From Andy Rappaport, Chief Architect at Core Security. We asked the Black Hat crowd a few questions about the state of information security. Here's my take on the findings! Your security team wants more money. No surprise here. Everyone wants a bigger budget, but we recommend focusing on effectiveness and efficiency. Find ways to automate, and free up your experts. Measure what’s working and what is not. Don’t just be a security geek – be a numbers geek, too. Measure your attack surface. Are your limited resources being allocated in a way that maximizes security? Be ready to prove it.
Enterprise security teams can’t handle the number of alerts they’re getting each day. This is a growing problem. You’ll never be able to tackle every vulnerability or security gap in your environment. If you’re playing whack-a-mole – prioritizing vulnerabilities by CVSS score alone – you’re doing it wrong. At Core Security, we solve this problem by identifying attack paths to critical assets. Think of it like working backwards from the hacker’s end-game. If a juicy security gap exposes an isolated machine – that’s less important than one that exposes some downstream crown jewel. Close the gaps that lead to the high-value targets first.
“Ignorance” is the biggest factor keeping today’s organizations from being secure. The human is the ultimate security endpoint. It’s our responsibility as security professionals to educate these users. It’s time to go beyond building an acceptable use policy or leading a one-time training session. Try revisiting best practices and test employees regularly to ensure they’re walking the walk. For example, if you implement a phishing test and find employees need training on the topic, test them again after the training is completed, six months out, a year out, etc. It’s also interesting that only 2% of respondents cited advanced hacker techniques as the biggest factor keeping today’s organizations from being secure. The basic stuff is what concerns them the most. And it should be – end users represent a huge attack surface.
Hacking into the average enterprise is about as hard as stealing candy from a baby. These responses could either be telling us that the Black Hat crowd is extremely confident in attackers’ capabilities (and rooting for the home team), or that that the average enterprise is unprepared to fight off today’s cyber criminals. It’s most likely that there is some truth to both of those conclusions. Also of note – you shouldn’t be giving candy to a baby in the first place.