Beyond vulnerability scanning: Enhancing attack surface management for more proactive security

July 1, 2021

Denial is Keeping Your Security Posture Stuck in the Past

By: Michael Reznick

Humans are experts at denial! We tend to assume that a problem is less likely to affect us if we do not acknowledge it — a dangerous defense mechanism. We see this all over our society: from end-of-life planning, to going to the doctor when something scary hurts, to recognizing that a virus can cause a global pandemic. This extends to IT security. Throughout my twenty-year career in security, people’s ability and tendency to deny what’s in front of them has remained a consistent theme. We can see denial’s footprints in the wave of recent security incidents. It is far easier to ignore best practices than it is to change your entire operational process: “It could never happen to me!”

Security Teams are Overworked and Overburdened with Denial

Currently, security is governed by denial. This is due to an onslaught of alerts and patching work for which there simply isn’t enough time in the day. I have sat in meetings where security decision-makers have said they did not want to do additional tests on their system because addressing new targets would add too much work! In one of my very first sales meetings at Randori, a security decision-maker told me that he did not want to know about risks on his attack surface — if he knows about a risk, he has to address it. 

However, this line of thinking will only lead to greater risk in the real world. By contrast, when you can see your network the way an attacker sees it, you can prioritize your targets based on actual attackability rather than playing whack-a-mole with a blindfold on. We need to make a change in security — denial is hindering our ability to protect our organizations.

Denial has led our IT security industry astray — and our current outdated security solutions are only exacerbating the problem. Security teams continue to run penetration tests even though they objectively know that an annual snapshot of their security perimeter only solves 1/365th of their problem. Vulnerability management tools drown blue teams in alert fatigue, until they end up ignoring real security threats. Meanwhile, breach and attack simulation tools are choreographed scrimmages which do not adequately prepare blue teams for real-world nation-state level attacks. Despite the known flaws and continuous attacks, organizations continue to increase spend on the same tools without adding much capability.

Security Needs a New Approach — The Attacker’s Approach

I’m sure you’ve heard that the bad guys will get in, and that we have to protect, detect, and defend. The only way to do that effectively is to practice based on reality, not on an artificial checklist we design around our own fears.

Think about a SOC team as a flight crew learning to fly. A fighter pilot goes through several different layers of training: in lectures, on whiteboards, on flight simulators… but eventually they have to get in a plane and take to the sky. If they let their fear of flying keep them on the ground until a fight happens, they’re going to lose.

Current security solutions only take you as far as the flight simulator — Randori lets you fly. In order to be prepared for a real incident, you have to recognize where denial is woven into your process and replace it with visibility: that means logging, monitoring, exposing shadow IT, reducing noise and knowing where an attacker is likely to strike. Once you see your organization from the attacker’s perspective, you can recast your processes to reflect the reality of the situation. For security to succeed in the modern era, you have to understand your organization’s attack surface and continually stress-test your defenses against real attacks.

Randori: Continuous, Authentic and Armed with Hacker Logic

As security practitioners we have to recognize denial in ourselves and in our organizations. Randori’s Attack Surface Management (ASM) solution (Recon) provides a real-world picture of your attack surface from the attacker’s perspective. Randori’s Continuous Automated Red Teaming (CART) solution (Attack) will test your ability to protect, detect, and defend your enterprise against real-world, nation-state level attackers. Randori is your ability to recognize denial, shatter the mirage of your perceived reality and see yourself through your attackers’ eyes.

