The growing value of information and systems coupled with the shifting nature of attackers puts a lot of pressure on security professionals to demonstrate results. Adding to the challenge of balancing competing interests, resource constraints and budgets is the need to figure out how to improve.

The increasing interest in compromised credentials from attackers demands our attention. Focusing on accounts and looking for compromised credentials requires action. The challenge is taking the right action. Equally important is finding a way to address the resource constraints and find the budget to make the changes. Otherwise, this becomes a costly endeavor with a request for more people and more money - and no certainty of results.

Get ahead of the curve by focusing on three actions that lead to success.

The key to detecting compromised credentials: discover the signal in the noise

Changing our mindset from ‘prevent breach’ to ‘assume breach’ creates a need to improve detection and response capabilities. If an attacker (individual or group) has already breached your preventative measures, what do you need to look for?

Advances in logging, improvements in storage, and the rise of ‘big data’ to try to make sense of everything lead to a natural desire to simply capture as much information as possible. The real and costly downside to this approach is the work of finding valuable and timely information in the flood of available data.

The common result from this approach is a large volume of alerts. Alerts often require manual intervention to assess. Too many alerts amount to noise, preventing the team from homing in on actionable intelligence that guides immediate action. Alerting for the sake of demonstrating “something” is expensive and frustrating.

Ultimately, it means logging and looking for the right things. To tell a story about people means looking at the information differently.

When we focus on credentials to establish normal patterns of usage, it's easier to detect when credentials are compromised. The concept of behavioral analysis isn't new. The challenge in building an effective and efficient solution is capturing and analyzing the right things. In most cases there is no single indicator, so detection means consuming and looking at multiple indicators.
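The multi-indicator idea above, as an added example (not from the original article or any product): a per-account baseline is built from past logins, and a new login is flagged only when several indicators deviate together. The event fields, host names, indicator names and the two-indicator threshold are assumptions, and all sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events: (account, source, asset, hour_of_day, success)
HISTORY = [
    ("alice", "wks-014", "fileserver", 9, True),
    ("alice", "wks-014", "mail", 10, True),
    ("alice", "wks-014", "fileserver", 14, True),
    ("alice", "vpn-gw", "mail", 20, True),
    ("bob", "wks-022", "crm", 8, True),
    ("bob", "wks-022", "crm", 13, True),
    ("bob", "wks-022", "mail", 16, True),
]
NEW_EVENTS = [
    ("alice", "wks-014", "fileserver", 11, True),   # routine
    ("alice", "wks-014", "hr-db", 15, True),        # one deviation: new asset
    ("bob", "wks-022", "crm", 21, True),            # one deviation: late hour
    ("bob", "srv-util-03", "fileserver", 3, True),  # new source, new asset, odd hour
]

def build_baseline(events):
    """Per-account profile of sources, assets and hours seen in successful logins."""
    base = defaultdict(lambda: {"sources": set(), "assets": set(), "hours": set()})
    for account, source, asset, hour, success in events:
        if success:
            p = base[account]
            p["sources"].add(source)
            p["assets"].add(asset)
            p["hours"].add(hour)
    return base

def indicators(event, baseline, hour_slack=2):
    """Names of the indicators on which this event deviates from the account's baseline."""
    account, source, asset, hour, _ = event
    # An account with no history has an empty profile, so every indicator fires.
    p = baseline.get(account, {"sources": set(), "assets": set(), "hours": set()})
    hits = []
    if source not in p["sources"]:
        hits.append("new_source")
    if asset not in p["assets"]:
        hits.append("new_asset")
    # Circular distance on a 24-hour clock, so 23:00 and 01:00 are two hours apart.
    if all(min(abs(hour - h), 24 - abs(hour - h)) > hour_slack for h in p["hours"]):
        hits.append("unusual_hour")
    return hits

def triage(events, baseline, threshold=2):
    """Alert only when at least `threshold` indicators fire together."""
    return [(e, hits) for e in events if len(hits := indicators(e, baseline)) >= threshold]
```

With `threshold=1` the same four events produce three alerts; requiring two concurrent indicators leaves only the login that deviates on source, asset and hour at once.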

Consider and assess current efforts by asking, “Does this level of detection increase or decrease my workload?”

Ease resource constraints with smart automation

It often feels like we lack the time in security to address everything that demands our attention. Layer in the challenge of tracking down and verifying alerts, and it's possible to miss the trail of attackers in the noise. When you are struggling to find enough time and energy, any change in the process and environment needs to ease constraints instead of adding new ones.

The good news is the solution to better security does not always require more people. While many teams would benefit from additional qualified headcount, immediate gains are possible when we consider the role of automation.

Realizing the benefit of automation requires time to consider what needs to be automated, and the smartest possible way to do it. If you automate a broken process, you just get an automated broken process. This is where it helps to visualize and draw out the current process, reflect on it, then map out an approach that improves efficiency and effectiveness.

Making the right investment here means more than automating a key process. It means freeing yourself and your team up to focus on areas of higher priority and more value. Even better, by adopting a system that gives you accurate insight into how people use the systems and information, you'll know where the areas of higher priority and value are.

You can even bring those insights to the business and partner with them to make the right decisions regarding actions and investments. You'll get back time, energy, and maybe even some peace of mind knowing you're capable of doing more and focusing on the things that need your attention.

Funding is more important than budget

Naturally, making the change requires the funding to make it happen. Instead of letting this serve as an obstacle, turn it into an opportunity.

Consider the difference between budget and funding. Budgets tend to include specifics and line-item amounts. They are a way to align spending with priorities and projects. Often, budgets are tied to specific solutions or elements. Most organizations, yours included, have funding. It could be from unused budget, unexpected revenue, or a variety of other resources.

To convince others that funding these changes is a good investment, follow these three basic steps:

  • Focus on the outcome: consider and explain what better detection of compromised accounts means, in functional terms, to the business (and/or to the person who has the budget). A key benefit of focusing on accounts, looking for compromised credentials, is a keen insight into what is really happening on the network. Join the conversation to explore more.
  • Map the outcome to the investment: tell the story. Use the elements from this series to demonstrate how the investment creates a business benefit. Include a clear explanation of how you will measure the results to prove the investment paid off.
  • Use industry trends and information: draw on the research and other available sources to demonstrate that to be in line with other organizations, you need to modify your investments a bit. While people feel getting too far in front of the pack is risky, they also don't like lagging too far behind. It's not the lead argument, but more of a supporting player in the entire process.


The key is making the case that the available funds are better spent on the effort at hand than on something planned, an action already in progress (cut your losses), or doing nothing. Demonstrate the value of the approach using these additional considerations when making the case:

  • Save money: depending on your budget, you might be able to make the case that a shift in approach saves money. Maybe it means selecting a different product or solution (something not known or available during the budgeting process). It could demonstrate a reduction in the need for consulting.
  • Improve capabilities: equally successful is demonstrating -- through a distilled, articulated story -- how this change increases the capabilities of the team. Often described as the ability to ‘do more with less,’ it presents the opportunity to demonstrate a rapid return on investment. That breeds confidence that you understand the business and make smart decisions.
  • Cost avoidance: penalties, fines, and other costs tend to be higher in the wake of an incident (whether or not it rises to the level of a breach). Since the landscape has shifted over the year, this is a chance to make some changes to reduce the potential of higher costs later.

For many in technology, this is an uncomfortable process. Embrace the temporary discomfort to realize the gains for you and the organization. Invest the time and effort to strike the right balance and connect with the decision makers and influencers controlling the available funds. Success isn't about gimmicks. This is about having candid conversations where everyone comes to a mutual understanding.

Action demonstrates strength

We often worry about making a mistake. Worse, we want to make sure others see us as competent and in control. That sometimes gets in the way of the candid conversations we need to have with others.

We get concerned that driving a change is a signal that we somehow screwed up.

We didn't. You didn't.

Things are changing. Strength is realizing those shifts, mapping a plan, and acting. The next part in the series looks at the specifics of building a successful solution. But first -- join us this Thursday to learn how to invest in yourself and your team. Explore the benefits of detecting the right things, at the right time, and in actionable ways. Do more with less, and get the funding to make it all happen!