Are we focussing enough on Advanced Persistent Threats?

Over the past few years, we have seen the industry form a very clear focus around Identities and Data. Identities (for both humans and machines), and Data in transit, at rest, and whether current or archived. The concepts of Zerotrust and DLM (Data Lifecycle Management) have helped spearhead this, and Zerotrust remains a compelling core tenant in any cybersecurity or risk mitigation strategy.

Gartners 2019 SASE whitepaper postulated its new paradigm very well, effectively flipping the server-client architecture we were used to, to a new people-centric world where users could access services for almost everything from their endpoints. Policies and sets of tools or applications are literally customised to every single users’ personal habits, tastes, requirements and access levels.

From the perspective of consumption and use of technology, the cyber “solutions” market is responding very well to this need and is clearly becoming better at managing these risks. In fact, looking at Gartner’s new Cyber Security hype cycle, it is clear that there are a number of very key developments in core areas which is most encouraging.

There are challenges however in how the market, both commercial and government, is dealing with Advanced Persistent Threats ( APT’s). The unseen and often catastrophic result of these more sinister attacks can be seen in examples like the SolarWinds breach. (A great synopsis of this can be found at techtargets website.) Incursion occurred in September 2019 and in March 2020 they unknowingly sent software updates to their customer base. The malicious injection lay dormant as a trojan horse through QA and testing for weeks on the clients that were infected, and only once in production did the malware activate and provide back doors and the loss of confidential data. This is a highly sophisticated APT and despite all of the money spent, products deployed and hard work, it took just one attack like this to thoroughly breach the defences. The full timeline can be reviewed at CSO online.

The Gartner hype cycle also provides some insight into the challenge as SOAR and OT pass through the trough of disillusionment, clearly showing that they haven’t been able to fully crack the issues around sophisticated breaches, and while SIEM comes close to the plateau of productivity, many of my CISO friends will admit that their SIEM solutions are costly , lumbering and more effective as forensics tools doing little to stop APT’s and move companies “left of bang”.

My XDR friends are of course leaping up to say that this is where the new battleground is, and I would agree to a point. The area is still in its infancy and the hype cycle actually predicts a 5 to 10-year wait for this to reach the plateau of productivity. Looking at many of the XDR and MDR providers, the lack of feeds from different repositories creates challenges, and the “light touch” low CPU usage challenge has forced some to adopt a bifurcated strategy providing an affordable product that ‘kind of’ does the job and a more expensive add-on to really mitigate an attack.
All the while, attacks are taking on new vectors from supply chain to dev-sec -ops to cloud containers, to API’s, and the list goes on.
So here is my challenge. Assuming I have made my point, and while I accept that there is the concept of cybersecurity mesh architecture on the >10-year horizon, what do we do right now to make companies safer and help mitigate from APT’s while we wait?

Do we ask the analyst firms to take a more holistic point of view to APT’s that includes containers, dev sec ops and use cases like those of SolarWinds? How do we help the focus to include some of these very real challenges, and is there room for a completely new set of ‘magic quadrants’ and ‘waves’ that more holistically look at the world of Advanced Persistent Threats?

There has never been a greater need to identify and qualify the companies that are producing great technology that can more thoroughly and holistically defend against APT’s, not just at the endpoint but accross the whole infrasturcture including cloud architecture, containers and development.

I look forward to your comments.