11/20/2018
10:30 AM
Joshua Goldfarb
Commentary

8 Security Buzzwords That Are Too Good to Be True

If you can't get straight answers about popular industry catchphrases, maybe it's time to ask your vendor: How do you actually use the technology?

There is an important security lesson in this famous saying: "If it seems too good to be true, then it probably is." If we take a step back and think about it, both a great deal and a scam present extraordinarily well. Both appear to offer a must-have solution to a challenge. Yet one is very real and the other very unreal. At the same time, vendors in information security are all too quick to throw buzzwords around in an attempt to convince us that their solutions fit the bill. Given this type of environment, how can organizations understand what is good and true versus what is too good to be true?

It is in this spirit that I offer my thoughts to help organizations navigate eight specific buzzwords that I have repeatedly encountered in the security field:

  1. Artificial intelligence: The list of vendors talking about artificial intelligence (AI) is a long one — and getting longer every day. Don't let the buzzword impress you and throw you off course. Regardless of the problem you're looking to solve, ask the vendor to explain to you how, specifically, it uses AI and how that helps the company solve your problem. For example, if a vendor is praising the AI in its endpoint solution, ask some pointed questions. On what data does it operate? How does it scale and perform on an enterprise scale? At a high level, how does the AI approach identify what is interesting and should generate an alert? What is the false-positive percentage in a large enterprise production environment? How are false positives minimized?
  2. Machine learning: Machine learning is another popular catchphrase. It's easy to be impressed by the science-like sound that "machine learning" has, but at the end of the day, it's just another approach that may or may not help you improve your security posture. As with AI, it's important to understand details around how the vendor uses machine learning. Pointed questions are again your friend. For example, if you're looking at a malware detection solution, you need to understand how the vendor uses machine learning to identify malware while at the same time minimizing false positives. If you can't get straight answers to some simple questions, it's time to ask another question: Does this vendor really use machine learning effectively, or even at all?
  3. Next-generation: My parents are humans. I am a next-generation human. That doesn't tell you anything about me other than the fact that I am one generation newer than my parents. Lots of vendors proffer their next-gen solution. But that just means it's newer than the competitor's. What matters far more than how new or old a solution is, is whether it meets your needs and addresses the challenges that you need to address. If salespeople from a vendor start up with the next-gen rhetoric, tell them to stop. Let them know the challenges you face and ask them to describe to you, in a buzzword-free zone, precisely how their solution will help you address your challenges. What should ensue is a straightforward discussion. If it doesn't, it's time to move on to the next vendor.
  4. Data-driven: Can you show me one security solution these days that isn't data-driven? This term isn't so much a differentiator as it is a basic requirement. Every security solution operates on data — we all know that. What is much more important to understand in detail is how exactly a solution obtains data, what type of data is obtained, how it operates on that data, how and where it stores that data, how true positives are identified, how false positives are minimized, and how the solution scales. Leave the buzzwords out of that discussion.
  5. Real-time: Nothing is real-time. Want proof? Stub your toe. It takes about one to two seconds until you feel the pain. All the more so in information security, where we have an enterprise's worth of information flying around the network, endpoints, and cloud environments. If vendor reps come in touting their "real-time solution" for this or that, call them on it. They should be able to give you a reasonable idea of how long it takes for data to be ingested, processed, and analyzed by their solution. In most modern solutions, it's probably anywhere from 30 seconds to a few minutes. And you know what? That's fine. I consider detection within a few hours to be a victory. A few minutes of latency from my tools isn't going to make or break me, particularly if it means that they are going to do a better job at identifying true positives and reducing false positives. If this sounds like a disappointment to you, wake up. And if vendor reps still insist that their solution is real-time, send them packing.
  6. Anomaly detection: Every security professional would love a way to find that stealthy anomaly that flew under the radar. You know what, though? On a real enterprise network, there is a lot of strange stuff. So much so that many things look like an anomaly, even though they may be benign. Just doing anomaly detection isn't enough. A vendor needs to be able to explain what it's doing conceptually, and how that is going to help you identify malicious anomalous behavior. If the solution isn't smoke and mirrors, this should be a fairly straightforward conversation.
  7. Analytics: If you think about it, analytics is really just looking at data from a number of different perspectives, angles, and vantage points to find patterns of interest. In any solution that purports to use analytics, it's important to understand what data it operates on, how it identifies activity of interest, and how it filters and refines its findings to ensure high fidelity and low noise. Anything less is just empty marketing talk.
  8. Automation: When done properly, automation can greatly improve efficiency and reduce the load on an organization's human resources. What does "when done properly" mean? It means that automation must be done in support of and in line with the processes and procedures of the organization. Just automating things for automation's sake won't actually help introduce efficiencies. So when vendor salespeople come in boasting about their automation capability, ask them to elaborate on how exactly they can automate specific parts of your processes and procedures that are draining your valuable resources. A very targeted discussion should ensue, and if it doesn't, then something is amiss.


Josh (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA and also serves as security advisor to ExtraHop. Prior to ...