I had a conversation last week. It didn't go as expected, so I think it's worth sharing...
[Customer]: We're thinking about doing proactive threat hunting. What do you think?
[Me]: Great. But why?
[Customer]: Well... we were told it was best practice...
[Me]: It is for some businesses. Is yours one of them?
[Customer]: What do you mean?
[Me]: Let's start at the beginning... Do you have the security foundations in place? Meaning:
[Customer]: Yes.
[Me]: Fantastic. And what are the main threats that you face as a business?
[Customer]: Phishing scams—we've had a few staff members buy store cards over the years and provide the serial numbers, but the email filters and security awareness training are working well. And ransomware—while we have mitigations, we would prefer not to rebuild the IT infrastructure.
[Me]: Anything else?
[Customer]: Well, the usual - making sure customer-facing systems are patched and up to date...
[Me]: It sounds like you have a great foundation.
[Me]: So, let's think about threat hunting. You aim to find something not picked up by your antivirus/EDR or your Conditional Access proactive risk monitoring... Would this task be something to add to someone's task list, or would it be a new hire?
[Customer]: Hmmm... not sure.
[Me]: No problem... Let's assume that someone proactively finds a possible issue... Who will analyse and assess the threat you are facing? And who is going to design and implement the mitigations?
[Customer]: Hmmm... not sure.
[Me]: Let's look at this from a different angle. Are you in a high-risk industry that is constantly at risk from cyberattacks? I mean industries like banking and finance, defence, healthcare or a sector handling large amounts of highly sensitive personally identifiable information (PII) data?
[Customer]: Erm, no...
[Me]: Ok, no problem... Are you planning on making proactive risk hunting a core part of your business or a strategic differentiator against your competition?
[Customer]: No... I take your point.
Were they going to continue to pursue the idea of proactive threat hunting?
The customer decided to sleep on the idea.
The next day, I received a call... they were going to investigate proactive threat hunting but with clear guidelines.
The customer had a young, talented IT team member who was keen to work on threat hunting.
However, rather than adding threat hunting as a teamwide task, it would be part of this specific staff member's professional development. They would be given time to work on threat hunting and gain knowledge and experience, but it wouldn't be recognised as one of their performance KPIs.
The situation will be reviewed in six months to determine whether proactive threat hunting offers a strategic competitive advantage.
...I suspect that a straight "No, we aren't going to do that" decision was too uncomfortable without further information.
What is right and best practice for one business or sector is not necessarily best for all other businesses.
The critical foundations of cybersecurity are the same across all businesses and must be rigorously enforced. However, beyond this, the choice of security solutions depends on:
This level of nuance is often missed in an industry prone to selling "just one more security tool".
Unless the security tool or process directly addresses a business need, it should be questioned.
Cybersecurity is a cost of doing business, just like finance, HR/recruitment, and legal.