Threat Intelligence

10:30 AM
Joshua Goldfarb
Joshua Goldfarb
Connect Directly
E-Mail vvv

Pragmatic Security: 20 Signs You Are 'Boiling the Ocean'

Ocean-boiling is responsible for most of the draconian, nonproductive security policies I've witnessed over the course of my career. Here's why they don't work.

I've always been a fan of the rather descriptive expression "boil the ocean." According to Investopedia, boiling the ocean is to undertake an impossible task or project, or to make a task or project unnecessarily difficult. More concisely, boiling the ocean generally means "to go overboard."

In security, we can learn a valuable lesson from this expression. Security is all about balance and pragmatism. Enumerating risks and threats to the organization while simultaneously prioritizing them. Seeking to mitigate risk while in parallel understanding the need to accept a certain amount of it. Building a security program even though some of the people, process, and technology involved may be missing or imperfect. Running security operations with an understanding that the conditions are never ideal. Balancing between business or operational needs and security principles. And so on…

In my experience, boiling the ocean does not allow an organization to improve its security posture. In fact, quite the opposite is true. So how can organizations turn away from ocean-boiling and toward a more pragmatic approach to security?  I present "20 signs you are trying to boil the ocean."

Image Credit: DuMont Television/Rosen Studios. Public domain, via Wikimedia Commons.
Image Credit: DuMont Television/Rosen Studios. Public domain, via Wikimedia Commons.

1. Perfect is the enemy of good. I'm a big fan of the Pareto principle. Sometimes it is possible to roll out a solution that addresses most of what we need fairly quickly, even if it doesn't address everything. If we wait for that perfect solution, we might be waiting a long time.
2. Finding the problem in every solution. I've worked with some pretty impressive people over the course of my career who seem able to find a solution to nearly every problem they face. I've also worked with people who seem to find the problem in every solution they discover. The former helps organizations mature. The latter makes them spin their wheels endlessly.
3. Working in series rather than in parallel. Ever feel like you can't move forward on tasks B, C, and D until task A is completed? That may be the case in some instances. But in many cases, there isn't as much interdependence between tasks as you think. It is very often quite possible to work in parallel to move things forward.
4. Inability to find the path forward. If trying to move any effort forward seems like an endless series of dead ends, it could be a sign that a less complicated path may bring better results.
5. Paralysis. Organizational paralysis can be, well, paralyzing. If employees don't try and effect change because they feel that it is doomed to failure, it could be another sign of rampant ocean boiling.
6. Playing hot potato. When the answer is unknown, it's easy to just say no and pass the hot potato on to the next person. Putting aside ocean boiling allows organizations to identify what can be done, instead of what cannot be done.
7. Always looking for more data points. It's easy to put off a decision because you are waiting for more data points. At some point, you need to realize that you have just about all of the relevant data points you will ever have and make a decision.
8. Always waiting for something else to happen. In a similar manner, it's easy to put off a decision because you are waiting for something else to be completed.  Sometimes there is a genuine need for this time of dependence, but often, it's another symptom of ocean boiling.
9. Looking for every out. Ever come across people who seem like they are just looking for every possible out or opportunity to dismiss an idea? No idea is perfect, but many ideas can develop into real-life solutions.
10. Waiting for more money. There will never be enough budget to do everything that needs doing. Prioritize and get moving.
11. Waiting for more time. See number 10.
12. Looking for the perfect hire. Everyone wants to hire a 20-year-old analyst with 10 years of experience. I'd also like to have a pet unicorn, but we can't always have what we want. Consider hiring bright, energetic, motivated, and analytical people and training them.
13. Drowning in false positives. Well, if I turn off my noisiest alerts, then I might miss something, so I'll just do nothing instead. Sound familiar? News flash: if you are drowning in false positives, you are missing something already. Figure out how to be alerted to more of the stuff you care about and less of the stuff you don't.
14. Stagnant on content development. Attacker techniques continually evolve. You will never arrive at the perfect signature, logic, or algorithm. Know when you have something good enough that gives you a good shot at identifying attacker activity without drowning you in false positives.
15. Processes and procedures are forever a work in progress. There will always be more that can be documented or documented better. But at some point, your team needs guidance and a path forward for a variety of different situations.
16. Inability to start a dialogue with executives. You will never be prepared enough for all the potential questions and points that executives might raise. But you need to be able to get enough of a story together to be able to discuss risk prioritization with executives and move your team's agenda forward.
17. Inability to make progress with the business. Security shouldn't be the team of no, nor should it inhibit the business. On the other hand, risk to the business needs to managed properly and minimized wherever possible. These may sound like contradictory points, but a pragmatic, collaborative approach to the business can make all parties converge to a workable solution.
18. Operations permanently stuck in ramp-up. I've seen lots of situations where security teams seem to ramp up for years on end. At some point, security operations must start, even if imperfect. A security program can always be improved iteratively once it is running day-to-day. That's much better than never getting anything off of the ground.
19. Inability to prioritize risk. Every risk seems like a top priority. But if we have limited resources, we have to make calculated choices. Otherwise, we spin our wheels forever.
20. Draconian policies. Ocean boiling is responsible for most of the draconian security policies I've seen over the course of my career. It helps to understand which policies and practices actually contribute to improving security, and which ones just make ocean boilers feel better.

Related Content:


Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Josh (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA and also serves as security advisor to ExtraHop. Prior to ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
User Rank: Author
3/6/2018 | 3:06:31 PM
Great Article
Thanks Josh. As always, clear and precise. 
<<   <   Page 2 / 2
Who Does What in Cybersecurity at the C-Level
Steve Zurier, Freelance Writer,  3/16/2018
(ISC)2 Report: Glaring Disparity in Diversity for US Cybersecurity
Kelly Jackson Higgins, Executive Editor at Dark Reading,  3/15/2018
Voice-Operated Devices, Enterprise Security & the 'Big Truck' Attack
Menny Barzilay, Co-founder & CEO, FortyTwo Global,  3/15/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.