It’s Time to Move Cybersecurity Forward
The cybersecurity industry's approach to tooling and infrastructure is badly outdated.
Cybersecurity is 10-15 years behind IT.
That may seem like a big claim. But recent events have shown that our industry’s approach to tooling and infrastructure is badly outdated.
The heart of the problem is that far too many cybersecurity vendors are selling products that are essentially black boxes. The prevailing mentality among tool providers: “Buy our product, and you’re protected. We’ll keep you safe. You don’t have to worry about how.”
Even things like update management, version control, and change windows become part of that dubious promise—something for vendors to handle so customers feel secure.
But when security vendors treat their solution as if it lives in a bubble, isolated from the rest of tech, it leads to problems. Local security teams can’t see what vendors are doing—and are denied basic control and management of their tools. Vendors don't know how their changes will impact customers.
As we’ve seen, this approach can have unintended, even catastrophic consequences. But despite what LinkedIn influencers and opportunistic marketing teams would have us believe, the problem isn’t limited to a specific security company; it’s industry-wide. It’s time for a change.
What cybersecurity can learn from IT
There’s an important lesson for our industry in the recent cybersecurity disruptions, and it mirrors something IT learned long ago. Tech industries are successful when they adopt a practitioner-focused, engineering-centric approach to core tools. For cybersecurity to move forward, we must do the same.
At a high level, we must:
Stop seeing security tools as products that deliver protection, and focus instead on knowing how we’re protected—what some have described as the shift from promise-based security to evidence-based security.
Give teams full control of tools and infrastructure so the stack can be observed, tested, validated, and customized to suit their unique needs.
Offer practitioners API-first access to tools and the ability to manage deployment, configuration, updates, and testing as they see fit.
Build security tools using the principles and best practices that IT professionals already embrace, e.g., automation, scalability, CI/CD, infrastructure-as-code (IaC), and so forth.
These changes would give teams full visibility and control over their operations—including tool testing, updates, rollouts, and rollbacks. The net effect would be greater stability in production environments and better security outcomes.
Security benefits of an engineering approach
Our industry has some of the most skilled, innovative people in any area of technology—but they’re often stuck working with tools they can’t see into, can’t customize, and can’t control.
The benefits of moving to an engineering-focused approach would be immediate:
Security teams could create fine-grained detection and response logic much more easily, protecting their environment in ways that aren’t possible using one-size-fits-all tools.
Manual workflows and processes could be automated, freeing skilled team members to focus on higher-value tasks.
Practitioners would be better able to implement mature, proactive security practices like detection-as-code (DaC).
An organization’s security posture could be tested, empirically and regularly, with greater rigor and assurance than current solutions allow.
Clearly, this transformation won’t be accomplished by any one company. It’s going to have to be an all-hands effort.
The good news is that forward-looking cybersecurity vendors are already making strides in the right direction. See, for example, Red Canary’s Atomic Red Team for testable security, Sublime Security’s open, engineering-based approach to email security, and the MSSP Soteria’s extensive work on DaC, just to name a few.
For many of us in cybersecurity, it can be hard to hear that we need to play catch-up with IT. I’m sure that some won’t want to hear this message. But the sooner we, as an industry, adopt the successful practices that revolutionized IT, the better. Cybersecurity teams need the same benefits that transparency, scalability, and automation deliver to other technology professionals. Because then, instead of being hamstrung by our tools, we will be empowered by them.
Are there any specific items we should be looking at surfacing?
Expel tries to show both the decisions their team makes and the detection logic they use for coverage
https://expel.com/blog/expel-workbench-history-unparalleled-mdr-transparency/
How could they do better?