What SMBs Can Learn From Google’s Project Zero
In 2014, Chris Evans, a Google security engineer, assembled a team of elite white-hat hackers to scour the web in search of zero-day threats and potential incidents of compromise. The task force touted some of the biggest names in cybersecurity – Tavis Ormandy, Ben Hawkes and “American hacker prodigy” George Hotz. They called themselves Project Zero.
Earlier this year, while performing a routine process known as fuzzing – which involves inundating software with random data to identify vulnerabilities – Ormandy discovered something unusual: “strange chunks of memory strewn about.” Upon closer investigation, he was able to trace the anomalies back to a San Francisco-based company called Cloudflare. The company, which helps operate more than 6 million websites, including the FBI’s and Nasdaq’s, was hemorrhaging data. The company’s Chief Technology Officer, John Graham-Cumming, would later liken the bug known as “Cloudbleed” to an oil spill.
If there’s a silver lining, it’s that Cloudflare responded swiftly, even by Project Zero’s standards. But the key takeaway here is that if it hadn’t been for Google’s team of experts, it’s hard to say how much longer the leak would have lasted. Sure, Project Zero is an extraordinary initiative that clearly has already done much good. But by no means can it play the role of the world wide web’s police force, not when hackers are so prolific.
So the question small and medium-sized businesses need to ask themselves because of hackers targeting SMBs is this: Do we have a Project Zero for our information systems?
SMB hacking is stealing the show
One of the most widely discussed aspects of Verizon’s 2017 Data Breach Investigations Report was that the majority of data breaches and incidents discussed in research originated with companies that employ 1,000 or fewer people. This isn’t necessarily surprising. For more than a year now, hackers have been homing in on SMBs, primarily because larger enterprises can afford better security and are waking up to an unfortunate reality, which is that the threat landscape is teeming with adversaries.
“Security experts are in high demand but low stock.”
However, when you factor in the cybersecurity talent gap, the fact that hackers are targeting SMBs suddenly seems much more alarming. Firstly, security experts are in high demand but low stock, which means they’re inherently more expensive. Not all SMBs have the funding necessary to hire a team of security engineers to build, manage and monitor a security operations center (SOC).
Secondly, the alternatives for SMBs – endpoint security software and MSSPs – leave a lot to be desired. Endpoint security, and other out-of-the-box InfoSec solutions are not nearly sophisticated enough to perform in the absence of security expertise. Most MSSPs also miss the mark. They will manage a company’s security solutions, but they can’t provide the 24/7/365 monitoring and support needed to protect critical information systems. So where exactly does that leave SMBs?
In desperate need of their own Project Zero.
SOC-as-a-Service: Your personal Project Zero
The closest any service comes to providing Project Zero-like benefits to an individual company’s entire IT ecosystem is SOC-as-a-Service. This service supplies continuous threat hunting, and not just for known vulnerabilities. Security engineers compile existing threat intelligence to filter out known exploits, as well as proactively prowl the network in search of suspicious or unusual activity that may be indicative of a compromise.
Additionally, SOC-as-a-Service grants unfettered access to advanced security experts who can holistically improve security posture through regular vulnerability scans and network health assessments. In this way, they can provide a more profound optimization of an organization’s threat detection and response capabilities.