Security Budget Judo

Org Charts Determine Risk

A lot has been written about companies struggling to invest enough in CyberSecurity, given today’s epidemic of data breaches, ransomware, identity theft and other damaging online attacks. However, the discussion needs to be had at the next level of granularity. All budgets across the enterprise are allocated along organizational business unit lines, often divided down through the hierarchy. IT budgets are no different. Conway’s Law basically declares products are a function of their producers’ org charts. That’s a very appropriate strategic framework to apply against escalating security challenges.

TELEMETRY Tsunami

We propose a company’s CyberSecurity maturity, health and subsequent 1st to 3rd party risk can be similarly predicted via its org chart and related budgeting. Security analytics is a great example. As companies and/or their managed security providers grasp the volume of telemetry (traces, events, logs) they need to process, a heterogenous data flow hierarchy often emerges due to difficult budget tradeoffs.

It Takes a Village

Filter.png

A first wave of data is processed and filtered by free solutions such as the Open Source ElasticSearch distribution. The next subset of data requires closer scrutiny with better processing / filtering. That’s where many security teams decide to license or subscribe to the Elastic ELK Stack and related Security products such as a SIEM and Endgame EDR. Finally, where security analytics performance, efficiency and product maturity are most critical, enterprises reserve the smallest subset of their data for the premium charged by Splunk’s highly regarded solutions in this space. Notably, Splunk has already identified data pipeline integrity as a significant risk to mitigate within their own homogenous portfolio.

threat Risk to Self-Harm

However, this budget-driven heterogeneous data pipeline is itself a major security risk. Every one of the six common data transformation arrows (data collection → buffering (x3) → aggregation/processing → indexing/storage → analysis/visualization) represents an attack surface for MITM threat vulnerabilities and other popular Cyber Attacks.

Original image via logz.io at  https://logz.io/learn/complete-guide-elk-stack/

In particular, as machine learning data science advances make their way into security feature sets, Data Poisoning will become an existential threat to mitigate. Left unaddressed, this risk will effectively let attackers silently train the AI algorithms which their victims pay for a false sense of security. This goes beyond paying for a Red Team attack / pentest, all the way to literally enabling your Cyber Abuser.

Chain of Custody = Economic Security Hardening

The heterogeneous data pipelines built by SecOps teams out of budgetary necessity, inherently lack end to end data integrity. In light of the various vulnerabilities of these pipelines highlighted above, this is completely counterproductive. The chainkit service offers an elegant solution.

Pipeline Chain of Custody.png

A chain of custody can be wrapped around every component of (security) data pipelines, including the entire pipeline itself. Leveraging your choice of blockchain(s), this establishes an irrefutable mathematical (cryptographic) proof of integrity for all your analytics, including the security data pipelines most often targeted by adversarial attacks.

Chains of custody implemented in this manner are highly robust, substantially raising the cost of an attack. Bad actors and their malware would need to compromise thousands of independent nodes distributed across the globe on well-governed and decentralized blockchains. That’s a completely impractical economic proposition today. Which means even attacks with escalated Admin/root privileges cannot evade hardened monitoring or tamper with underlying data sets and pipelines covered by these Chains of Custody. Just imagine how easily this detection model can be applied to monitoring and compliance of Waterfall CMDBs, Declarative Configurations, DSC and many other valuable resource within your organization!

Cyber-Target.png

Budget Judo Changes CyberSecurity Equation

IT CyberSecurity is not without a sense of irony. Budget limitations present a challenging dilemma for security team defense, which turns out is best solved via cyber crime economic deterrence.

Flip the script. Change the equation. Let’s see if we can get #BudgetJudo trending and take a big bite out of the lucrative CyberCrime industry!