Insights from Customer Conversations: Understanding Cybersecurity Strategy (Virsec Blog)
Written by Jeff Cristee, Senior Vice President Enterprise Sales, Virsec
After years of working in networking technology, I joined Virsec, a company that provides innovative and patented protection for application and server workloads. Despite my lack of background in cybersecurity, I recognized that talking to customers to understand their needs was the best way to learn. Through over 100 meetings with mid-size to Fortune 100 companies, I identified several universal customer beliefs about their cybersecurity strategy and operation:
What they are doing now is not enough:
Every customer understands that they have gaps in their security posture. Even companies that have deployed all the traditional tools see breaches occur that elude their existing XDR, WAFs, Firewalls, etc. They are still a step slow. Chasing XDR alerts of varying degrees of accuracy increases their sense of futility.
Growing frustration with software vendors and published vulnerabilities:
Host operating system vendors regularly publish newly discovered vulnerabilities (CVEs). Microsoft releases new vulnerabilities for their operating systems on the 2nd Tuesday of every month, providing severity indicators to help customers prioritize patching and remediation if available and supported.
One CISO of a health and hospital system told me that software companies feel absolved once they publish the CVEs and develop a patch. Yet, his team cannot even begin to patch anything less than an 8 or higher on the CVSS severity score, causing him anxiety knowing he has not remediated the majority on know vulnerabilities in his environment. He is asking for them to do more testing to reduce vulnerabilities, not rush products to market and remediate them after they are discovered by malicious or ethical hackers in the field.
Security teams are skeptical of new solutions:
Once customers understand how backstop server workload protection can protect these vulnerabilities from being exploited in run time, they are still reluctant to move forward. Why?
In general, the industry has overpromised and underdelivered. All evaluation of any vendor claims is met with rightful skepticism.
Some companies are facing challenges in maintaining their security posture due to slow decision-making processes by security teams. This often results in known vulnerabilities being neglected for months. For instance, a large bank in North America, which has experienced three breaches in the past 18 months, told Virsec that it would take them about two years to evaluate our solution before deploying it on their production servers.
In the one area that requires rapid innovation and iteration as attacks and vulnerability exploits evolve very quickly, the process follows a long process reminiscent of major purchase RFPs from decades ago, where IT teams could focus on one thing at a time.
POV’s are viewed as a major project, not a test:
To enhance the security of their systems, IT and security teams often conduct lengthy proof of value (POV) assessments of new technologies. Customers want more efficient ways to evaluate vendor solutions in their environment. A quicker, more streamlined process would enable organizations to conduct small-scale tests and swiftly implement new remedies, which can then be scaled up.
The operations teams are often overworked, which leads to frustration and, eventually, numbness:
For many of the reasons listed above, operations teams are overworked, futilely chasing alerts and being called in during weekends to do emergency patching or thwart an attack that is in place. It is no coincidence that many egregious attacks launched by malicious actors occur over Holiday Weekends. Log4j was released before Christmas. WannaCry detonated over Mother’s Day. Volt Typhoon was over Memorial Day weekend. This is designed to demoralize SecOps and ITOps teams.
Teams are overworked, skeptical of new solutions, and frustrated by weekend plans being canceled for work. But with no process to deploy new strategies quickly, they wait and hope they aren’t impacted, knowing their existing tools are a buffer, not a true solution. Security and IT staff often become numb to the challenges and jaded by the fact that there is only so much they can do.
IT Ops, SecOps, and AppSec must be better partners:
This frustration leads to finger-pointing based on competing priorities. IT Ops and SecOps must collaborate for optimal results. Prioritizing security cannot come at the expense of application performance and vice versa.
In many companies, security teams are hesitant to add new tools onto servers as they fear they will be blamed by application teams for any issues that subsequently arise, whether it is related to the security tool or not. IT Ops teams need to be part of any security evaluations for products that will reside on application servers and understand that sacrificing security for application performance is ultimately a losing strategy.
Conversely, security teams need to prioritize evaluating tools that can significantly reduce the manual patching and alert fatigue being experienced by IT ops teams today. Security tools should benefit application teams, not handcuff them.
What is Virsec doing to help customers breakthrough?
We understand that Virsec may not solve all customer issues, but it is a step in the right direction as we have focused on the following:
- Taking a protect-first-then-alert approach to safeguarding application and server workloads, where an estimated 80% of state agency malware attacks are concentrated. This provides crucial protection at the source of critical corporate and customer data.
- Blocking known and unknown zero-day attacks from executing an attack on your application and server workloads.
- Stopping Microsoft and other host operating system vulnerabilities from being exploited in milliseconds – regardless of if they are known (published CVE), unknown, or unpatched. This proactive protection eliminates emergency patching fatigue and provides a critical layer of Zero Trust protection. This includes Legacy out of support systems like Windows 2003, 2008, and RHEL 6.
- Creating a 90-minute POV process that can demonstrate how we implement, operate, and interoperate in a customer environment quickly.
- Pulling together use cases that are as beneficial to the IT Ops and Applications teams as they are to the SecOps teams. Both are partners in a new approach to solving vulnerabilities.
- Working as an additional Zero Trust backstop complimentary to your existing tools within your environment.
- Improving every customer’s security posture on application and server workloads. Every POV and every customer test has yielded significant additional protection against MITRE 25 top dangerous threats. Every single one.
Virsec is in a great position to help solve many of these challenges, but it is going to take a different approach from customers as well:
- Rapid, iterative learning.
- Small-scale pilots that quickly scale to deployments.
- Developing a culture of partnership.
- Re-energizing IT and SecOps staffs that they CAN win.
These things can be done by continually looking at the innovation that is occurring in cybersecurity and developing a process that deploys the most impactful technologies on an accelerated path. If any of these issues resonate with you, I can assure you that you are not alone. Do what I did for more affirmation: Go talk to other customers and users. It has proven, once again, to be the best way to learn.