What keeps Mandiant Intelligence EVP Sandra Joyce up at night? The coming storm
The next wave of security maturity is measuring effectiveness, she told The Register
RSA Conference When Sandra Joyce, EVP of Mandiant Intelligence, describes the current threat landscape, it sounds like the perfect storm.
The threat intelligence firm, which is being acquired by Google Cloud, made its annual cybersecurity predictions for the year ahead. And this year, they all materialized at once.
"We predicted supply-chain attacks four years ago," Joyce said, in an interview with The Register at the RSA Conference. "We predicted deployment of wipers during wartime. And now we're watching all of these things happen at the same time, and in amounts that are greater than ever and at frequencies of scale that are more than ever."
These days Mandiant tracks more threat actors and malware families than every before, she added. "This problem is getting bigger."
But, she said, the security industry is also getting better at responding to increasing threats — even when they all hit at once. And organizations are doing a better job at recovering from attacks.
"If there's anything good about dealing with things like ransomware over the past few years, it's that it has instilled some know-how and resilience into our industry that we may not have had for years," she said.
Mandiant gets called in to assist with "thousands" of incident responses every year, Joyce said. "And what people forget is this: companies recover," she added. "The vast majority continue on. In fact, I can't think of one that didn't."
Resilience is top of mind, according to Joyce, echoing a theme from her earlier keynote.
- Ukraine's secret cyber-defense that blunts Russian attacks: Excellent backups
- Iran, China-linked gangs join Putin's disinformation war online
- FBI: Cyber-scams cost victims $6.9b-plus worldwide in 2021
- Even Russia's Evil Corp now favors software-as-a-service
Backing up data and systems means organizations can recover more quickly from a ransomware — or a data wiping — attack. Most companies understand this, and they know what good hygiene looks like and what they are supposed to do to improve their security posture.
Of course, sometimes there remains a disconnect between knowing what should be done and actually doing it. But overall, enterprises are becoming more resilient because they realize the problem is not going away, Joyce said.
This despite the billions of dollars being lost to business email compromise, organizations are also improving their security training for employees, she added.
How to measure effectiveness?
"The evolution from here is getting to the point where we can measure effectiveness," Joyce said. "More boards are going to ask: What is my investment getting me? And how can you measure that? And I think that that's how we ultimately see how we become more efficient in the security space."
Mandiant's answer to this is its security validation service. It uses the firm's threat intel to measure how well an organization's security controls perform against real-life attacks and hacking techniques, and gives them a score based on their preparedness.
"We run realistic scenarios through validation on things that we saw last week," Joyce said. "And we can say, we have these ransomware actions that we saw in an IR last week, so let's run that against all of the security controls that we have in place."
The validation service sends an alert if the organization detected and blocked the threat. And if security controls didn't work, it also details why not. "It could be the technology works, but it's misconfigured," Joyce said. "Validation is sort of a niche offering, but I think we're going to see it in the next maturity wave."
Oh, and the answer to the cybersecurity skills gap isn't simply hiring more people, according to Joyce. "We don't have enough people to solve this problem, so let's put that to the side," she said. "What we really need is the automation of repeatable tasks."
This doesn't mean buying the latest, shiny security tool that uses AI.
"Everybody thinks about automating the cyber problem from the outside in," Joyce added. "It's within your organization. We need to automate repeatable tasks of the actual cybersecurity work." ®