BY Darren Anstee | 2024-10-16 | 3 minute read

We all know that despite our best efforts, multiple layers of security, and personnel training, preventing businesses from being compromised isn’t always possible. Let’s not dwell on the reasons for this, as they are well known. What’s clear is that the realization that prevention alone isn’t working has driven many businesses to shift focus to detecting compromise as quickly as possible, allowing them to intercede before incidents escalate.

Businesses usually achieve this through a combination of technologies—some network-focused and some endpoint-focused—which leverage various signature-based mechanisms and AI-enabled behavioral analytics. However, the degree to which organizations succeed in detecting threats varies greatly. The sad truth remains that despite the significant investments we collectively make each year, the mean time to identify a breach (MTTI) consistently hovers around 200 days. This leaves plenty of time for bad actors to find what they are looking for once they get inside. Visibility is key to improving this because, as the saying goes, “you can’t secure what you can’t see.” There are two aspects of visibility that I want to talk about, as they materially impact an organization’s ability to defend against today’s threats. The first is where they have visibility.

WHERE IS THE VISIBILITY?

Historically, prevention technologies were deployed at external perimeters to keep threats out—which made perfect sense at the time. In many cases, the external and user edges are where we continue to focus detection capabilities and efforts. The challenge here is that if something gets inside, we can’t see it until it touches one of these monitoring points. This leads to the long dwell times we see in numerous threat studies. Today, most organizations have multiple boundaries within their infrastructures. Having visibility at each of these internal boundaries (east-west visibility, as it’s sometimes known) provides more opportunities to detect anomalous activity, reducing the chances that attackers will remain undetected for lengthy periods. While doing this requires greater scalability and flexibility in our detection solutions, in my experience, it significantly reduces the risk of a major security incident.

THE IMPORTANCE OF CONSISTENCY

The second aspect of visibility I want to talk about is consistency. Pretty much every organization now operates across a mix of legacy, virtual, and containerized platforms, with workloads often spread across one or more cloud environments. All of these environments provide us with some level of visibility, but the mechanisms for achieving it vary in terms of the metrics and granularity they provide. Trying to build a picture of ‘normal’ behavior from these disparate datasets, especially as workloads and data are moved around, can lead to numerous false positives and negatives regardless of how sophisticated your security tools are. This invariably de-sensitizes or overloads security processes, making it easier for threats to slip through unnoticed.

A helpful analogy, given the recent start of the rugby and football seasons, is player analysis. Understanding how players are performing, both individually and as part of a team, is essential to maximizing performance. Visibility is key to that understanding. Now imagine if you could only watch the rugby players between the 22-meter lines, with one half of the pitch only showing you where the ball was and the other showing you only where the players are. Your ability to quickly understand what was going on in the game, and how players were performing, would be extremely limited. This is the situation many businesses face today when it comes to detection. They have inconsistent, fragmented visibility.