For decades, the cybersecurity industry has been shrouded in secrecy. This is partly because of the misunderstanding that cybersecurity often relies on obscurity as its primary form of defense. As the thinking goes, if adversaries don’t know about or understand the security controls that security vendors have in place, it will be easier to defend against cyberattacks.
While the reasoning may seem sound, it’s based on a dangerous false equivalency, not backed by empirical evidence or historical context. The evidence? Data breach statistics continue to tick upward at an alarming pace.
Organizations cannot rely on secrecy or static detections to identify threats and successfully stop cyberattacks. These tools are great at detecting a specific identifier for a file, for example, but an adversary could still easily make a minor change that entirely throws off the mechanisms for that detection. To mitigate this, layers of defense must cover many points of the attack surface. Weaving together a tapestry of defense mechanisms increases the effectiveness of a security solution and provides organizations the opportunity to break the attack lifecycle at multiple points.
In addition to layered protections, cyber defenders also now have a better understanding of how adversaries operate. The MITRE ATT&CK framework, a curated knowledge base and model for adversary behavior, outlines the phases of an attacker’s lifecycle and the tactics and techniques used to undermine a security defense. MITRE ATT&CK has provided cyber defenders an accessible and transparent playbook for defending their enterprises by providing a common taxonomy of adversary actions.
Security vendors should find opportunity in this same spirit of openness and transparency.
Open security — a methodology that shifts the dynamic of a security company’s relationship with its customer — has the potential to transform the cybersecurity industry by bringing security practitioners together to create a more resilient response to enterprise threats.
Why open security?
There is still a misconception that openness is inherently less secure. Many security vendors hope that by not providing the mechanisms used in their detection of a threat, it will make it harder for an adversary to identify weaknesses in their software. But today’s cyber criminals already have the tools to understand if a security system can identify them before they even breach a system.
Given this reality, open security offers an opportunity to short circuit the problem by reducing the time to detect when a new threat slips through the cracks. When a security guard is reviewing security camera footage, they know exactly where the cameras are pointed and where they are not. This helps them identify the vulnerable areas that are outside of the camera’s line of sight and can help them determine if any further investigation is required. Understanding gap coverage means that security practitioners can uncover where they need to supplement their existing security tools or more carefully and proactively monitor for threats. It enables security teams to build the best possible defense for their specific environment — not just environments that are perceived as having an adequate defense.
Adopting open security takes a village
Another benefit of open security? The community that is born from vendors being transparent about their security controls, detection rules, and threat logic can be a force multiplier of best practices across the entire industry. When vendors engage their experts with experts from across the broader security community about new threats they’ve observed or innovative methods for detecting nuanced attacks, it creates greater scalability of system defenses — not just for the enterprise but also for their customers.
It’s important to remember that security goes beyond threat detection; it’s also about the ability to take action on that threat. How can an attack be stopped, and what can be learned from forensics to strengthen defenses against similar threats moving forward? When vendors make security open and transparent, it allows them to continuously improve their tooling beyond what they would have been able to do using their limited internal resources.
At Elastic, our commitment to open security started with opening our security artifacts. By sharing the patterns of behavior we look for to identify threats and our mechanisms for stopping an attack, other companies can leverage the work we’ve already done to strengthen their own defenses. This has enabled us to solicit feedback from the broader security community and gain a more diverse perspective on our current protection methods, creating a more collaborative approach to cybersecurity and facilitating continuous improvement across the industry.
Ultimately, open security is about trust. Trust that your security software will protect your company against the latest cyber threats, and trust that it will operate in a unique environment without interfering with day-to-day operations.
By combining our collective resources to accelerate our response to cyber threats, we have the potential to drastically reduce the quantity and impact of cyber attacks that occur every year.