Lior Div in Network World: Rip up the script when assembling a modern security team

The advanced threats companies face require security teams with characteristics that differ from the backgrounds analysts typically bring. Most businesses, however, hire security practitioners who share similar professional backgrounds and capabilities. Analysts usually come from IT, are taught to resolve threats quickly and work in an environment that doesn’t encourage speaking out when there’s a security incident.

The adversaries, meanwhile, have a more evolved perspective on how to carry out hacking campaigns. Attack operations often include people who have a range of experiences. For example, to hack a bank, attackers will hire hacking experts as well as someone with deep knowledge about the financial services industry. Hacking teams often employ experts who have various technical capabilities to help them approach attacks in different ways and switch gears if one tactic isn’t working. Hackers realize that a more diverse team—and the mindset it brings—increases the likelihood of the attack’s success.

In other words, attackers aren’t afraid to use different approaches to infiltrate a company. Diversity and innovative thinking are the essence of hacking. Defenders, though, seem poised to follow the script they’ve always used when building out a security team.

Characteristics of a modern security team

Organizations have to rethink what components are key to a security team if they hope to stay ahead of attackers. From my experience, the modern security team needs a few essential characteristics in addition to advanced technology.

1. Diversity is a secret weapon

Companies often overlook the importance of having a security team whose members have diverse perspectives. While diversity adds value to any part of a company, in security it’s pivotal to a team’s success.

Hiring analysts who’ve worked at the same companies or attended the same schools means you may end up with a team that approaches security issues in a similar manner. If they all think alike, they’ll probably miss the same security blind spots.

This point also applies to hiring only people who have IT backgrounds. Security threats can’t be solved simply by detecting malware and re-imaging the infected machines, a common IT approach that’s failing in the fight against complex adversaries.

Instead, look for people who have worked in different companies and industries and have experience fighting a variety of threat vectors. Ideally, your team will include someone with either a military or government background. They’ll have a completely different way of looking at security, forcing your company out of its comfort zone. Military personnel are often familiar with nation-state attacks and malicious intent and understand how complex offensive operations work. And with hackers launching advanced attacks against companies, people who have experience dealing with these threats can apply their knowledge to defend a business.

2. Security requires stamina

Most of today’s hacking operations are persistent, with attackers doing everything they can to stay in your network for as long as possible and maximize their return on investment. They’ll include decoy threats in their attack and program malware to stay dormant for an extended period of time, all to trick analysts into believing that an incident is easy to resolve. Analysts need to endure these deceptive tactics and understand that defeating attackers may take longer than they anticipate.

This ties into my next point: analysts can’t become discouraged when an adversary exploits their company’s defenses. Attackers will constantly launch campaigns until one is successful. Companies need to be equally resilient with their defensive efforts and use security incidents to improve their defenses.

3. See something, say something

People shouldn’t be afraid to be bold and speak out when there’s a security problem, even if that means notifying executives about a breach. I learned this lesson during my time in the Israel Defense Forces. We were trained to point out any issues that arose during a mission, even if this meant scuttling the operation. The consequences, like serious injury or even death, outweighed not speaking up.

Unfortunately, not everyone in security shares this mentality. There’s the perception that bringing up an incident, especially a breach, will lead to someone losing their job. I’d argue that not pointing out a hack only allows the incident to continue and risks more data being exfiltrated. Delivering bad news shouldn’t result in a person getting fired. In fact, I recommend organizations reward the person who delivers the bad news to encourage employees to report issues.

As I’ve written in a previous blog, a breach is an opportunity for an organization to unravel a full attack campaign. Treat a hack like the beginning of your security operation, not the end.

Don’t follow the same playbook

Good security teams aren’t just composed of people who’ve spent their career protecting corporate networks or can quickly resolve a security issue. The backgrounds of the people on your security team and how they approach problems are just as important as the technology your business uses to defeat attackers. Discarding the playbook you typically use when forming a security team will improve your company’s defenses.

Lior Div is the CEO and co-founder of Cybereason. This column previously appeared in Network World.

About the Author

Lior Div, CEO and co-founder of Cybereason, began his career in, and later served as a Commander in, the famed Unit 8200. His team conducted nation-state offensive operations with a 100% success rate for penetration of targets. He is a renowned expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion. Lior has a unique perspective on the most advanced attack techniques and how to leverage that knowledge to gain an advantage over the adversary. This perspective was key to developing an operation-centric approach to defending against the most advanced attacks and represents the direction security operations must take to ensure a future-ready defense posture.