Recently, a friend brought up the term carcinization and I had to look it up. It turns out that the term was coined more than a century ago to describe the process by which crustaceans evolve into crab-like forms. What does this example of convergent evolution have to do with security? It is a great analogy for how the security industry has evolved and why security leaders often have difficulty deciding which security investments are best for their organization. Initially, security was composed of a series of point products, each addressing a particular issue. Companies used endpoint antivirus, firewalls, IPS/IDS, and routers to protect themselves. Later, email and web security tools were added, along with SIEMs and other tools such as ticketing systems, log management repositories, and case management systems to store internal threat and event data. Endpoint detection and response (EDR) tools were then introduced, and this marked the beginning of the next phase in the industry's evolution: the traditional boundaries between endpoint and network security technologies started to break down, and product categories were no longer clearly defined. When the concept of extended detection and response (XDR) was introduced a couple of years ago, industry analysts had different, but overlapping, definitions of it. Some said XDR is EDR+, while others said XDR is not a solution but an approach or an architecture. Now the industry is discussing threat detection, investigation, and response (TDIR) platforms, and depending on who you ask about the difference from XDR, you will get a different answer. Some say XDR is an overarching architecture and TDIR is the platform that integrates all the capabilities required for XDR. Others say TDIR is a process. Another group says they are the same.
As related security concepts take on similar characteristics, this variety of perspectives creates a lot of confusion for security teams trying to evaluate and purchase security technologies to strengthen their organization's security posture. At a time when the market should be maturing and moving security forward, these discrepancies prevent that from happening. So, how can security teams make sense of all this? In the carcinization of security, where everything starts to look and sound the same, it is essential to focus first on use cases. To do this, start with what you are trying to accomplish, the associated workflows, and the people, processes, and technology required. From there, you can identify where the gaps exist and where to invest to achieve your goals. Sometimes you may need a specific technology for a specific use case. Ideally, though, you find a platform that can handle the multiple use cases security professionals are focused on today as security operations centers mature: spear phishing analysis, threat hunting, alert triage, vulnerability prioritization, and incident response. For each of these use cases, context is critical to understanding the who, what, where, when, why, and how of an attack. With a security operations platform that can aggregate and correlate internal threat and event data with external data on indicators, adversaries, and their methods, you can analyze multisource data and understand its relevance to your environment based on parameters you set. Once you have the right data and context, you can pivot around a specific piece of data to understand it and act. You can parse and analyze spear phishing emails for prevention and response, prioritize alerts for triage, identify which vulnerabilities to patch first, and accelerate threat hunting.
Integration with the right tools allows you to send data back out across your defense grid to accelerate incident response, including blocking threats, updating policies, and arming the organization against the next wave of attacks. The truth is, the walls established to separate product categories should have been challenged sooner, for the benefit of security. Organizations that bought into the latest acronym or were spurred by the latest attack might instead have selected a different, more effective tool or platform, depending on their goals, internal resources, and capabilities. When everything starts to look like a crab and walk like a crab, we can't rely on labels. We need to look at use cases, desired outcomes, and the best path to get us there.
This Cyber News was published on www.securityweek.com. Publication date: Thu, 02 Feb 2023 14:41:03 +0000