Cloud

11/20/2018
10:30 AM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

8 Security Buzzwords That Are Too Good to Be True

If you can't get straight answers about popular industry catchphrases, maybe it's time to ask your vendor: How do you actually use the technology?

There is an important security lesson in this famous saying: "If it seems too good to be true, then it probably is." If we take a step back and think about it, both a great deal and a scam present extraordinarily well. Both appear to offer a must-have solution to a challenge. Yet one is very real and the other very unreal. At the same time, vendors in information security are all too quick to throw buzzwords around in an attempt to convince us that their solutions fit the bill. Given this type of environment, how can organizations understand what is good and true versus what is too good to be true?

It is in this spirit that I offer my thoughts to help organizations navigate eight specific buzzwords that I have repeatedly encountered in the security field:

  1. Artificial intelligence: The list of vendors talking about artificial intelligence (AI) is a long one — and getting longer every day. Don't let the buzzword impress you and throw you off course. Regardless of the problem you're looking to solve, ask the vendor to explain to you how, specifically, it uses AI and how that helps the company solve your problem. For example, if a vendor is praising the AI in its endpoint solution, ask some pointed questions. On what data does it operate? How does it scale and perform on an enterprise scale? At a high level, how does the AI approach identify what is interesting and should generate an alert? What is the false-positive percentage in a large enterprise production environment? How are false positives minimized?
  2. Machine learning: Machine learning is another popular catchphrase. It's easy to be impressed by the science-like sound that "machine learning" has, but at the end of the day, it's just another approach that may or may not help you improve your security posture. As with AI, it's important to understand details around how the vendor uses machine learning. Pointed questions are again your friend. For example, if you're looking at a malware detection solution, you need to understand how the vendor uses machine learning to identify malware while at the same time minimizing false positives. If you can't get straight answers to some simple questions, it's time to ask another question: Does this vendor really use machine learning effectively, or even at all?
  3. Next-generation: My parents are humans. I am a next-generation human. That doesn't tell you anything about me other than the fact that I am one generation newer than my parents. Lots of vendors proffer their next-gen solution. But that just means it's newer than the competitor's. What's more important than how new or old a solution is whether or not it meets your needs and addresses the challenges that you need to address. If salespeople from a vendor start up with the next-gen rhetoric, tell them to stop. Let them know the challenges you face and ask them to describe to you, in a buzzword-free zone, precisely how their solution will help you address your challenges. What should ensue is a straightforward discussion. If it doesn't, it's time to move on to the next vendor.
  4. Data-driven: Can you show me one security solution these days that isn't data-driven? This term isn't so much a differentiator as it is a basic requirement. Every security solution operates on data — we all know that. What is much more important to understand in detail is how exactly a solution obtains data, what type of data is obtained, how it operates on that data, how and where it stores that data, how true positives are identified, how false positives are minimized, and how the solution scales. Leave the buzzwords out of that discussion.
  5. Real-time: Nothing is real-time. Want proof? Stub your toe. It takes about one to two seconds until you feel the pain. All the more so in information security, where we have an enterprise-worth of information flying around the network, endpoints, and cloud environments. If vendor reps come in touting their "real-time solution" for this or that, call them on it. They should be able to give you a reasonable idea of how long it takes for data to be ingested, processed, and analyzed by their solution. In most modern solutions, it's probably anywhere from 30 seconds to a few minutes. And you know what? That's fine. I consider detection within a few hours to be a victory. A few minutes of latency from my tools isn't going to make or break me, particularly if it means that they are going to do a better job at identifying true positives and reducing false positives. If this sounds like a disappointment to you, wake up. And if vendor reps still insist that their solution is real-time, send them packing.
  6. Anomaly detection: Every security professional would love a way to find that stealth anomaly that flew under the radar. You know what, though? On a real enterprise network, there is a lot of strange stuff. So much so that many things look like an anomaly, even though they may be benign. Just doing anomaly detection isn't enough. A vendor needs to be able to explain what it's up to conceptually, and how that is going to help you identify malicious anomalous behavior. If the solution isn't smoke and mirrors, this should be a fairly straightforward conversation.
  7. Analytics: If you think about it, analytics is really just looking at data from a number of different perspectives, angles, and vantage points to find patterns of interest. In any solution that purports to use analytics, it's important to understand what data it operates on, how it identifies activity of interest, and how it filters and refines its findings to ensure high fidelity and low noise. Anything less is just empty marketing talk.
  8. Automation: When done properly, automation can greatly improve efficiency and reduce the load on an organization's human resources. What does "when done properly" mean? It means that automation must be done in support of and in line with the processes and procedures of the organization. Just automating things for automation's sake won't actually help introduce efficiencies. So when vendor salespeople come in boasting about their automation capability, ask them to elaborate on how exactly they can automate specific parts of your processes and procedures that are draining your valuable resources. A very targeted discussion should ensue, and if it doesn't, then something is amiss.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Josh (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA and also serves as security advisor to ExtraHop. Prior to ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
2019 Attacker Playbook
Ericka Chickowski, Contributing Writer, Dark Reading,  12/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
[Sponsored Content] The State of Encryption and How to Improve It
[Sponsored Content] The State of Encryption and How to Improve It
Encryption and access controls are considered to be the ultimate safeguards to ensure the security and confidentiality of data, which is why they're mandated in so many compliance and regulatory standards. While the cybersecurity market boasts a wide variety of encryption technologies, many data breaches reveal that sensitive and personal data has often been left unencrypted and, therefore, vulnerable.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-15031
PUBLISHED: 2018-12-18
In all versions of ARM Trusted Firmware up to and including v1.4, not initializing or saving/restoring the PMCR_EL0 register can leak secure world timing information.
CVE-2018-19522
PUBLISHED: 2018-12-18
DriverAgent 2.2015.7.14, which includes DrvAgent64.sys 1.0.0.1, allows a user to send an IOCTL (0x800020F4) with a buffer containing user defined content. The driver's subroutine will execute a wrmsr instruction with the user's buffer for partial input.
CVE-2018-1833
PUBLISHED: 2018-12-18
IBM Event Streams 2018.3.0 could allow a remote attacker to submit an API request with a fake Host request header. An attacker, who has already gained authorised access via the CLI, could exploit this vulnerability to spoof the request header. IBM X-Force ID: 150507.
CVE-2018-4015
PUBLISHED: 2018-12-18
An exploitable vulnerability exists in the HTTP client functionality of the Webroot BrightCloud SDK. The configuration of the HTTP client does not enforce a secure connection by default, resulting in a failure to validate TLS certificates. An attacker could impersonate a remote BrightCloud server to...
CVE-2018-20201
PUBLISHED: 2018-12-18
There is a stack-based buffer over-read in the jsfNameFromString function of jsflash.c in Espruino 2V00, leading to a denial of service or possibly unspecified other impact via a crafted js file.