We have to take a more aggressive approach to security across the board - because those who attack our networks aren’t signing a code of ethics and they aren’t following a playbook. They will do anything and everything they can to achieve their goal (which can be money, PII or obtaining information for more nefarious use at a later date). Part of this is getting past any concerns about testing – as it can be inconvenient, disruptive and might even potentially embarrass someone... But I’d argue breaches are MUCH worse.
Now I realize you can’t make everyone get on board at once. Some people need to warm up to the idea of testing and this led us to develop simulated attacks. When we launched INSIGHT just under a year ago we knew that our algorithm had the “GPS” to calculate attack paths and then actually exploit those across an infrastructure. (The idea - this would help organizations who can’t or don’t want or can’t afford to hire red teamers or folks who do this testing as a service).
Seems pretty straightforward, but not everyone is ready for full scale testing. So, to help organizations “get there” we carved out attack planning capability and put that into the latest rev. of INSIGHT (announced this week). We wanted to help organizations to see (basically, simulate) what paths of attack can lead to their most critical information. Then if you want, you can take the next step. I’d say this represents a good job of us listening to the market: build what they ask for, not what we "think" they need.
Security people - whether you are one, or work with one - sometimes get too focused on over-communicating things like “We just stopped 34,765 malware attempts.” Well, is that good or bad? Are we excited we hit that number or are we worried there were that many attempts? How many times have you heard someone jumping up and down with their proverbial hair on fire, saying there’s a [fill-in-the-blank] vulnerability – without context?
The business doesn’t understand why they should care. So let’s help them “get there” and contextualize security for both the executives and the business. Listen to what the business is telling you and what it needs from you to be successful. Talk less about the bits and bytes and more about what is critical to the business, and you’ll find the path to true partnership is not as difficult as exploiting an OpenSSL de-allocation vulnerability (oops, there we go again ;-)).
-- Mike Yaffe, Director of Enterprise Product Marketing