Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

CISO Strategy

Dealing With the Carcinization of Security

Varied viewpoints as related security concepts take on similar traits create substantial confusion among security teams trying to evaluate and purchase security technologies.

Recently, a friend brought up the term “carcinization” and I must admit, I had to look it up! Turns out the term was coined more than 100 years ago to describe the phenomenon of crustaceans evolving into crab-shaped forms. Today, there are even memes for it. So, what does this example of convergent evolution have to do with security? It’s an apt description of how the security industry has evolved and why security leaders often struggle to determine the right security investments for their organization.

The security industry started out with a series of point products to solve very specific challenges. Organizations used endpoint antivirus, firewalls, IPS/IDS, and routers to protect themselves. Email and web security tools were soon added, along with SIEMs and other tools like ticketing systems, log management repositories and case management systems to house internal threat and event data. Endpoint detection and response (EDR) tools then came into the mix and a few years later served as the jumping off point for the next phase in the industry’s evolution. That’s when the traditional walls between endpoint and network security technologies began to crumble and product categories were no longer clearly defined.

Everything starts to look alike

When the concept of extended detection and response (XDR) was introduced a couple of years ago, industry analysts each seemed to have slightly different, but colliding, definitions of it. Some said XDR is EDR+ (with different opinions as to what the + consisted of) while others said XDR isn’t a solution at all, but an approach or an architecture. Those conversations continue today.

Now the industry is talking about threat detection, investigation and response (TDIR) platforms and depending on who you ask about the difference with XDR, you’ll get a different answer. Some say XDR is an overarching architecture and TDIR is the platform that integrates all the capabilities required for XDR. Others say TDIR is a process. And another contingent says they are one and the same.

The varied viewpoints as related security concepts take on similar traits create substantial confusion among security teams trying to evaluate and purchase security technologies to strengthen their organization’s security posture. At a time when the market should be maturing and moving security to a better place, these discrepancies prevent that from happening.

Use cases, not labels
So, how can security teams cut through the noise and confusion? In the carcinization of security, where everything starts to look and sound alike, it’s critical to focus first on use cases. To do this, start with what you are trying to accomplish, the associated workflows, and the people, processes, and technology required. From there, you can look at where the gaps exist and where to invest to achieve your goals.

Sometimes you may need a specific technology for a specific use case. Or, ideally, you find a platform that can handle multiple use cases security professionals are focused on today as security operations centers (SOCs) mature. These include spear phishing, threat hunting, alert triage, vulnerability prioritization and incident response.

For each of these use cases, context is critical to understand the who, what, where, when, why and how of an attack. With a security operations platform that can aggregate and correlate internal threat and event data with external data on indicators, adversaries and their methods, you can analyze multisource data and understand relevance to your environment based on parameters you set. Once you have the right data and context, you can pivot around a specific piece of data to understand and act. You can parse and analyze spear phish emails for prevention and response, prioritize alerts for triage, identify vulnerabilities to patch first, and accelerate threat hunting. Integration with the right tools allows you to send data back out across your defense grid to accelerate incident response, including blocking threats, updating policies and arming the organization against the next wave of attacks.

The truth is, the walls established to separate product categories should have been challenged sooner for the benefit of security. Organizations considering the latest acronym or spurred by the latest attack may have selected a different, more effective tool or platform depending on their goals, internal resources and capabilities. When everything starts to look like a crab and walk like a crab, we can’t rely on labels. We need to look at use cases, desired outcomes and the best path to get us there.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

SecurityWeek talks to Chief Information Security Officers from Bill.com, FreedomPay, and Tassat about their role and experience as CISOs.

CISO Conversations

SecurityWeek talks to Dennis Kallelis (CSO at Idemia) and Jason Kees (CISO at Ping), two of industry’s identity giants. The idea, as always, is...

CISO Conversations

U.S. Marine Corps and SAIC CISOs Discuss the Differences Between Government and Private Industry

CISO Conversations

While the BISO might appear to be a new role, it is not – and understanding its past provides insights into its present.

CISO Conversations

SecurityWeek talks to Field CISOs, Fawaz Rasheed (VMware Carbon Black) and Nabil Hannan (NetSPI), about this emerging role.

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.