beforehand.

A RANT roundtable held just before the Christmas break proved to be one such. Sponsored by investigation and response automation specialists Binalyze, and with attendees briefed to expect a chat about whether the long-established “assume breach” concept was still worth the candle, the discussion began in one detailed corner of the topic and progressed outward via some apparently random leaps, as the underlying concepts continued to move and flow forward regardless – a bit like a frog jumping from lily pad to lily pad on the surface of a slowly moving stream.

Partly, perhaps, timing was a factor: nearing the end of another difficult year, with all the elements of looking back and taking stock that inevitably colour our thinking, a December dinner perhaps encourages a more musing atmosphere than might be the case at other points on the calendar. Partly, too, the overarching topic contains many complicatedly interconnected moving parts, each worthy of detailed discussion, so some dotting around from point to point was perhaps inevitable.

But what felt particularly critical – at least to the hack with the laptop in the corner, tasked with taking notes and later trying to condense them into this report – was the huge degree to which the specific context of the individual business affects the highest-level strategic considerations. Clearly, every organisation is unique: but even when challenges are widely shared, and there is broad agreement that a particular approach will benefit more or less everyone, the most urgent and important aspects this throws up for an individual security leader can often be entirely different, depending on the specifics of their business.

So, after a wide-ranging and engaging set of opening remarks from Binalyze’s senior vice president of growth, Steve Jackson, what followed was not a series of different specific perspectives on a shared central problem, but a series of individual questions about specific problems experienced by different organisations. This presents certain difficulties for your summariser, since the discussion – as with all RANT events – was held under the Chatham House Rule, and even revealing the sector an organisation operates in could give certain readers enough information to identify them. But some common areas of concern did emerge.

Think For Yourself

One shared challenge appeared to be how best to conduct cyber due diligence during mergers and acquisitions. This came up after a couple of attendees had lamented how the organisational structures within their businesses limited their room for manoeuvre when deploying security controls pre-emptively, and when thinking about the respond-and-recover phase.

“For us, the challenge is that we tend to think about critical systems rather than critical processes,” one security leader said. “That level of maturity, for us, may be behind other businesses.”

“We operate at different data classifications, and that gives people an excuse not to tell you about something,” another CISO added. “It’s always quite siloed. It becomes quite hard to join the dots.”

Although usually conducted prior to an acquisition or a merger, cyber due diligence may well help with problems such as these even in a business which isn’t in the middle of such a process. Jackson, who pointed out that Binalyze’s platform is being used by customers to assist with pre-acquisition forensic due diligence, was keen to hear how this work was being done in different organisations.

“It’s quite light touch, and varies depending on the sector: everyone does it slightly differently,” one security leader, whose experience was drawn from different businesses in different industries, explained. “My first step is, let’s have a standard framework, and get those costs and challenges [identified] up front. When you’re buying smaller companies, they want you to leave them alone, not corporatise them. [But then you may] have to buy bolt-on solutions,” which can happen without proper oversight, they warned.

That’s assuming such a process is allowed, of course. Using forensic tooling during an acquisition could be problematic, another senior security leader argued. “There’s competitive disadvantage to sharing some information prior to an acquisition,” they said. “The idea of deploying forensic tools is alien.”

Jackson described how Binalyze can square some of these circles for customers. The firm supplies an agent “that sits on the network access,” he explained. “The company [can then] deploy that into the target environment, and once it’s there, we provide forensic visibility – basically run a compromise assessment.”

But even if it can be done for or by one firm, others around the table said, that doesn’t mean it will be possible for everyone.

“That use case will not work in our enterprise,” one security leader said. “There is a level of competition law that would prevent us from doing that.”

Jackson added that another way in which Binalyze is being used in due-diligence projects is in cyber insurance, where the due diligence is performed prior to the policy being issued. Still, other CISOs suggested that if they were to attempt to do this on the systems of a company their firm was looking to acquire, it would not go down well. This part of the discussion was drawn to a close by one participant, who noted that “nobody does M&A because of security: they do it because of the business.”

Fixing A Hole

The conversation headed down a different but adjacent avenue when RANT’s co-host for the evening, Matt Summers, divisional CISO for Philip Morris International, asked about regulatory requirements. Acknowledging that there may be reasons why detailed access to systems ahead of an acquisition may be problematic, he suggested that in certain contexts, such access may well be mandatory. Indeed, access requirements may be considerably more detailed than simply getting a decent picture of the network, with red-teaming – simulated attacks, designed to test defences with realistic threats – sometimes being mandatory.

“From a regulatory perspective, [some processes] require red teams,” he noted. “In finance, for example, the threat intelligence phase and the red-team phase, they’re required to do it.” This sparked some spirited exchanges around physical security maturity, though these were inconclusive.

Various participants noted the slow pace of gathering data during due diligence, red-team campaigns and through security tools, never mind understanding it. Summers stressed the importance of providing visibility of areas that SOC analysts would not normally have oversight of. What those teams can do with that information emerged as a problem for many around the table, but, Binalyze argues, its tool can not only help to triage this information and make sense of the flow, but also enable analysts, who presently may be confined to lower-level tasks, to carry out work usually reserved for more senior team members. In effect, the company says, this will help both to advance the maturity of the organisation and to ensure that junior staff are given compelling enough work, and opportunities to advance, which ought to help the business with the ongoing challenge of staff retention.

“We give [SOC teams] access to more guided forensic data,” Jackson explained. “We don’t just give them data without context – we prioritise it. If you give that to your Level One and Level Two analysts, it shifts them up and to the right a bit. The outcomes are generally good. Of course, there’s some initial training we have to provide, but it’s not particularly extensive.”

You Never Give Me Your Money

The clash between regulatory requirements and meaningful business outcomes was a prevalent undercurrent to much of the conversation. In response to a question from Summers about whether any attendees took data from red-team activity as a basis for testing their respond-and-recover controls, one CISO summed up their view pithily.

“Knowing I can rebuild a server is great – but if you don’t tie it back to business outcomes, it’s crap,” they said. “You need to understand the value chain that’s supported. It’s a waste of time, effort and money, unless it’s to comply with a regulation.”

The vital importance of having a detailed and nuanced understanding of the specifics of what is important to each individual business – and the likelihood that, in most cases, this understanding is lacking – was raised in this context by another security leader.

“If you ask a business, ‘What are the Top Ten systems that’ll bring you to your knees?’, they wouldn’t be able to tell you,” they argued. “How can you protect the business if you don’t know what it relies on?”

Business priorities and detailed understanding of security may not be one and the same thing, another CISO warned.

“Top of mind for our board is: ‘What happened to Jaguar Land Rover – could it happen to us?’,” they acknowledged.

“There’s a good point about disparity between investments across the different business processes,” Summers agreed. “Do you think we’re not investing enough in understanding the business context around controls, and perhaps over-investing in the wrong respond-and-recover tools?”

This question prompted a response which seemed to unite and crystallise a number of the different strands of the discussion.

“I think, generally, the cyber world is disproportionately funded,” one CISO replied. “Most of our loss events are due to bad luck – people pressing the wrong button and doing the wrong thing. We lose far more from people screwing up than from people trying to screw us. There are tools that tell me there’s stuff that’s misconfigured, and there’s lots to patch – but I’ve been hearing that for 20 years.”

“Why don’t you fix them, then?” asked another leader, pointedly, to laughter around the room.

“Because the likely loss will be less than the cost to do it,” the CISO replied. “It’s literally not worth it.”

Tomorrow Never Knows

With the hour of discussion nearing its end, Summers brought the conversation back to the original objective. It has been some years since cybersecurity moved, conceptually, from being about building robust defensive walls to keep threats out, and on to assuming that threat actors would gain access and therefore prioritising limiting their ability to extract anything of value. But since adopting that position, has anything meaningfully changed? Threats still get through; ransomware and other attacks still succeed in their aims and objectives; businesses are still investing heavily in security tools yet still suffer breaches, losses and service interruptions. Is it time to let this shibboleth slide away into the background?

“I don’t assume my car’s stolen or my house has been burgled,” he noted. “Is saying ‘assume compromise’ just something we say to make ourselves look smart?”

“I’m going to take this back to regulatory compliance,” one security leader replied. “Times for mandatory reporting are reducing, yet most of our suppliers are not finding out [that they have had an incident] until very late. How can you prove you weren’t aware until six hours beforehand?”

“Boards are paranoid about this,” another leader agreed. “How can you prove you didn’t know? And will this make you liable for a fine?”

“Who’s going to ask you to prove that?” another CISO pushed back. “You can only report something when you know it.”

“Exactly,” another leader replied. “But how do you prove that you didn’t know?”

“The kind of tooling we’re talking about can help,” Summers said. “Because it can give forensic data, it has chain of custody, and you can produce the report faster. And if you can get to the root cause, [stopping the incident from spreading] becomes easier. You can remediate it once you know what the root cause is.”

Summing up, Jackson agreed that “the assume-breach mantra is a little tired these days,” and proposed a refinement of it as perhaps being more appropriate to today’s realities.

“We should assume we’re under scrutiny, and that there’s risk there,” he said. “But it’s clear from what we’ve heard that there’s a lot of complexity.”

Binalyze is a cybersecurity company delivering AIR – Automated Investigation and Response. Binalyze builds on the threat intelligence and alerts from your security stack, using AIR to dive deeper into systems, uncover root cause, and deliver the visibility and forensically sound context your tools alone can’t provide. This empowers security teams to investigate both proactive and reactive threats faster, respond with certainty, and stay ahead of attackers with precision.