
A Sheep in Wolf’s Clothing: Technology Alone is a Security Facade

The power of the technology to defend our IT systems is only as good as our ability to evolve it in the face of ever-changing adversary tradecraft

After over 20 years in cybersecurity, I firmly believe that technology alone has not, and will not, win the war on cyberattacks. The idea of a purely technical solution providing lasting protection is flawed from the outset. The claims of security vendors that only bring technology to the cyber fight are the equivalent of a sheep in wolf’s clothing: they sound great and look convincing, but almost never live up to the hype. Now, I am not saying that technology is not important, even critical, in this fight. It is critical, provided it is properly informed.

As attack surfaces grew and the exploitation of IT systems became known, and eventually mainstream, the importance of threat intelligence became clear. That insight is still critical today and provides an important service to companies that want to understand their attack surface or have experienced a breach. Today, we also recognize that threat intelligence delivered continuously, and combined with technology, is critical.

Cyber threat intelligence has a few key principles it must follow for it to be effective. I will approach this from an email security perspective since that is the area in which I am most involved.

1. Threat intelligence sources must be agnostic to vendor technology

If you only get threat intelligence from your email filtering or secure email gateway (SEG) vendor, you are missing huge swaths of threats. SEG vendors are happy to report the threats they caught, but they would undercut their own reputation by highlighting the threats they miss, so they rarely do. Similarly, you cannot depend solely on the vendor that provides your mail client or mail service to provide quality indicators of compromise (IOCs). A range of sources is needed, and ideally, you should get your data from across vendors and platforms.

2. Your user base is a valuable source of intelligence for your enterprise

The recipients of emails are where threats are seen first. Therefore, a well-trained workforce that reports the threats that reach their inboxes is gold and represents the tip of the spear in phishing tactics and tradecraft. These threats traversed your technology defenses and made it to the victim. If your user base can report these threats quickly and easily, and your Security Operations Center (SOC) teams can respond, you can get on top of these emerging threats. So, ask yourself whether your insight into phishing threats is informed by your user base as well as by other users across the globe. Do you have a suspicious email reporting mechanism? Do you train your employees to recognize today’s phishing threats? Do you encourage reporting across your workforce rather than discourage it through punitive programs? All these factors make an enormous difference in how much knowledge reaches you and how diverse and timely it is.

3. Threat intelligence must be timely and actionable

Threat intelligence that is indecipherable, lacking context, late, in a complex format, or unable to be ingested where it is needed is worthless. It can be worse than worthless, because it distracts critical resources and wastes your employees’ time. Threat intelligence feeds, and the tools that consume them, must be properly aligned with each other and with the current landscape. This highlights the importance of putting in place an approach to catch emerging threats that made it past email filters, like SEGs, so that those gaps do not become a costly blind spot for your organization. Utilizing your own workforce as sensors ensures timely awareness of bad emails that made it into employee inboxes and enables your SOC or managed service provider to get to work faster. Then, implementing an internal process to distribute these insights throughout your entire technology stack empowers you to become your own source of highly relevant intelligence stemming from actual threats that targeted your organization. This intelligence can then be applied to your organization’s training programs, such as phishing simulations, to make these important exercises more relevant.
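The loop described above (employee reports a suspicious email, the SOC extracts indicators, the indicators are distributed with context and without duplicates) can be sketched in a few lines. This is an added illustration, not code from the column or any vendor product; the reported message is a constructed sample, and `example-invalid.test` is a placeholder domain.

```python
"""Turn a user-reported phishing email into timely, context-rich indicators.

Added illustration of the report-to-distribution loop; not the column's own code.
The message below is a constructed sample using a reserved placeholder domain.
"""
import email
import hashlib
import re
from datetime import datetime, timezone
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample: what a user might forward to the SOC reporting mailbox.
REPORTED_EML = b"""From: "IT Helpdesk" <helpdesk@example-invalid.test>
To: alice@corp.example
Subject: Password expires today
Content-Type: text/plain

Reset here: https://login.example-invalid.test/reset?u=alice
"""


def extract_iocs(raw: bytes, reporter: str, seen: set) -> list:
    """Return NEW indicators from one reported message, each carrying the context
    principle 3 asks for: type, value, source, reporter, subject, first-seen time.
    `seen` persists across calls so an indicator is distributed only once."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    found = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender:
        found += [("sender", sender), ("domain", sender.rsplit("@", 1)[-1])]
    body = msg.get_body(preferencelist=("plain", "html"))
    for url in URL_RE.findall(body.get_content() if body else ""):
        found += [("url", url), ("domain", urlsplit(url).hostname or "")]
    for part in msg.iter_attachments():  # hash any attachment as an indicator
        digest = hashlib.sha256(part.get_payload(decode=True) or b"").hexdigest()
        found.append(("sha256", digest))
    records = []
    for kind, value in found:
        key = f"{kind}:{value}"
        if not value or key in seen:
            continue  # already pushed to the stack; avoid re-alerting
        seen.add(key)
        records.append({"type": kind, "value": value, "source": "user-report",
                        "reporter": reporter, "subject": str(msg.get("Subject", "")),
                        "first_seen": now})
    return records


if __name__ == "__main__":
    for rec in extract_iocs(REPORTED_EML, "alice@corp.example", set()):
        print(rec)
```

Each record is plain JSON-serialisable data, so the same output can feed an SEG block list, a proxy deny list, or a phishing-simulation template without depending on any one vendor's format.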

I am very much a technologist who loves building great products. I also believe technology alone will not solve cyberattacks. I know the power of the technology we build to defend our IT systems is only as good as our ability to evolve it in the face of ever-changing adversary tradecraft. Therefore, vendor-agnostic technology, married with actionable, globally sourced, and continually evolving intelligence, augmented by humans, is needed to defend our enterprises.
