Detective capabilities will improve cybersecurity

Around $114 billion was spent on cybersecurity globally last year, according to Gartner. Yet, if you look around, it still isn’t working adequately – there are still large breaches and huge amounts of money being stolen by cyber gangs.

This is the view of Charl Van der Walt, Chief Security Strategy Officer at SecureData, which was recently acquired by the Orange Group. A lot of theories have been put forward as to why cybersecurity isn’t keeping the criminals out – from needing smarter people and better technologies to improved intelligence and stricter regulation, but instead, Van der Walt sees it as a continuous treadmill that organizations need to start taking control of. This means introducing detective capabilities.

Security breaches

The endless race against cybercriminals

“In Africa, where I’m from, the lioness wakes up and thinks she needs to hunt down the gazelle for food; the gazelle wakes up and thinks she needs to outrun the lion. This analogy is like what is happening in cyberspace. In cybersecurity, we wake up and we’re forever running – there is a new attack, a new vulnerability to patch, a new regulation that requires compliance,” says Van der Walt. KPIs are built around having to run.

“Businesses believe if they can stay ahead of the lion, they’ll be OK,” adds Van der Walt. But even more scary, he believes, are organizations who think that if they can run faster than the other gazelles, the lioness won’t get them. This spawns benchmarking efforts to see how a business compares with other organizations, but it leaves the business’s own defenses wanting. According to a survey by Dimensional Research, more than 60 percent of enterprises don’t have established, hardened benchmarks to provide a baseline for measuring their own security posture. This means they are failing to focus on the issue itself – that a breach at some point is inevitable and every organization needs to be ready and prepared.

Van der Walt goes as far as saying that cybersecurity now is as unpredictable as running with the bulls in Pamplona, Spain. “There is a sense of chaos. You can outrun some of the bulls some of the time, but you can’t outrun all of the bulls, all of the time,” he says. “One of those bulls, by accident or sheer skill, will get you. The same applies to cyberattacks, which is why our job as security experts is being responsive to what is happening.”

With the fines and regulations that are in place and with more coming down the pipe, the cost of a breach far outweighs the cost of cyber defense. It therefore isn’t about measuring security against return on investment (ROI), but instead getting the best possible protection for the spend available.

Defense strategy

Changing business landscape drives cybercrime

It’s the size and shifting of the business landscape that allows cybercrime to flourish, argues Van der Walt.

Take, for example, ransomware. It wasn’t really a viable concept until the explosion of cryptocurrencies back in 2015, according to Van der Walt, as prior to this, stored value cards needed to be physically posted to an address as payment. “Crime follows business,” explains Van der Walt. “Crime has followed cryptocurrencies. If we want to make predictions about what is happening, we need to look at the evolution of cryptocurrencies.”

Cybercriminals have taken an existing invention – cryptocurrencies – and applied it to supercharge the ransomware business model. Money can now be moved quickly and anonymously – making detection difficult and financing even larger and more sophisticated attacks. Cybercriminals are often selling crime-as-a-service to paying customers; this sort of innovation helps them stand out from the competition.

How do we face down the angry bulls?

Unfortunately, the power balance is asymmetrical – with everything falling in favor of the attacker, according to Van der Walt. So, how do we turn the odds around? He believes that organizations need to move from “a purely protective to a detective approach.”

Organizations, however, understand their environment. This is one big advantage they have over their attackers. “They need to leverage this advantage,” advises Van der Walt.

“A breach or compromise is inevitable. In a mature defense strategy today, it’s prudent and wise to have a detective capability. You need visibility into your environment so you can see and respond,” he adds. “Compliance is also a driver here. If you can’t see what is going on in your environment, you aren’t doing enough.”

Turning detective

Threat intelligence analysts are the detectives in the field of cybersecurity, analyzing data to map out systematic patterns of behavior to spot anomalies that may play a vital role in predicting or preventing attacks.

As Sun Tzu, Chinese General and Military Strategist, said, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” The same can be said of cybersecurity and associated intelligence, according to Van der Walt.

Underscoring this, he outlines key points that drive successful detective capabilities. Firstly, an organization needs to understand exactly how its infrastructure, employees and processes work. This may require running an audit, for example. It must also focus on people and principles, not just technology.

It’s also important to follow the so-called “cyber kill chain,” which is derived from a military model. It refers to the seven steps usually required to pull off a successful attack, from early reconnaissance to extracting data. “An adversary has to go down prescribed paths, in some there are many choices, in others just a few. You only have to break the chain in one place to get a sense that something is going wrong,” explains Van der Walt.
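The kill-chain idea above, and the “breadcrumbs” point made later in the article, can be turned into simple correlation logic. The following is an added example, not code from the article or from SecureData; the phase names are the seven Lockheed Martin kill-chain phases, while the rule names, the log format and the log lines are constructed for illustration. A single weak signal on a host is just a breadcrumb; several breadcrumbs spanning different phases of the chain are what raise an alert.

```python
from collections import defaultdict

# The seven Lockheed Martin kill-chain phases, in attack order.
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]

# Hypothetical detection-rule names mapped to the phase they evidence
# (an assumption for this example, not a standard taxonomy).
RULE_TO_PHASE = {
    "port_scan": "reconnaissance",
    "macro_doc_attachment": "delivery",
    "office_spawns_shell": "exploitation",
    "new_autorun_service": "installation",
    "beacon_to_rare_domain": "command_and_control",
    "large_outbound_transfer": "actions_on_objectives",
}

def parse_line(line):
    """Parse a constructed log line: '<timestamp> host=<host> rule=<rule>'."""
    ts, host_kv, rule_kv = line.split()
    return ts, host_kv.split("=", 1)[1], rule_kv.split("=", 1)[1]

def correlate(lines, min_phases=2):
    """Group weak signals per host; return {host: [phases in chain order]}
    for hosts whose breadcrumbs span at least min_phases distinct phases."""
    seen = defaultdict(set)
    for line in lines:
        _, host, rule = parse_line(line)
        phase = RULE_TO_PHASE.get(rule)  # rules outside the map are ignored
        if phase:
            seen[host].add(phase)
    return {host: sorted(ps, key=PHASES.index)
            for host, ps in seen.items() if len(ps) >= min_phases}

# Constructed sample log: one host leaves a trail across four phases,
# another shows a single scan and nothing else.
SAMPLE_LOG = [
    "2019-03-04T08:01:10 host=ws-17 rule=macro_doc_attachment",
    "2019-03-04T08:03:22 host=ws-17 rule=office_spawns_shell",
    "2019-03-04T08:03:40 host=ws-17 rule=new_autorun_service",
    "2019-03-04T08:10:05 host=ws-17 rule=beacon_to_rare_domain",
    "2019-03-04T09:15:00 host=ws-42 rule=port_scan",
    "2019-03-04T09:20:00 host=ws-42 rule=unmapped_rule",
]

if __name__ == "__main__":
    for host, phases in correlate(SAMPLE_LOG).items():
        print(f"{host}: chain observed at {' -> '.join(phases)}")
```

Lowering `min_phases` to 1 makes every mapped breadcrumb an alert, which is the trade-off between earlier warning and more noise that a detection team has to tune.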

Partner with cybersecurity experts

The cybersecurity vista is changing so fast, it’s difficult for many organizations to keep up. Security programs need to compensate for these constant changes, which is difficult for organizations to get right. This is why Van der Walt recommends that organizations partner with cybersecurity experts that have the scope, intelligence, experience, flexibility and global reach to get it right.

As well as providing a dedicated team of experts and filling the skills gap, a security partner can also provide independent validation of an organization’s security posture. “Finally, you need agility. A security program isn’t something you do once and leave, it has to adapt all the time,” adds Van der Walt.

In choosing a security partner, Van der Walt recommends that organizations look for someone they can reach out to, have a conversation with, is present and has the capabilities they need. “In detection, you’re generally not presented with one big smoking gun. What you see is a whole lot of small things, little signs, breadcrumbs. When detection teams and IT operations teams see these, they need to be able to work together,” he concludes.



Charl Van der Walt, Chief Security Strategy Officer at SecureData, is a keen ultra marathon runner, having competed in the Marathon Des Sables in the Sahara Desert and events in the Gobi Desert and Antarctica. He began his career working in cyberdefense for the South African government before forming expert consultancy SensePost, subsequently acquired by SecureData. In January 2019, SecureData joined forces with Orange Cyberdefense. He is a regular and popular speaker at Black Hat conferences around the world.