It's been over a year since the Equifax breach made headline news. But I have the feeling that organizations haven't looked at the Equifax breach as a lesson in what is currently wrong with the cybersecurity industry.
The Equifax breach could have happened to any enterprise. If you don’t agree, you may as well stop reading, because you’re not going to agree with anything that follows.
The truth is, the Equifax security failure was as much the cybersecurity industry’s fault as Equifax’s. If we want to prevent the next large breach, we need to understand what the industry got wrong, and stop ourselves from making the same mistake again.
My most critical takeaway from the Equifax breach is that the basic activities to secure our networks were pushed aside by the latest "buzzword" solutions. In the post-Stuxnet / pre-Equifax era, vendors,analysts, security advisers, and venture capitalists jumped on the “detection and response” bandwagon, pushing the message that investing in preventative controls was a waste of time and resources. The industry was flooded with solutions that were designed to detect attackers post-breach, and security operation centers became the main focus point of the industry. Psychologically, it's clear why - APT’s are sexy, the technologies to detect them are cutting edge, and let’s admit it - no one gets promoted for patching a vulnerability in the network. On the other hand, if an attacker gets caught and stopped in action, well, then it’s time to break out the champagne.
There’s plenty of evidence that Equifax wasn’t just a marginal event. There's the Singhealth breach, all the organizations who were hit by the WannaCry campaign, and probably many more that remained undisclosed. But Equifax got all of the headlines because of the sensitivity of their data.
In my view, the Equifax breach brings to light a bigger issue when it comes to cybersecurity and the way we prioritize our technology investments - we've allowed ourselves to be enticed by cybersecurity companies, vendors, and experts that have been touting the latest and greatest technologies like AI and machine learning. These 'bleeding edge' solutions, although very important and revolutionary in many ways, should only be a part of our wider security strategy - and can’t be treated as a silver bullet.
At the micro level, enterprises should instill the understanding within the organization that Equifax is a wake up call to get back to the basics of security - proper vulnerability and risk management, configuration management, IT hardening and hygiene, SSO, two factor authentication, and more. But at the macro level, this is a wake up call for all of us vendors and practitioners - there are no silver bullets in security, so we should stop promising them to our clients.
As stated above, if the Equifax breach has taught me anything, it’s that I as an emerging vendor in a field that is being disrupted and gets a lot of focus and attention, and as a security practitioner, have the power dictate security mindset and methodologies, and as Ben Parker said: “with great power comes great responsibility”.
So I’m not going to lecture about how important it is to properly manage your security posture and remediate known security gaps - you know that already. Here’s what I want you to focus on instead:
If you’re a vendor - don’t promise silver bullets. You probably have tech, and hopefully solve a real problem. But both of us know for a fact that security problem is so complex, no single solution can solve everything, and by marketing it that way you might contribute to the next Equifax-like breach.
If you’re a security executive - be thoughtful about what you choose to invest in and don’t expect one or two products to save the day.
If you’re a cybersecurity marketer, as I was until a year and a half ago - know that Equifax wasn’t only a wake-up call for security practitioners, it was also one for cybersecurity marketers. Provide meaningful and real content to your clients and prospect.
So in my next pitch, I will not talk about Equifax, instead, I will focus on the Vulcan platform, its benefits, and how it assists its customers is solving real security problems, (but not all of them).