The start of the Party Crashers (sign up here if you aren't already) series explored the shifting nature of attackers. In addition to taking a more disciplined, business-like approach, attackers value compromised credentials in their efforts. It lets them look like they belong, making them harder to detect and kick out.

Taking time to realize their changes and how it impacts our efforts drives a need for security to adapt, too. It signals the need to pause long enough to explore our current approaches, adjust our mindset, and then modify our actions.

Success comes when we embrace change. It starts by considering the way we've been doing things.

The challenge of holding on to legacy approaches as attackers adapt

The heritage approach many of us grew into and espoused is the noble desire to secure everything, absolutely. More than a job, this is a quest. We see ourselves locked in battle -- where budgeting and forcing choices based on value and returns in a changing environment are distractions. While moving at a rapid pace, we experience friction with the business as we lament the lack of resources we need to do it all.

While it often feels like we are racing uphill, backwards and barefoot, the reach challenge is less about what we're doing and more about how we're doing it. Recognizing the shift in mindset and tactics of attackers increases pressure on us to figure out how to adapt while serving our organizations.

Over the last decade or so, we improved our ability to capture and correlate information. What we're able to capture and work with is helpful. For many, though, the focus remains on the assets. Individual devices, network information, and the data we can gather. We have more information than ever before.

The rub?

We're capturing infrastructure data and struggling to use it to explain humans.

What used to be significant and important might be less so today. Because of the proliferation of devices on -- and off -- our networks, we have more information, which also means more noise. Sifting through the information to find the signal -- the value -- is a bit more complicated. Historically, we envisioned a strong perimeter and hardened systems. As the network topologies changed, we simply extended the approach. As a result, it gets harder to keep pace.

As an industry, we're using what we have, but looking for the wrong story. For now.

The reality is that perfect security isn't the goal. As we rely on external services, systems, and devices we don't control, it necessarily changes our focus. The story shifts. Our role is to ensure we have better insights into what is essential to the company. To make the right investments at the right time.

Our success depends on our ability to tell a better story.

Ultimately, the key lies in using the data we can capture -- perhaps with some improvements -- and interpreting it in different ways. Capturing trends and building in the context necessary for us to see what is currently eluding us. To share powerful insights with those we serve and guide our actions.

The change we need starts with how we think

The slightest misstep in our industry often carries big consequences. Struggling to keep up with the flood of risks seldom leaves time to consider the tools and solutions we have and how they contribute to our success. Often we're too busy, too scared, or too uncertain how to measure our returns that we struggle to recognize when something isn't working.

As a result, we cling to the investments and decisions of the past -- just in case. Slow to notice when a solution stopped working, we have a tendency to hold on to what used to work for too long.

Yet our attackers, now more disciplined and operating as a business, are far more comfortable assessing their investments. They understand sunk costs. When the tools they rely on demonstrate poor returns, they drop them and move on to the next. Always testing, always improving.

The last few years made clear the bias toward breach prevention isn't working. Now people are warming to the “assume breach” mindset. It marks a pivot from focusing disproportionately on prevention of breach to the realization that breach is inevitable, regardless of the size, industry, or type of organization. It guides the changes necessary for us to adapt successfully.

It helps to answer a simple question: “What happens when an attacker bypasses your preventative controls?”

Consider the methods of attackers to research the target and gain an initial foothold. They access from an anonymized location, stay in the shadows, and work on gathering - and compromising -- credentials. As soon as possible, they want to stop looking and acting like an attacker and blend in.

Instead of crashing the party, the attacker seeks to look and act like a welcomed guest. What happens when they pass the greeting table and look like they belong, name tag and all?

To make the change, we have to get comfortable with measuring and communicating the value we get from our investments and solutions. More, it means understanding and focusing on protecting the areas of highest value with the most effective tools and approaches.

It also means drawing on the experience of others. Consider the anti-fraud strategies used by the largest banks in the world. They rely on a combination of prevention, detection, and response tools and techniques to maintain fraud at or below acceptable levels. They measure, assess, and adapt on a routine basis. The goal is not zero fraud.

Drawing on their work to reduce and disrupt fraud, our goal is to reduce the likelihood and impact of a breach. Ultimately, it means bringing investment and action across the cycle of prevention, detection, and response into balance. Proper detection and response inform prevention. It means questioning if you are detecting the right things early enough. Then determine if the detection drives rapid, prioritized response. Regular measurement, assessment, and adaptation.

Instead of searching for a needle in the haystack, figure out how to be the right magnet.

Our turn to pivot with a focus on accounts

Attackers made the pivot to compromised credentials. It's our turn.

Otherwise, anything a legitimate user can do on your network, an attacker can do by simply compromising that user's account. Intrusion Prevention Systems (IPS) and other controls are not likely to block a finance manager from accessing financial or customer information, or a developer from accessing source code.

While accounts and people are not the same thing, associating activity to an identity requires extra care in terms of privacy. It also means thinking about how to handle service accounts typically created for a program or process to perform a specific function. Depending on limits and use, these accounts are forgotten-but-active. A popular target for attackers to compromise, how are these accounts monitored?

Make the pivot to focusing on accounts to gain an understanding of what people are really doing on the network. Good, bad, or indifferent, it's actual information on how the systems and information are actually used. That makes it possible to detect a different person using a legitimate account. Broader, it also means a better understanding of where and how to make investments across the system of prevention, detection, and response. It helps us change the story.

Embrace the change to raise confidence

To raise confidence in the security of our environment, we must tell a compelling (and understandable) story about how we're preventing, detecting, and responding to problems in our environment. Getting it right requires a shift in our thinking matched by a change in the tools and techniques we use. The benefit is a stronger security posture and more efficient use of resources.


Help me help you

As a conversation, this is your chance to ask questions and get what you need. Let's work together to make the case. Explore how to make the changes. Discuss and experience the benefits.


Share your thoughts, suggestions, questions, and the like below (or hit me on twitter @catalyst) and join us on Thursday to hash it out.