CEO Tim Prendergast Discusses the Emergence and Adoption of Cloud Security


Cloud computing has received a lot of attention these days, but the most important cloud service could be the one that protects enterprises (including other cloud businesses) from malicious attacks. The industry might have finally come to a turning point now that corporations, both big and small, are starting to realize the value of cloud security.

“The markets have matured to adopt what cloud security really means,” said CEO Tim Prendergast, who was interviewed by Richard Stiennon as part of IT-Harvest’s 2016 Video Interview Series. “When it started out there was a lot of confusion about the various layers. I think as we’ve seen people progress along the maturity curve in cloud, they really started to understand the unique needs the environment has that are different than they were at a datacenter.”

Prendergast, whose company offers an easy-to-deploy cloud policy management platform, said the industry has been “able to identify solutions and suites that will work really well for them in addressing the new challenges they face as they move in these very dynamic environments.”

Understanding the Challenges of the Cloud

Prendergast said there has been a dichotomy where there are innovators and the very early adopters who really understand the challenges of the cloud because they’ve been doing it for the last two to four years.

“They tend to find the value in the platform very early and do a homogeneous spread across their entire environment,” Prendergast explained. “So they’ll say, ‘Okay, we’re going to use it as a standard and cover all our infrastructure with it.’ And then we have a lot of emerging players and the early majority. It might be a bank or manufacturer putting their first workload in the cloud, and they want to start with a good basis from the ground up on the development and test environments.”

Evident has found that as these firms progress toward production, they will increase their platform coverage.

“And then over time they mature additional workloads and continue to grow,” Prendergast added. “I think the constant that’s driving this is the cloud is being used more and more everyday, not less everyday, by these companies.”

Going Above and Beyond

Traditional datacenters are becoming a thing of the past. Prendergast said that most businesses have replaced the old model (where a bunch of servers and operating systems run everything) with servers that act as a component of dozens of other cloud services.

“But all those other services are only API accessible,” said Prendergast. “There’s no IP address, there’s no operating system, there’s no way to install your own software on it. Evident creates a way for you to actually cover all those services and the layers of governance, compliance, continuous monitoring and protection that you need in a very modern cloud way.”

Prendergast said that this system is actually “creating security workflows where the teams that are managing the cloud infrastructure are moving in a very agile way.”

“It’s embracing security as part of that DNA and as part of that cycle, and not something that happens at the end of a product lifecycle process,” he said.


Comodo Using Containers to Block Malware

Malware is a growing problem for both consumers and enterprises. Many have tried to defend against this growing threat, but malware authors are relentless in producing new ways to deploy, infect and harm the PCs of those they target. It’s an ongoing problem that requires vigilant individuals to remain at the top of their game.

To keep up with the rise of malware, Comodo is looking beyond traditional sandbox methods.

“Malware always starts out as an unknown file,” said John Peterson, VP of enterprise product management at Comodo. “The rate of unknown files is so high that it just doesn’t work anymore to try to do a blacklisting or signature-based approach.”

Peterson shared Comodo’s strategy with Richard Stiennon at the 2016 RSA Conference in San Francisco. He said his firm is taking a new approach to malware, which is very clear on how known files (good and bad) should be treated. The challenge comes in dealing with unknown files.

“Once run in a sandbox, you might identify whether it’s good or bad, but during that whole period and process of analyzing the file, patient zero could be infected,” Peterson warned. “We actually eliminate patient zero from having to get infected. We take unknown files and we put them in a container, so that container allows the unknown file to run and execute. You can interact with it because it could be unknown good. But it also could be unknown bad, so we isolate it from the rest of your computing environment.”

Click on Anything

Peterson said that users are able to click on and download anything without fearing their computer systems will be compromised.

“The application or PDF or EXE that you’re actually downloading gets run in isolation,” he said. “It has a separate set of CPU processing that it’s allocating and a separate file system that it’s restricted to. It can only make certain calls to certain places in memory, rendering your computer immune to any kind of malware that might be brought into your environment.”

Sandbox Technology Still Holds Value

Comodo may be going above and beyond sandbox technology, but Peterson said there’s still a place for it in the world of security.

“Clearly there’s an opportunity for us to displace it, but I think there’s also opportunity for us to augment it,” said Peterson. “If customers have chosen a sandbox solution and they want to stick with that, they can – and they can augment that sandbox technology with our containment technology. Containment technology is like a cousin to sandboxing. Sandboxing is analyzing a file to determine its true state, whereas containment is actually putting a file in a container and allowing you to interact with it while keeping it isolated from the rest of your computing environment. We do both.”


Skybox Security’s Gidi Cohen is a Big Believer in Data-Driven Security


It’s not uncommon to hear an Uber-like startup – those operating in the so-called “on-demand economy” – announce a massive raise from any number of venture capitalists. But in order to draw that same level of investor trust in other fields (say, cybersecurity), you’ve got to have something really special.

Skybox Security definitely fits into that category. The company, which is led by co-founder and CEO Gidi Cohen, recently announced that it had raised $96 million from Providence Equity Partners.

“We’re big believers of data-driven security,” said Cohen, who sat down with Richard Stiennon for a one-on-one chat during the 2016 RSA Conference in San Francisco. He attributed the investor support to the company’s ongoing growth and success.

“We grew over 50% year-over-year for a few years in a row,” said Cohen, whose company is known for guarding an enterprise’s attack surface (the sum of all threats an organization may face) from malicious individuals. “We’re continuing to do so this year — and in a very profitable way.”

A Different Point of View

Cohen didn’t want Skybox to follow in the footsteps of other startups, which typically grow their top-line while enduring (and perhaps accepting) “a huge amount of losses like it doesn’t matter.”

“It got to the point where there’s actually an appreciation for companies that grow very well but can do it in a competent and efficient way, which is what Skybox has been doing for quite a few years,” said Cohen. “That was very noticeable in the industry and the financial markets.”

Cohen said that in Skybox’s specific space, the company is “uniquely successful” in capturing a significant part of the enterprise market.

“We are winning almost everything we’re competing on, in the markets due to the scalability, the platform capabilities and the visibility we provide,” he said.

Unique Analytics

Cohen is proud to speak about Skybox’s “unique” type of analytics.

“Our analytics is much more about modeling and simulation technologies that can actually put together all of those disparate datasets,” he explained. “There are different silos of data, firewalls, endpoints, vulnerabilities. We put them together with a technology that actually helps the organization understand what is exposed, what’s exploitable, what’s not, and how to deal with that.”

Cohen said that this type of analytics is something that Skybox has been doing for many years.

“We have quite a few patents in the space and it’s a very unique offering,” he concluded.


[IT-Harvest has initiated research into the firewall policy management space. Skybox Security, although it has a broader offering, is included in this research. A market sizing report will be available at]


Looking at the entire IT security industry

When IT-Harvest was launched we took a stab at cataloging the entire IT security vendor space. It took six months and a team of five to collect information on 1,200 vendors. We also invested in a developer to create an app which we sold subscriptions to. That effort was curtailed when I joined Fortinet. After relaunching in 2008 we continued to track those vendors but a year ago decided to make a concerted effort to gather and put into categories as complete a list as possible. I presented some of the results at RSA this year on the RSA TV stage:


Immediately after RSA I began working with friends in Israel and India to cast my net wider. We found 41 total vendors in India and 228 in Israel. Those numbers were published at my new column as an IDG Contributor: Stiennon’s Security Scorecard.

I will be revealing lots of great data about our space in future columns. In the meantime I am using that data to create market sizing reports. Those are available at

And yes, we will be building an app to make our entire database available to subscribers.


IT-Harvest analysis: Threat Intelligence Market Growing at 84% CAGR. To Hit $1.5 Billion in 2018

Birmingham, Michigan March 16, 2016 Technology News

(PRLEAP.COM) IT-Harvest, an independent research firm covering the cybersecurity industry, has published a Market Research Report on the threat intelligence sector. The report includes 21 vendors that research and provide threat intelligence to the enterprise. These include iSIGHT Partners, recently acquired by FireEye, Cyveillance+LookingGlass, Digital Shadows, Intel471, Recorded Future, and Flashpoint Intel. A growing segment within the space includes the 10 Threat Intelligence Platform (TIP) vendors, led by ThreatStream, ThreatConnect, ThreatQuotient, and BrightPoint Security. TIPs collect threat intelligence from multiple sources and integrate it with internal data and enforcement technology to maximize the value of threat intelligence.

Key findings:

The 2015 threat intelligence market was $190 million and is growing at 85% annually. The TIP space accounted for $61 million and is growing at 84%. In addition the total 2015 market for threat intelligence products was $251 million and is on pace to exceed $460 million in 2016. At current growth rates the market for threat intelligence products will exceed $1.5 billion in 2018.

The seventeen-page Market Research Report is available at It provides a guide to the industry and a summary of each vendor’s capabilities.

About IT-Harvest:

IT-Harvest uses a unique methodology to track industry sectors. This human-augmented machine analysis integrates automation with human insight to perform comprehensive market sizing analysis. The Threat Intelligence MRR is the first of such reports, to be followed by: User and Entity Behavior Analytics (UEBA), Firewall Policy Management, Deception, Security Analytics, Cloud Security, and Information Governance.

To contact the author, Richard Stiennon, email:

About Richard Stiennon:

Richard Stiennon is Chief Research Analyst for IT-Harvest, the firm he founded in 2005 to cover the 1,440 vendors that make up the IT security industry. He recently completed a year-long effort to categorize all of those vendors. He is the author of Surviving Cyberwar (Government Institutes, 2010) and There Will Be Cyberwar. He is a member of the advisory board at the Information Governance Initiative and principal of TrueBit Cyber Partners. Stiennon was Chief Marketing Officer for Fortinet, Inc. and VP Threat Research at Webroot Software. Prior to that he was VP Research at Gartner, where he was recognized as One of the 50 Most Powerful People In Networking by Network World Magazine. He has a B.S. in Aerospace Engineering and an MA in War in the Modern World from King’s College, London.


whiteCryption’s Thorsten Held on Protecting Critical Content and Applications

Thorsten Held, managing director at whiteCryption, is focused on protecting intellectual property with cryptography. His company helps enterprises that need a greater degree of security in the area of digital rights management (DRM). Held sees a need for stronger protection of content and critical apps on all devices.

“We want to give tools to our customers to enable them to do what they feel is the right approach,” said Held. “We provide a lot of consultancy so we help our customers understand the different options and the different scenarios. Each industry has different requirements and we help customers achieve them.”

Held was interviewed by Richard Stiennon as part of IT-Harvest’s 2016 Video Interview Series, which ran alongside the 2016 RSA Conference in San Francisco. He explained that the majority of whiteCryption’s initial customers wanted a secure DRM solution.

“We help customers harden the DRM implementation,” said Held. “The solution itself is known and defined. The content owners, [such as] Hollywood studios, require an extra layer of security. Our key mission is to make sure DRM providers hide keys in their system.”

Broadening the Platform

whiteCryption recently teamed up with Trustonic to simplify security for mobile and IoT app developers. Trustonic’s hardware-level security is already embedded in more than 500 million smart devices.

“The whole idea is to broaden the platform,” Held said of the partnership. “So many devices do come with some IP on board today. And how do you close that gap, especially if you’re talking about customer-facing solutions? You definitely want to be sure that there’s no limitation of use.”

Held said it is not enough merely to say that a feature runs on 55% or 75% of the available devices. By combining IP with a software-based solution (like the one whiteCryption provides), “You [get] the flexibility to say that either the application or the features of the application can run on 100% of the devices.”

The Value of Security

Held also spoke about the benefit of relying on partners to deliver deeper integrated solutions than whiteCryption provides on its own.

“I think that’s key for most of the mid-sized companies,” he said. “They either don’t have the expertise or the funds to develop everything themselves, so they are in need of a deeper integrated solution.”

Not all companies know why they want to invest in security, however.

“It’s hard to convince them,” said Held. “We have a price tag, of course, and it’s a license fee. If you understand the value of security and it’s part of your business model, it’s easy [to convince an enterprise].”

whiteCryption’s integrated code protection and white-box cryptography solutions protect software applications at the source code level to prevent unwanted alteration and intellectual property theft and to keep secret cryptographic keys hidden.


Digital Shadows’ James Chappell Discusses Threat Intelligence, Cyber Situational Awareness, and More

James Chappell, co-founder and CTO of Digital Shadows, knows what large enterprises need to stay protected. He introduced the concept of cyber situational awareness, an all-encompassing take on threat intelligence as it pertains to each customer.

“Our clients are interested in what’s going on around them,” said Chappell. “They want to know what tactics are being used around them and what they should do to align their defenses.”

Chappell recently sat down with Richard Stiennon for an in-depth interview during the 2016 RSA Conference in San Francisco. He provided a unique take on threat intelligence and explained how his company serves its clients.

“The term ‘situational awareness’ comes from the military,” said Chappell. “Just as you might imagine a general stood on top of a hill with a pair of binoculars, trying to work out where to place his assets in the field, and to work out what’s going to come over the horizon at those assets. That’s a good way to look at how you defend a business.”

Digital Shadows’ James Chappell interviewed by Richard Stiennon

Overloaded Term

Chappell described threat intelligence as being an “overloaded term” that “means a lot of different things to a lot of different people.”

“Part of the market is about data feeds and has some value,” he said. “You can reconfigure the network in response to those.”

No enterprise is afforded the luxury of infinite resources. Chappell understands that every business must figure out how to implement those resources to the best effect, and to do it in a way that’s tailored toward each company’s individual situation.

“If you place yourself in the shoes of an attacker, look at your infrastructure as an attacker would, and then look at the changes in behavior over time, you’re going to learn a lot more,” Chappell explained. “So it’s more context-based — looking at tactics and motivations — and then looking at your own assets within the context of those threats.”

More Attacks

Security breaches are more common and more publicized than ever before. Unfortunately, it could be a while before the situation changes.

“I think we’re working in a much more complicated world,” said Chappell. “Our reliance on technology is going up, it’s not going down. Because of that we’re seeing much more complexity in the attacks.”

In the old days, hackers would initiate DDoS attacks and deface company websites. Now hacktivists steal data and publish it online.

“2015 was the year of extortion, right?” Chappell questioned. “[In] 2016, it doesn’t look like that trend is going to stop.”

If anything, Chappell said hackers have proven that extortion has become a “business model,” ensuring it will continue.

Financial Roots

As far as the company’s history is concerned, Chappell said that Digital Shadows is “very fortunate” to have started out in the financial services sector.

“We did a lot of work early on with Tier 1 banks because they were early adopters of this technology,” he said. “We have actually broadened out much further than this, so now we work with large supermarkets, we work with energy companies, utilities, pretty much anyone in a larger enterprise who’s got a job of defending an infrastructure from a variety of attacks.”


That’s a Wrap. Until Next Year, RSAC.

My experience at the annual gathering of what seems like the entire IT security industry is different than most. Each year at the RSA Conference in San Francisco IT-Harvest reserves one of the biggest hotel suites in the city and outfits it as a video studio. Our flawless team of videographers at New Leaf Media haul in several carts of equipment, push all the furniture into a corner, hang an elaborate backdrop, and set up for a three-camera shoot.

While everyone else is busy meeting, going to sessions, presenting, and walking the show floor, I am ensconced in our suite from 8 AM to 6 PM recording video interviews with industry executives, technologists, and thought leaders. Over the last six years we have recorded 150 such interviews. I use them in my own research and embed them in my writing. If you are new to the IT security industry you could get up to speed quickly by watching these. They are hosted at

Here is the complete list of 29 video interviews conducted at RSAC 2016. We will be uploading them over the next several weeks.

Comodo. John Peterson is an old friend. We have interviewed him before. He joined us to talk about Comodo, which in addition to being the largest issuer of SSL certificates, offers PKI solutions for enterprise and endpoint protection for the desktop.

Vidder. I met Junaid Islam, CTO, for the first time as I interviewed him about Vidder’s PrecisionAccess. Think white listing for access control. Users and their devices are authenticated before being granted access to only allowed applications.

Untangle. Untangle’s CEO, Bob Walters, explained how this UTM vendor is successfully executing on a go to market strategy for SMB; a rare approach in the UTM space where everyone wants to be an enterprise player.

vArmour. Former Deputy Under Secretary for Cybersecurity for DHS, Mark Weatherford, talked to me about vArmour’s security for workloads in the cloud.

CloudPassage. Amrit Williams, CTO of CloudPassage, and fellow alumnus of Gartner, talked about cloud security and protection across multiple platforms.

Digital Shadows. James Chappell, CTO and co-founder, introduced the concept of cyber situational awareness, an all-encompassing take on threat intelligence as it pertains to each customer.

Illumio. Andrew Rubin, CEO, returns to talk about how Illumio enforces policies across all workloads via a lightweight software agent that is installed in the operating system of any server, VM, or container. It collects network flows and workload information, and programs the native stateful firewall in the host (iptables in Linux, Windows Filtering Platform) to enforce inheritable protections.

Onapsis, the SAP security platform is described by Mariano Nunez, co-founder and CEO.

Cylance. Stuart McClure dropped by to update us on his machine learning informed endpoint protection solution. After two years, Cylance is gaining traction across many enterprises.

Hexatier is the re-branded GreenSQL.  I talked to the newly appointed CEO, Dan Dinnar, about enterprise adoption of cloud database firewalls.

FourV. Casey Corcoran, VP Strategy, described how FourV’s risk management platform calculates risk factors, in real-time, from the flood of existing security and IT systems data.

Flashpoint. Lance James, Chief Scientist, barely took a breath as he described the value proposition and power of mining the Deep&Dark web for threat intel.

Tim Prendergast visited our studio to talk about’s easy to deploy cloud policy management platform.

ThreatQuotient. John Czupak and Ryan Trost tag teamed an interview to talk about Threat Intelligence Platforms. (Read more about TIPs in the IT-Harvest Threat Intel Market Research Report just published.)

Fortinet. Once again we talked to John Maddison, Senior VP at Fortinet about their extraordinary growth.

whiteCryption. Thorsten Held, Managing Director, introduced me to whiteCryption’s software HSM, a critical component of trusted communications.

Entrust Datacard. Datacard bought Entrust at an opportune time. I talked with CEO Todd Wilkinson about the growing market for digital certificates for identity.

Gemalto. Jason Hart, VP and CTO, had a wide-ranging discussion about hardware HSMs and the wide breadth of enterprise security products at Gemalto.

Barracuda. I talked with Klaus Gheri, VP Network Security, about a new product Barracuda introduced to tie remote facilities back to the head office securely.

Cyren is executing on its strategy to branch out from being purely an OEM provider of URL and reputation feeds to dozens of security vendors. Lior Kohavi returned to give us an update on Cyren’s stand-alone product for advanced malware defense in the cloud.

Solutionary. John Petrie, CISO, talked about the company’s progress since the acquisition by NTT Docomo and future plans to consolidate MSSP services under a global umbrella.

Bomgar. Matt Dirks, the CEO of Bomgar, explained how the company saw an opportunity to expand from a secure remote desktop for customer support to privileged user management.

Vasco. Ken Hunt, a youthful CEO of one of the oldest security companies, described Vasco’s two-factor authentication and digital signature solutions for financial institutions and other industry verticals.

RedSeal. It was a pleasure talking to Ray Rothrock, CEO of RedSeal, once again. He introduced the concept of digital resilience and how RedSeal is building it into their risk management dashboards.

Arbor Networks. It is well worth watching the series of interviews I have conducted with Dan Holden, Director of ASERT, Arbor’s research team. This year, as always, we had a free ranging discussion on the past year’s developments in the threat space and trends he sees in the industry.

RSA Security. I talked with Sanjay Raja, Senior Director of Product Marketing. We had a great conversation about RSA’s product coverage and future plans.

Skybox. This year I talked once again with CEO and Founder Gidi Cohen. Skybox is looking to expand its position in the risk management space aggressively with the help of a recent infusion of $96 million. Ravid Circus chimed in on the technical side.

PhishLabs. John LaCour, Founder, talked about advanced techniques for hardening an enterprise against the scourge of phishing attacks.

Versasec. Joakim Thoren, CEO, introduced me to Versasec’s complete line of smartcard enabling products.

You can imagine that my head was packed full after three days of intensive talks with so many technology vendors. I think I was in a fog by the time I stumbled onto the show floor to see as many exhibitors as possible. I did take 15 minutes to present the results of just completed research on the entire IT security vendor space for RSA TV. Much more on that to come.

Watch this space where we will be posting each of the videos as they come out of post-production. That will give us enough content to talk about until BlackHat when we will be recording more!


Have you scheduled your RSAC 2016 video interview?

IT-Harvest is launching some exciting initiatives in 2016. Throughout 2015 we worked to rebuild our database of over 1,450 IT security vendors and group them into more than 80 categories. We are working through the fastest growing categories (threat intelligence, deception, security analytics, cloud security) and getting ready to publish market research reports that catalog all the players, their estimated revenue, and their growth rates. Primary audiences are the investor community and buyers of technology products.

In addition, IT-Harvest Press will be publishing guides to each of these segments in book form. Be sure to look for them!

Also, in 2016, Richard Stiennon will be a regular contributor of articles about the industry to CSO Magazine.

All of this activity means more exposure for your video content: a professional video interview with Richard Stiennon shot and produced in San Francisco just three blocks from Moscone Center. See all 140 videos we have already produced for many of the leading IT security vendors here. Of course you can embed your video anywhere you like and reuse the content.  As always, contact Rich Montoya to get more information.


Taking the Backroad to a Secure Enterprise

It is often the case that rapidly changing technology allows laggards to leapfrog leaders. Rather than follow the same path as the trailblazers, those who come behind can take a shortcut. A country in South America bent on joining the modern world does not have to string phone lines across its mountains and jungles to achieve universal access to communications. It can build an LTE infrastructure, allowing its people to skip the fixed line stage and jump right to the latest smartphones and apps for Facebook and Instagram.

So too can an enterprise that is poorly defended get ahead of the race to security. The very best security infrastructures can be found at large financial institutions and defense contractors. Both have been battling targeted attacks for over a decade. They have purchased, deployed, and staffed every new technology brought out to combat every new threat: banks to counter cybercrime, the defense industrial base (DIB) to combat cyber espionage.

In 2003 these organizations had firewalls and Anti-Virus. As worms managed to get by their defenses they deployed Intrusion Prevention (IPS) and patch management systems. Eighteen years later they have large staffs populating Security Operation Centers. They have deployed and are managing sometimes hundreds of separate security products, most of them plumbed to report to a SIEM (Security Information and Event Management) solution. They are well positioned to take the next step, which is to incorporate threat intelligence feeds and security analytics to hunt down intruders.

But what about the laggards? Those that don’t have a CISO, that have not kept up because they were under the blanket of misunderstanding: “we have nothing worth stealing; who would target us?”

We know who the laggards are by the breaches we read about in the New York Times. Universities, retailers, movie studios, industrial control systems, and yes, even federal agencies.

What are the laggards to do once they finally come to that moment when they realize that they truly are targets of attack? Most appear to be frozen in the headlights of the threat. There is too much to do. They need help. They need funding. They need Congress to do something. How can an electrical utility in Detroit attain the same cyber defense posture as Lockheed Martin?

Do it backwards. Learn to hunt and kill intruders before investing in moats, barbed wire, guard towers, and walls.

Start with gathering information from your network. Collect netflow data from your firewalls, routers, and access points. Capture full packets where you can. The technology is there. All these devices just need to be configured to report what they see. Evidence of attacks is in that data. Botnet beaconing? Easy. Exfiltration of intellectual property? Even if it is encrypted you can see it going out. Lateral movement? It’s in there.

You can do this manually, but investing in hunting technology (I sit on the advisory board of one such technology vendor; check out Sqrrl’s hunting platform) is the best way to leapfrog. You need tools that allow you to piece together disparate evidence of malicious behavior. You can set an alert for unusual traffic originating inside your data center and heading to China. But you still need to hunt down the root cause, the patient zero of a malware infection. It might be a vulnerable database server, or a mis-configured firewall. What were the attackers after? Payroll servers? Customer data? Are they using your privileged access to one of your customers as a stepping stone? You can link all the artifacts to tell a story and answer these questions.
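As an added example (not from the original post), here are the three hunting checks the preceding paragraphs sketch, run over a handful of constructed NetFlow-style records: periodic beaconing from an internal host to an external address, bulk egress volume that stays visible even when the channel is encrypted, and admin-port fan-out across internal hosts as a lateral-movement signal. The internal address ranges, admin ports, thresholds and record layout are assumptions.

```python
"""Hunting over NetFlow-style records: beaconing, bulk egress, lateral fan-out.

Added example, not from the original post. The flow records below are
constructed for illustration; field layout and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed site ranges
ADMIN_PORTS = {22, 445, 3389, 5985}  # remote-admin ports used for the lateral-movement check


@dataclass(frozen=True)
class Flow:
    ts: int         # seconds since start of capture
    src: str
    dst: str
    dport: int
    out_bytes: int  # bytes sent src -> dst


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def detect_beacons(flows, min_events=5, max_cv=0.15):
    """Flag (src, dst, dport) tuples whose connections recur at a near-constant
    interval. Beacons are periodic; a low coefficient of variation (stdev/mean)
    of the inter-arrival gaps is the signal, regardless of payload encryption."""
    times = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            times[(f.src, f.dst, f.dport)].append(f.ts)
    hits = []
    for key, ts in times.items():
        if len(ts) < min_events:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append({"src": key[0], "dst": key[1], "dport": key[2],
                         "period_s": round(avg), "events": len(ts)})
    return hits


def detect_bulk_egress(flows, threshold_bytes=50_000_000):
    """Sum bytes leaving the internal ranges per (src, dst). Volume is visible
    even when the channel is encrypted, so TLS does not hide the transfer."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[(f.src, f.dst)] += f.out_bytes
    return [{"src": s, "dst": d, "bytes": b}
            for (s, d), b in totals.items() if b >= threshold_bytes]


def detect_lateral_fanout(flows, min_targets=5, window_s=600):
    """Flag internal hosts that open admin-port connections to many distinct
    internal hosts inside one window: the fan-out pattern of an intruder
    pivoting with stolen credentials, not of a normal workstation."""
    by_src = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst) and f.dport in ADMIN_PORTS:
            by_src[f.src].append((f.ts, f.dst))
    hits = []
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= window_s}
            if len(targets) >= min_targets:
                hits.append({"src": src, "targets": len(targets), "start_ts": t0})
                break
    return hits


def build_sample_flows():
    """Constructed traffic: one host beaconing every 60 s (+-2 s jitter), one
    host pushing 80 MB to an external address, one host sweeping SMB across
    its subnet, plus benign noise that must not be flagged."""
    flows = []
    for i in range(8):                                  # beacon
        flows.append(Flow(100 + 60 * i + (i % 3) - 1, "10.0.5.20", "203.0.113.7", 443, 600))
    for i in range(4):                                  # bulk egress
        flows.append(Flow(300 + 90 * i, "10.0.9.3", "198.51.100.44", 443, 20_000_000))
    for i in range(6):                                  # lateral sweep
        flows.append(Flow(500 + 15 * i, "10.0.7.11", f"10.0.7.{30 + i}", 445, 4_000))
    flows += [Flow(50, "10.0.1.1", "198.51.100.10", 443, 12_000),   # ordinary browsing
              Flow(400, "10.0.1.1", "198.51.100.10", 443, 9_000),
              Flow(900, "10.0.1.2", "10.0.7.30", 445, 2_000)]       # single file-share hit
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    print("beacons:", detect_beacons(sample))
    print("bulk egress:", detect_bulk_egress(sample))
    print("lateral fan-out:", detect_lateral_fanout(sample))
```

Each finding carries the source host, so the three outputs can be joined on it to tell the story the post describes: which machine beaconed first, where it pivoted, and what left the network.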

The day you start hunting for intruders is the day you start to improve your security. Vulnerability management is one of the most onerous tasks for an IT department. The existence of a vulnerability in a critical system does not justify taking that system offline to patch it. But discovering an intruder on that system exfiltrating data justifies an immediate response. Revamping access controls is expensive and disruptive to operations. The day you discover someone logging in remotely using stolen credentials is the day you change your access policies and deploy strong authentication technology.

After only several weeks of hunting, finding, and stopping intruders, you will be able to justify expenditures for technology to reduce the workload of the hunters. Upgrading from the firewalls you bought when you first connected to the Internet to a modern full-stack gateway security appliance will stop a lot of noise. The root cause of many intrusions will turn out to be users clicking on links to malicious content. Deploy a secure web gateway to eliminate those issues.

Is there a particular database the intruders are after? Harden those servers, and encrypt that data. Are intruders getting access credentials? Get your identity and access management (IAM) under control. Are you being targeted with bespoke malware that sidesteps your defenses? Deploy sandbox devices to detonate and reveal new malware. Are your suppliers and partners the source of attacks? Share information with them. Teach them how to hunt.

Coming at cyber security backwards in this way can quickly get you ahead of not only the technology curve, but of the attackers. You will have an elite team of experienced hunters equipped with the best technology. Your security program will be driven by defense, not compliance. You will know what to invest in. You will know how to deploy new IT projects without exposing yourself to new threats.

Let the attackers show you the way to securing your enterprise. You will be watching and on the hunt.