In recent years, a disturbing trend should have become apparent to anyone closely following the security industry. We have seen a large uptick in investment in security tools by organizations, but we have not observed a decrease in breaches and ransomware attacks. This should raise a serious question among security leaders as to what we as an industry are strategically doing wrong. Why are we not getting improved outcomes against attackers with all of this increased investment?
This presentation will attempt to answer this question by demonstrating an evidence-based approach to information security management that focuses on using emulation of attacker techniques as a means of quantitatively measuring control efficacy. Examples will be given to illustrate the evidence-based approach and how it readily reveals that security tooling alone does not often provide the level of protection that one might assume. The presentation will illustrate how to identify weaknesses in current tooling and control sets and develop needed compensating controls to ensure that security teams are providing actual security to their organizations and not just the illusion of security.
Takeaways:
- Evidence-based approaches to cyber security as a means of measuring control efficacy and not just control existence
- Operationalizing threat-informed defense
- Using purple teaming for detection and control engineering