In 1984, the movie Red Dawn depicted a group of high school students who attempt to fight off a Soviet invasion of the United States. The teens commandeer sophisticated weapons and use guerrilla tactics to counter the attack on their homeland. Despite their resourcefulness and bravery, the better-trained and better-coordinated Soviet-led forces take their toll.
Today, many organizations are implementing what I call “Red Dawn Security.” The metaphor is not far off. Companies are under constant cyberattack from nation states and well-resourced criminal enterprises. The Russians are back, but they are fighting with phishing emails instead of tanks. APT29 is the new MiG-29. Organizations often respond using guerrilla tactics with fancy high-priced weapons (un-tuned security tools) and (often poorly trained and understaffed) internal security teams. Unfortunately, not every high school has a student body able to take on nation-states.
Nevertheless, to draw from the limited supply of qualified candidates, security organizations have added slick “next-generation” security tools. Of course, it is hard to attract and retain qualified security talent if all you do is basic blocking-and-tackling security work. So, staff are encouraged to do “cool” things like purple teaming and threat hunting. All of these are legitimate activities, but the tools take constant tuning and the defensive techniques require a lot of training.
Good security is a delicate mix of processes and technology working together, constantly exercised and improved. Most organizations are buying more tools than they can handle. In fact, more tools don’t help; they often make things worse.
Are things really that bad? Yes. At Bobcat Cyber, we simulate nation-state attacks on customer networks to see how well their defenses are operating. The security performance is almost universally poor. Those high-priced security tools never seem to work as well as advertised.
The vast majority of companies need to leave cyber defense to the pros. Organizations should find a reputable Managed Security Services Provider (MSSP) and keep them accountable through independent testing that simulates real-world cyberattacks. Let’s end Red Dawn Security.