Zscaler Blog
The Modern Data Security Fabric & the Arbiters of Risk
Speed, Velocity, and Acceleration. The physics of motion is well documented, and we understand how these scalar and vector quantities differ. In InfoSec and cyber risk management the dynamics are not as well understood, which has confused our ability to distinguish between motion and progress. This confusion intensifies our escalating risk cycle by creating a mirage of control that continues to lead us down a path of compromise, catastrophe and harm, adding not only to our growing cyber labor shortage but also to broader societal cyber risk.
Let’s start with some basics on the physics of motion. Speed is a scalar quantity: a measurement of magnitude regardless of direction, such as 65 MPH. In the cyber context, a measure of motion would be things like patching hygiene levels, time to detect, time to contain, or a wide variety of other incident, vulnerability, and attack surface management metrics traditionally used in our security operations and in board reporting on how well we are doing with respect to our cyber defenses. You know... trying to figure out an equation to "measure stuff that didn't happen."
The problem with using these types of metrics in the cyber context is that we are confusing motion with progress. This focus on motion leads to more of the same broad-based, spray-and-pray approach. We set goals for ourselves to patch faster, monitor more, reduce time to detect, and reduce time to contain. While these have added some value, they have also increased our total cost of controls and legal liabilities, and in some cases created a false sense of security as well as an inaccurate portrait of the actual state of risk.
To achieve real progress in cybersecurity, we need measurements that are vector quantities, like velocity or acceleration. Vector quantities are a better approximation of progress because they include not only magnitude but direction, such as 65 MPH southwest. Now we know where we are headed in addition to how fast we are getting there. In the cyber context, obtaining not only the direction but, more importantly, the proper coordinates that give specific, proactive direction on where action and capital planning can mitigate risk is challenging but not impossible.
In the cyber context, this means things like understanding pre-breach activity and the anatomy of an attack so that points along the entire attack path can be understood and actions taken to break the attack chains that exist. This sort of attack path reduction is where we can demonstrate real risk reduction, because steps have been taken that reduce attacker opportunities not just at an initial point of compromise but along the entire attack path that leads from that initial foothold through our organizations to a point of material impact, such as the loss of sensitive IP or PII, or a critical system taken offline. We need pervasive cyber resiliency that ubiquitously makes it economically irrational for an attacker to take aim at our business. If only there were a data security fabric to ingest, format, group, resolve and enrich our security information from our vast organizational tooling.
So, how do we reorient our entire security operations function so that it is optimized to handle the volume of activities it is responsible for? How do we reposition ourselves from an anchor point of continual reaction to one where our SOC can take proactive action ahead of the cycle of risk? First, we need to understand the fundamental difference between being vulnerable and being exploitable. Understanding that separation in the context of your business is critical to making informed decisions about cybersecurity. Secondly, we need the capability to easily map these attack paths and understand the exploitable pivot points that lead from the initial foothold or point of compromise through our environment to the catastrophe that causes material impact to our organizations and our customers. When both conditions are met, we can optimize our security operations, shifting from an anchor point of reaction to one of proactive cyber risk management.
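As an added illustration (not part of the original post, and not a Zscaler product or API), here is a small Python model of the two conditions above: the inventory, asset names and pivots are constructed and hypothetical; an asset counts as exploitable only if it sits on a chain from an initial foothold to a material-impact asset, and the smallest set of intermediate pivot points whose hardening breaks every such chain is the prioritized fix.

```python
from collections import deque
from itertools import combinations

# Constructed inventory (hypothetical asset names): asset -> assets an attacker
# who controls it can pivot to, i.e. a vulnerability that is also reachable.
PIVOTS = {
    "phish-workstation": {"file-server", "jump-host"},
    "file-server": {"hr-db"},
    "jump-host": {"hr-db", "build-server"},
    "build-server": {"ip-repo"},
    "hr-db": set(),
    "ip-repo": set(),
    "legacy-kiosk": {"print-server"},  # vulnerable, but leads nowhere material
    "print-server": set(),
}
FOOTHOLDS = {"phish-workstation", "legacy-kiosk"}   # initial points of compromise
IMPACTS = {"hr-db": "PII loss", "ip-repo": "IP loss"}  # material-impact assets

def reachable(graph, start):
    """Every asset an attacker can reach from `start` by chaining pivots (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def on_attack_path(graph=PIVOTS, footholds=FOOTHOLDS, impacts=IMPACTS):
    """Exploitable assets: reachable from a foothold AND able to reach an impact.
    A vulnerable asset that fails either test is not (yet) exploitable."""
    from_foothold = set().union(*(reachable(graph, f) for f in footholds))
    return sorted(n for n in from_foothold if reachable(graph, n) & set(impacts))

def chokepoints(graph=PIVOTS, footholds=FOOTHOLDS, impacts=IMPACTS):
    """Smallest set of intermediate assets whose hardening breaks every
    foothold -> impact chain (brute force; fine for an inventory this size)."""
    candidates = [n for n in on_attack_path(graph, footholds, impacts)
                  if n not in footholds and n not in impacts]
    for k in range(1, len(candidates) + 1):
        for cut in combinations(candidates, k):
            pruned = {n: edges - set(cut) for n, edges in graph.items() if n not in cut}
            if not on_attack_path(pruned, footholds, impacts):
                return sorted(cut)
    return []  # no intermediate cut exists (e.g. a foothold reaches impact directly)

if __name__ == "__main__":
    print("exploitable:", on_attack_path())
    print("break the chain by hardening:", chokepoints())
```

In the constructed inventory the legacy kiosk is vulnerable yet never exploitable, so patching it is motion; hardening the two pivot hosts is progress.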

On the vertical axis we can categorize our work from tactical to strategic. Being strategic means that we are doing what is necessary to identify the organization’s long-term interests and that we have the means of achieving those interests. Our customers strategically want a bend in the curve of the risk they are experiencing as well as a reduction in the total cost of controls. Both have been growing for decades for a myriad of reasons, particularly "compliance-informed defense."
On the horizontal axis we can categorize our work from reactive to proactive. Proactive means creating or controlling a situation by causing something to happen rather than responding to it after it has happened. Being proactive would then, by almost every implication, lower risks and lower costs, especially if you had the specific coordinates (devices, identities, applications, network segments) within your enterprise to break attack paths before an event occurred.
So why, then, are most security operations anchored in tactical reaction, with some limited strategic reaction activities such as incident response, vulnerability management, and APT hunting? Many would argue it is due to resource constraints: they don’t have the budget, the talent, or the tools. While this may be true in some cases, consider that we are in this situation because of the paradigm on which the entire security industry has been built. I think in many ways the concept of zero trust is born out of the failures of the security industry. The firewalls, the anti-virus, the data loss prevention software, the hygiene efforts: all of these failed to deliver the trust necessary to protect the integrity of information assets, physically and logically, and were routinely exploited to cause harm to our businesses, customers and stakeholders.
There has always been a tendency in post-breach process to identify the "Who" associated with an attack. We want to know who the threat actor or threat agent is, whether a nation-state, organized crime, an insider, or some hacktivist organization, so that we can ascribe blame for what occurred and for the damage inflicted. In over a quarter century of working in cyber, I can assure you that you will struggle to find a more uncontrollable variable, yet this is what many gravitate toward, believing it will satisfy every remediation and recovery effort.
The truth is, this only provides psychological comfort, like an anxious child clutching a teddy bear during a thunderstorm, and quite often distracts us from asking the one question that can really make a difference: “HOW did this happen?” But even those who asked HOW have answered with simple vulnerabilities: we had an unpatched system, we lacked MFA, or the user clicked on a link. The current focus on the WHO, the WHY, and a HOW framed only in terms of vulnerability does the industry, and everyone else, very little service. We need to rethink, refocus and reimagine the Security Risk Equation to examine the complex details of how attacks really occur so we can prevent them in the future. We need a continuous offensive perspective and threat-informed defense to drive our control selection and allocation.
The primary variable in the security risk equation is having the maximum chance to impact risk where an organization is exploitable. I can't manage the threat actors or agents, but I can manage my exploitability to their arsenal of tactics, techniques and procedures, the ATT&CK matrices. From a consequence and impact perspective there are only three primary consequences we need to focus on: Confidentiality, Integrity, and Availability (the CIA triad). Each of these has different potential impacts on an individual, on an organization, or more broadly on society, depending on the technology or data attacked. When we examine “how” attacks are accomplished, we see three core targets for attacks:
- Attacks on identity and access authorizations
- Attacks focused on the execution of malcode
- Attacks that create a Denial-of-Service (DoS)
So, what must always be analyzed, acted upon, and reported to management is HOW an intrusion or attack could be successful, so that we can provide prescriptive recommendations and choice architecture on how to eliminate attack paths, as well as where to prioritize detection of anomalous activity to intercept attackers before we incur harm. Risk mitigation isn’t just about calculation; it’s about contemplation. This shift in focus to Risk Hunting, Attack Depth Management, Exploitability Management and Avoidance of Material Events is strategically proactive and is where real economic value lives, and it is where the concept of a data security fabric has become increasingly vital in our complex and sprawling security stacks.
Ultimately, as organizations look to optimize their data management and security operations, the adoption of data fabrics, like Zscaler’s, becomes not just beneficial but necessary. By breaking down data silos, enhancing analytics capabilities, and supporting real-time decision-making, a data fabric empowers security teams to protect their organizations more effectively in an increasingly data-centric world, one where security leaders become the data-driven arbiters of risk as we continuously and objectively paint that portrait of risk, laden with integrity.