Security operations: New terminologies for old problems?



The cyber security industry numbers almost 4,000 software vendors worldwide. Despite the approximately 15 percent that leave the market each year, the number is growing every year – and there is no end in sight. This also applies to terminologies, which increase every year. As a result, it is becoming increasingly difficult for decision-makers to get an overview.

It is the same with vendors as it is with terminologies.

Alongside genuinely successful companies there are many soldiers of fortune and “snake oil” vendors – and just as much marketing wording and ‘business bullshit’, as aptly described in the recently published book by Jens Bergmann. The market is simply flooded with new terminology and marketing messages which, on closer inspection, turn out to be empty phrases and artificial words.

Business bullshit in all cyber security spheres?

This applies not only to the market as a whole, but also to niches such as Security Operations Centers (SOC). Want an example? The list is long… Here is a small sample of terms and acronyms:

• SIEM (Security Information and Event Management)
• SOAR (Security Orchestration, Automation and Response)
• NDR (Network Detection and Response)
• EDR (Endpoint Detection and Response)
• XDR (Extended Detection and Response)
• MDR (Managed Detection and Response)
• CTI (Cyber Threat Intelligence)
• Attack surface
• Threat Hunting
• Zero Trust

To understand: the current ‘buzzwords’ MDR and XDR are ultimately just evolutions of the long-established SIEM, SOAR, EDR and NDR, which denoted the collection of relevant data on endpoints and network devices and its central consolidation (ideally as events) in order to support SOC teams and automate their operations. What for? So that organizations can operate current technologies with as small a team as possible, in a way that – in addition to automated detection – also surfaces anomalies that are hard to recognize as the early stage of an attack through automated detection alone, without producing too many false positives.

There is rarely anything new behind the new terminologies.

In very few cases do the current terms denote genuinely new technologies; at best they are ‘repackagings’ or commercializations of earlier open source or personal projects. Technology providers in part do what technically interested, knowledgeable people have been doing for years, and put this into paid, ready-made packages – which, hopefully, will be maintained and further developed in line with the times.

Is there such a thing as the “jack of all trades” of the cyber security scene?

Many vendors of such next-gen solutions – Augmented Intelligence, Artificial Intelligence, Machine Learning, Supervised / Unsupervised, Deep Learning, etc. – claim to be able to cover and fulfill everything. Here it is important not to confuse their visions with reality.

AI as a panacea? – dream or reality in the near future?

With respect to AI, most of the cyber security industry was convinced early on that artificial intelligence was the cure for all ills. Industry experts continue to promise that AI can solve all of the pressing problems of the day. From the labor shortage, to fully automating the security team through autonomous operations, to detecting “unknown unknowns” – and even protecting against non-existent adversaries – AI is supposed to fix all of it.

Experts know: In reality, more AI has been written in PowerPoint than in code.

One approach may be to view AI less as “artificial intelligence” and more as “augmented intelligence” – and to use it as such. It is true that artificial intelligence can already solve many things better than humans, but not yet well enough. Moreover, the human, i.e. natural intelligence, continues to be the decisive factor behind the artificial.

Well-founded decision-making aids show the way through the cyber security jungle.

How are IT decision-makers supposed to find their way through this confusing jungle and choose the right one from the [seemingly novel] offers and possibilities? How can they efficiently find the answers to the most important questions?

• Which solutions & tools do companies really need?
• Which cyber security systems significantly increase the level of security?
• What processes facilitate the work of cyber security departments and specialists?
• Which selection criteria are relevant for medium-sized companies, and which should corporate decision-makers pay attention to?

In short: CXOs, heads of IT departments and all responsible stakeholders need decision-making aids to identify what is a pure marketing gimmick – and what actually promises value and benefit for the entire organization or the interacting systems.

New terms & solutions – old strategies.

While the terminology in the IT industry has changed, the way decision-makers work has remained the same. – And that’s a good thing! Because anyone who really decides on budgets must not be guided by high-powered marketing promises, but must engage seriously with the technological aspects, talk to several qualified providers and test different solutions.

IT decision-makers under time pressure – or – Marketing always wins!

The problem: Because decision-making deadlines are getting shorter and shorter, expectations are getting higher and higher, and the urgency for quick solutions has increased enormously in recent years, IT architects, analysts and decision-makers often have far too little time in reality to make truly solid decisions. The result: the best-known vendor, who often shines through marketing, gets the deal. – And not the perhaps more inconspicuous provider, who puts its budget not into marketing, but into innovation and function.

Decision criteria & filter options.

The crux of “brand recognition of a provider versus depth of technical knowledge” raises new questions in the selection process:

• How can decision-makers escape the “marketing trap”?
• How can decision-making times be reduced to a minimum without risk?
• According to which filter criteria should one select in order to find state-of-the-art solutions suited to one’s individual situation?

In principle, what has always been true applies:

Security does not begin with technologies and even less with products; security begins with a process. And which technologies fulfill this process and thus ultimately contribute to security is decided by the process and the individual circumstances of each individual IT landscape.

The future certainly belongs to AI, ML & Co., but in many parts of the industry their genuinely reliable and useful application still seems a long way off.

Security by Obscurity – AI (still) in the Twilight.

What use is it if a large part of the alleged artificial intelligence is nothing more than rule-based expert systems that generate a vast number of false positives and take systems offline on a daily basis even though there was no threat at all?

What’s more, essential processes often still run in a black box. But security by obscurity has never been a good tactic.

There is a fundamental difference between a company pretending to be an AI company – and companies that demonstrably use mature techniques associated with the term “AI” – to solve cybersecurity problems.

Protection against known threats no longer sufficient.

The fact is that mere protection against known threats and attacks is no longer sufficient by a long shot.

IT is like health: It is better to always live a healthy life – and not to react only when an illness has already occurred.

IT decision-makers should therefore make sure that their system is not infiltrated and keep it “healthy”. After all, if they have to act hastily – in the event of an attack – it is usually already too late. The damage has already been done.

Gerald Hahn, Gatewatcher Cybersecurity
Achim Kraus