Two KPIs Essential for Measuring Security Tools
Last month I discussed cybersecurity effectiveness, particularly in regards to the growing threat of fileless attacks. But effectiveness is only one piece of the equation.
First and foremost businesses still need to go about their business. Unfortunately, it has long been the case that the more effective a cybersecurity tool is, the slower and more intrusive it is and the more effort it takes to manage it. The complexity and pain of managing – not buying, managing! – security tools often forces companies to reconcile themselves to unacceptable exposure, for example to security-related business disruption, for want of resources to manage cumbersome defensive technology.
Security supports the business best when it is simple, keeping out of the way, not distracting from business objectives or forcing it to change the way the business works. Two KPIs, speed and ease of use, are essential measures for any security tool. Speed and ease of use add up to simplicity and bring security, IT, and the business together.
Start with speed
Time is not the friend of cybersecurity. Once an attack infiltrates an endpoint, it sets in motion a chain of events that drives up cost and effort, for security, IT, end users, and the business. This is because attacks are dynamic. They persist, do reconnaissance, collect intel, propagate to additional endpoints or operational technology (OT), and ultimately set themselves up to ex-filtrate data or shut down the business.
As attacks progress, the effort of using detection tools to monitor, detect, analyze and investigate grows too, increasing at each stage. This adds cost, on the one hand, and raises the likelihood of a miss due to human error, on the other. For example, in many notorious breaches, the attack was known but allowed to thrive because of incorrect judgment calls, inability to outrun the attack flow, or case management overload.
Nobody can make every alert a number one priority, so expertise and luck become the thin red line between success and a breach. But if the attack is prevented deterministically before infiltration, the effort of finding and remediating it drops essentially to zero. So does the risk that it will slip through the case-management cracks, since there is no post-infiltration attack chain to deal with.
For example, Moving Target Defense prevents attacks instantaneously, before they get a chance to infiltrate. So there is no need to detect them. And if you don’t need to detect attacks, you don’t need to monitor; and if you don’t need to monitor, you don’t need to analyze. And so on. Simple.
Ease of use
This is pretty straightforward to measure: The more things a product has to do in order to do its job, the more it is going to get in your way and the harder it is going to be to use. Tools that monitor and scan, or hook APIs, or apply policies, can get in the way of end users and cause conflicts with other security tools and applications.
In a Moving Target Defense model, the solution morphs the run time environment and creates a decoy. At that point, it is finished. No run time component, interference or conflicts. It also means the DLL can be very small so that it is trivial to install and uses no CPU at run-time.
This type of approach relieves IT of some of its biggest security headaches and keeps end users from calling the help desk. It also helps the business. It obtains a high level of security without the onerous restrictions on common-sense business activities.
Speed and ease of use together address concerns about the negative operational impact of preventive security technology. Moving Target Defense embodies both, modeling the paradigm of ‘Set and Forget’ and the adage ‘Less is More.’ IT and the business both benefit.
Morphisec will be part of the panel discussion “Evolving Your Security Strategies: Protecting Key Intellectual Property” on Monday, October 16 at Midmarket CIO Forum.