Speaking on day one of the ITWeb Security Summit 2017 in Midrand yesterday, Louw said organisations should rather invest in employing skilled individuals.
"Spending money on technology before there is a specific set of requirements from a detection team is wasteful, and creates a false sense of security," said Louw. "Through cyber threat hunting, instead of setting out static controls companies can rather make the policy on how to get to the correct controls."
Cyber threat hunting is defined as the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.
Referring to the ‘Paris model of threat hunting', Louw recommends that companies should make threat modelling and attack path mapping a core component of their security strategy. "Make the process by which you, as a company, decide on appropriate policy, not the controls themselves. Companies should look at solving the problem rather than ticking boxes," he concluded.
Spending money on technology before there is a specific set of requirements from a detection team is wasteful.
"At the end of the exercise you have not only checked your defences but you have improved everything and patched issues you didn't know you had before," Young said.