Commentary
9/8/2015 11:00 AM
Bruce Cowper

Avoiding Magpie Syndrome In Cybersecurity

A quick fix usually isn't. Here's why those bright shiny new point solutions and security features can cause more harm than good.

Have you ever been in a situation where your security tools and features simply got in the way? It happened to me recently, when an airline called me in to fix a problem.

The email account of the airline’s chief engineer had been compromised. This was critical, because the engineer was authorized to direct planes anywhere at any time. The management team wanted to know whether the attack was internal or external.

The firm had a complex array of different point solutions designed to address specific threats. Instead of helping, the threat response technologies spewed out an ocean of data that was almost impossible to correlate. To make matters worse, the person who set up the whole information security infrastructure had left the company, leaving the team entangled in unfathomable security spaghetti. The investigation proved inconclusive and cost a lot of money.

How do security teams get to this sorry point? Both customers and vendors have a part to play.

On the customer side, many of the people in charge of cybersecurity budgets are IT practitioners, for whom cybersecurity is one of many challenges they deal with every day. Their primary objective is to identify and quickly neutralise threats, which they may not have the time to entirely understand.

A vendor’s primary objective is to sell things. To do that, they must make it easy to market. That requires a clearly identifiable problem with fixed, clear boundaries.

This leads them both to the same problem. I call it magpie syndrome – an unhealthy fixation on bright, shiny security product features that each promise a fix but cannot solve a security problem on their own.

Security takes more than product features
Buying an appliance or a new piece of software can provide short-term, empty satisfaction. In reality, there’s no silver bullet, and the complete solution to your security problem rarely has a three-pin plug at the end of it. In many cases, customers may not even understand how to use those features properly, making them detrimental rather than useful.

Shiny product features can sometimes blind people to the need for process. Another firm – a publishing house – contacted me after their FTP server became compromised. This should have been a two-hour fix: unplug the box, rebuild the server, and reload the data from backup.

In reality, it took days. The firm’s security team became mired in politics that stopped it from doing its job. The server contained data from a number of different departments, and each of them had its own idea about how to handle the problem. They spent most of that time fighting over when to take the box offline.

The publishing company should have had an incident response playbook that was tested and used, neutering the politics up front. Like the airline, it should also have focused on basic operations that would have prevented the problems in the first place.

Vendors and customers pursue this feature fetish during every product refresh because it’s easy. Vendors can identify a new threat category – ideally with a sexy acronym – put ‘anti’ on the front of it, stick it into the next product version, and score a quick sale. Harried customers looking for an easy fix can buy it, tick a box, and then blame someone else if their systems are compromised. No one ever has to really think about the problem in depth, but eventually, everyone loses.

A more mature approach
How can we make everyone a winner? There is an opportunity to strengthen security from the ground up, getting the basics right through education and deep, tactical and strategic thinking.

Let’s start with the customers themselves. Instead of blindly ponying up more security budget, they can take a step back and ask whether the latest attack identified by the vendor is a serious threat to their organization or not. If it is, then they could ask whether their existing tools – in conjunction with some smart procedures and awareness training – could achieve the same goal as the latest security gizmo.

Vendors have an opportunity to look beyond the short-term sales opportunity and truly partner with customers and help them understand what’s needed. They can build longer-term relationships including service-based revenue models. Strong partner ecosystems will help drive the systematic change that will help us thwart attackers.

The alternative continues to put vendors and customers alike at a disadvantage in a game of rising stakes. With the frequency and cost of breaches and data losses on the rise, it doesn’t seem to be working well for the industry so far.

Bruce Cowper is a founding member of the Security Education Conference Toronto (SecTor), which takes place October 20 and 21. For more information and to sign up for educational sessions about techniques spanning the management and technology aspects of cybersecurity, visit http://www.sector.ca.

Bruce Cowper is a founding member of the Security Education Conference Toronto (SecTor), the Toronto Area Security Klatch (TASK), the Ottawa Area Security Klatch (OASK) and an active member of numerous organizations across North America. In his day job, Bruce works for ...
Comments

paulholland, User Rank: Apprentice, 9/9/2015 | 4:59:20 AM
RE: Avoiding 'Magpie Syndrome' In Cybersecurity
I agree with this; the technologies are great up to a point, but you need to have your processes in place to support them properly, and also staff knowledgeable enough to be able to deal with the process and the technology.
mattwilliamsfromseattle, User Rank: Apprentice, 9/8/2015 | 8:23:06 PM
Importance of Context Awareness
The issue I see with many of the anti-"fill-in-the-blank" and the shiny new vendor tools is that they are siloed. Vendors make many promises about their tool, but context awareness around their tool is important, as well as being able to integrate each tool into an overarching strategy. I agree with the point that vendors need to act as trusted advisors instead of going for the easy sale. Unfortunately, like the bad actors out there, vendors and security teams both follow the path of least resistance. Meaning, until either vendors or, more likely, security teams work together to discover how a tool can fit into a security strategy, we will continue to see this 'Magpie Syndrome.' On top of that, we have yet to see a tool that manages vendor risk; how difficult it is to know that the best tools and a top-notch strategy can be undone by a 3rd-party vendor with poor security.