Lately, the Preventative Doesn’t Work Quick / Well Enough So All Heads Turn To Reactive Security has had its effect. But not the intended effect of doing both, just the latter it seems [yes, I know].
And, where the FLOT hadn’t been up to it before, often by lack of proper budget, the hardly sufficient funds have been shifted. Recipe for …
Indeed, the Reactive part had been neglected much too long, but a shift was not asked or, but a doubling of efforts on both sides (?). Hence, the now ‘new’ SIEM et al., may have had all the attention but that doesn’t mean success (yet!), objectively.
And subjectively, maybe less — ’so what did you do with the money ..?’ — also caused by the shift-not-double of allocations (budget, in Count da Money, time and supremely capable staff).
Not so strange, when you go, at a strategic level, from one point (/) solution to another…
So, the way out ..?
I.e., find the balance and play chess at Grand Master level on all boards (including B~ see last Thursday’s post below). Starting at the front, your attack surface, by means of Activity-Based Access Control and Integrity of Systems. And all other stuff you did in the past but have to bring back up to snuff and clean out like Augeas’ stables (thinking of your ‘user administration’ here).
And then realise that all this is still asymmetrical to the hilt, so absolutely not enough. Do not throw away what you built over the last year / and a half but extend it… With smart fill into the matrix of this. Which should be much cheaper than (thinking, faintly trying) to tighten your FLOT shut; the thin red line that it is. And with this blended approach also much less hindering the Good ones.
[Oh, edited to add after schedule-time: this. For the balance… But will, I think per Feb 27, return with a high(er)-level view why ‘preventative’ and ‘in control’ are definitiely two distinct things…]