Left of Boom presented at ISSA 2019

by Brian Contos

Summary: The term “Left of Boom” was made popular in 2007 in reference to the U.S. military combating improvised explosive devices (IEDs) used by insurgents in Afghanistan and Iraq. The U.S. military spent billions of dollars developing technology and tactics to prevent and detect IEDs before detonation, with the goal of disrupting the bomb chain. This is an analog to cybersecurity, where we strive to increase the incident-prevention capabilities of our security tools and, where we can’t prevent attacks, augment prevention with incident detection and response tools.

If you feel that you don’t have the cybersecurity evidence to know, empirically, what’s working, what’s not, how to fix it, how to verify the fix worked, and how to make sure it stays working across your security tools, your people, and the processes they follow, this presentation is for you. There is an urgent need for evidence in cybersecurity regarding the effectiveness of specific systems as well as the overall security system of systems. Are my security tools preventing, detecting, logging, correlating, and alerting? Does the new configuration, patch, rule, or signature result in what was intended? Are systems that were working before still working, or have they drifted from a known good state? Without evidence about our security effectiveness, how can we ever empirically answer these questions and get our organizations to the “left of boom”?

Studies across endpoint, network, email, and cloud security tools have established that, on average, we’re only getting about 15-25% effectiveness out of our incident-prevention security tools. When it comes to incident detection, it’s as low as 25-35% effectiveness. And for SIEMs, their ability to effectively correlate and alert ranges between 0-45%. We haven’t put a big enough dent in our risk profile, and we’re wasting time, money, and resources by not getting value from these security tools.
In most cases, the problem isn’t that we have bad technology or ineffective security teams. Instead, it’s an inability to effectively measure, manage, improve, and communicate the security effectiveness of our security tools in a scalable manner that results in actionable evidence. From a leadership perspective, we’re not able to communicate our security effectiveness to executives based on evidence because we don’t have the evidence. This is devastating, as cybersecurity isn’t about cyber risk – it’s about the financial and operational risk from cyber. Without evidence, executive decision makers can’t do their jobs effectively when it comes to protecting shareholder value, revenue, and reputation. This presentation will demonstrate automated methods to mitigate these problems. It will identify approaches that you can apply to improve the effectiveness of your security tools, security teams, and processes. Following this presentation, you’ll be able to develop your own strategy to get “left of boom.”
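As an added illustration of the evidence the summary calls for (not part of the presentation or of any vendor tooling), the following Python scores a validation run across the five stages the summary names (prevent, detect, log, correlate, alert) and flags drift against a known-good baseline. The test IDs and outcomes are constructed sample data; in practice they would come from safe, pre-authorized test cases replayed against your own control stack.

```python
from dataclasses import dataclass

# Stages the summary asks about: did the controls prevent, detect, log, correlate, alert?
STAGES = ("prevent", "detect", "log", "correlate", "alert")


@dataclass(frozen=True)
class Outcome:
    """Observed result of one test case (hypothetical ID) against the control stack."""
    test_id: str
    prevent: bool
    detect: bool
    log: bool
    correlate: bool
    alert: bool


def effectiveness(run, stage):
    """Percentage of test cases in `run` for which `stage` succeeded."""
    if stage not in STAGES:
        raise ValueError(f"unknown stage: {stage}")
    if not run:
        return 0.0
    hits = sum(1 for o in run if getattr(o, stage))
    return round(100.0 * hits / len(run), 1)


def scorecard(run):
    """Per-stage effectiveness, the evidence to put in front of leadership."""
    return {stage: effectiveness(run, stage) for stage in STAGES}


def drift(baseline, current):
    """(test_id, stage) pairs that passed in the known-good baseline but fail now."""
    known_good = {o.test_id: o for o in baseline}
    regressions = []
    for now in current:
        before = known_good.get(now.test_id)
        if before is None:
            continue  # new test case, nothing to compare against
        for stage in STAGES:
            if getattr(before, stage) and not getattr(now, stage):
                regressions.append((now.test_id, stage))
    return regressions


# Constructed data: baseline captured right after a fix was verified ...
BASELINE = [
    Outcome("T1", True, True, True, True, True),
    Outcome("T2", False, True, True, True, True),
    Outcome("T3", False, False, True, False, False),
    Outcome("T4", True, True, True, False, False),
]
# ... and a later run in which T2 still detects but no longer logs, correlates or alerts.
CURRENT = [
    Outcome("T1", True, True, True, True, True),
    Outcome("T2", False, True, False, False, False),
    Outcome("T3", False, False, True, False, False),
    Outcome("T4", True, True, True, False, False),
]
```

Running `scorecard(CURRENT)` shows the drop in the log, correlate and alert stages, and `drift(BASELINE, CURRENT)` pinpoints the regressed test case and stages so the fix can be re-verified rather than assumed.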