Security by design vs Security Techs

Ozan Ozkara
3 min read · Oct 2, 2018

Facebook is already facing immense fallout from a massive breach in which attackers exploited a security vulnerability to steal the account credentials of as many as 50 million users. Events like this raise the question of whether there is another plan in the background. If one of the largest technology companies in the world can have its data compromised, then any company, regardless of the security measures it has in place, is also vulnerable. Or, in design terms, the design is weak: if you look at the bad side of the security case, such as a zero-day, the main purpose is already achieved. Bad actors do not always have to do the work themselves.

Three major components are critical for any harmful action (not only cyber): intent, skills, and opportunity. If at least one of these three factors is missing, it is impossible to damage anything. Cybercriminals have recently become aware that information is money, and that vulnerabilities and flaws still exist beyond the speed of our innovation. The recent breach is in some ways surprising given how seriously Facebook takes security. On the other hand, when you look at the details of the breach, it was completely mysterious. They have lots of security technologists; I don't know whether technologies such as static masking, DB encryption, or deception are being used, but it would be good if they were. Another point is that they move fast, and the compromise and the vulnerability itself were a chain of attack stages, a whole series of errors that went wrong at the same time.

Security is not a matter of technology; it is a process that can be managed if you take the necessary actions. I'm not talking about being 100% safe, by the way. Critical threats are often identified as APTs using zero-days as malware, not just because of the capabilities the adversaries wield, but also because of their ability, design, ideas, and operations against targets. Focused and funded adversaries will not be stopped by security boxes on the network alone. Cybercriminals have recently realized that data is the new oil.

A cybersecurity force does not simply wait to respond to alerts or indicators. It needs to actively search for threats in order to prevent, minimize, and simulate them. Even if you find a cyber threat under real circumstances, that does not mean you will eliminate it; this is the same as a relevant law enforcement unit identifying an offender's crime. Additionally, the real cybersecurity goal is not only about finding threats in order to be measured as successful. Cybersecurity decision makers should essentially test an organization's capability to detect and respond to adversaries. Another important thing is to consider creating a hypothesis-driven approach to validating, detecting, and analyzing an incident.

Why? Because in real attacks, deception is always on the table and indirect attacks are more realistic, as in the martial arts. It is not wise to assume that the attack is made directly against the target. Complexity is inherent, as always.

Some important examples of bad security measures

  • Spending lots of time reviewing logs from the SIEM and then formulating custom SIEM queries. (You must have a supported security hypothesis first.)
  • “Response is triggered by SIEM alerts or AV alerts.” (But this is not the goal. If you are unable to identify the initial contact in the Cyber Kill Chain, there will be losses.)
  • “We have antivirus deployed on most endpoints and wait for threats.” (If you make investments and then just wait for a security incident, facing a truly dangerous real threat is inevitable.)
  • “The analyst just watches logs and endpoint events. Non-baseline behavior analytics or triggered events create a potential incident.” (You have to develop a security hypothesis, so you need to know about offensive tools. It is impossible to solve the problem from an unrelated chain of events in the last circle of the attack.)
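To make the contrast between waiting for alerts and hunting on a hypothesis concrete, here is an added example that is not part of the original post. It states one hunt hypothesis (a compromised account successfully authenticates to hosts the account has never used before), learns a per-user baseline from a "normal" window, and then checks a later window for successful logins outside that baseline. No SIEM or antivirus alert fires on any of these lines, which is exactly the point. All log lines, user names, hosts, and the `key=value` field layout are constructed assumptions, not real telemetry or any vendor's format.

```python
"""Hypothesis-driven hunt over constructed authentication logs.

Hypothesis: a compromised account authenticates successfully to hosts it has
never used before, so first-seen (user, host) pairs outside a learned baseline
deserve an analyst's attention even when no alert is triggered.
All lines below are constructed samples; field names and hosts are assumptions.
"""
from collections import defaultdict

# Constructed "normal" week used to learn what each account usually touches.
BASELINE_LOGS = [
    "2018-09-24T08:02:11Z auth user=alice src=10.0.1.5 dst=fileserver result=success",
    "2018-09-24T08:05:40Z auth user=alice src=10.0.1.5 dst=mail result=success",
    "2018-09-25T09:11:02Z auth user=bob src=10.0.1.9 dst=mail result=success",
    "2018-09-25T09:12:30Z auth user=bob src=10.0.1.9 dst=wiki result=success",
    "2018-09-26T10:00:00Z auth user=alice src=10.0.1.5 dst=fileserver result=success",
]

# Constructed hunt window: same users, but bob's account now reaches new hosts.
HUNT_LOGS = [
    "2018-10-01T08:01:00Z auth user=alice src=10.0.1.5 dst=fileserver result=success",
    "2018-10-01T08:03:15Z auth user=alice src=10.0.1.5 dst=mail result=success",
    "2018-10-01T08:10:00Z auth user=alice src=10.0.1.5 dst=hr-db result=failure",
    "2018-10-01T02:14:09Z auth user=bob src=10.0.1.9 dst=mail result=success",
    "2018-10-01T02:15:44Z auth user=bob src=10.0.1.9 dst=fileserver result=success",
    "2018-10-01T02:17:02Z auth user=bob src=10.0.1.9 dst=hr-db result=success",
    "2018-10-01T02:19:51Z auth user=bob src=10.0.1.9 dst=dc01 result=success",
    "2018-10-01T11:30:00Z auth user=carol src=10.0.1.12 dst=wiki result=success",
]


def parse_auth_line(line):
    """Turn one 'timestamp auth key=value ...' line into a dict of its fields."""
    timestamp, _event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = timestamp
    return fields


def learn_baseline(lines):
    """Map each user to the set of hosts it successfully authenticated to."""
    baseline = defaultdict(set)
    for fields in map(parse_auth_line, lines):
        if fields["result"] == "success":
            baseline[fields["user"]].add(fields["dst"])
    return baseline


def hunt_new_host_access(lines, baseline):
    """Return {user: sorted new hosts} for successful logins outside the baseline.

    Failed attempts are deliberately ignored: they belong to a different
    hypothesis (password guessing) and would need their own hunt.
    A user absent from the baseline has every host counted as new.
    """
    findings = defaultdict(set)
    for fields in map(parse_auth_line, lines):
        if fields["result"] != "success":
            continue
        if fields["dst"] not in baseline.get(fields["user"], set()):
            findings[fields["user"]].add(fields["dst"])
    return {user: sorted(hosts) for user, hosts in findings.items()}


def flag_lateral_movement(findings, min_new_hosts=2):
    """Escalate users whose count of never-before-seen hosts meets the threshold."""
    return sorted(user for user, hosts in findings.items() if len(hosts) >= min_new_hosts)


if __name__ == "__main__":
    base = learn_baseline(BASELINE_LOGS)
    found = hunt_new_host_access(HUNT_LOGS, base)
    for user, hosts in found.items():
        print(f"{user}: first-seen successful logins to {', '.join(hosts)}")
    print("escalate for triage:", flag_lateral_movement(found))
```

The threshold in `flag_lateral_movement` is where the hypothesis does its work: a single new host (carol's first visit to the wiki) stays a low-priority finding, while one account reaching several never-before-seen hosts within minutes is the pattern the hunt was designed to surface. The hunt is only as good as the baseline window, so a baseline learned from already-compromised data will hide the activity you are looking for.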

Responding to security threats can be a resource-intensive process, and it should be analyst-focused, not technology-focused. Technology helps us as a tool. The security process always depends on the structure imposed by hypothesis generation; the reality is not simply a compromise assessment or continuous security monitoring. The ultimate goal is a baseline approach that drives security goals across the organization by making sure that human adversaries are met by human defenders who take full advantage of the environment they defend.


Ozan Ozkara

Cofounder of ArcaneBT, Cyber Security Pro and Thinker, Wing Tsun/Escrima Sihing.