Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

8/10/2016
01:30 PM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

Theory Vs Practice: Getting The Most Out Of Infosec

Why being practical and operationally minded is the only way to build a successful security program.

One of my favorite quotes states: “In theory, theory and practice are the same. In practice, they are not.” I adore this quote for many reasons, and it is one that truly speaks to me. Perhaps I am so fond of this quote because it describes how I approach the discipline of security, and perhaps even life in general.

In my experience, there are two fundamental perspectives that drive how an individual or an organization approaches security: theorist and pragmatist. I’d like to illustrate the difference between these two perspectives through four distinct and examples.

Example 1: Program of “no” 
In many organizations, security has the unfortunate reputation of being the program of “no.”  While it is true that the security organization is ultimately responsible for mitigating and minimizing risk to the organization, it is seldom the case that this is accomplished by saying no all the time.

Let’s take the move to the cloud as an example. In some organizations, the security team will fight the business every step of the way as it moves to the cloud. In other organizations, the security team will work collaboratively with the business to understand how to mitigate additional risk that may be introduced into the organization, work to maintain visibility into business functions that move to the cloud, and ensure that the ability to respond to an incident remains intact.

Why do some organizations take the first approach, while others take the second approach? The former is the theorist’s approach, while the latter is that of the pragmatist. In theory, a move to the cloud will introduce additional risk to the business that the security team may not be able to mitigate. But in practice, the move to the cloud will happen whether we like it or not, and we can either get ahead of it, or be the program of “no”. 

I’ll leave it to you to judge which approach is more likely to help you build bridges and relationships that will allow you to improve the overall security posture of the organization in the long run.

Example 2: Passwords 
As much as we all love 20-character passwords with four capital letters and three special characters, they aren’t particularly effective as a security measure. Of course passwords should not be easily guessable. They shouldn’t be names, birthdays, words, etc. But organizations often take this best practice to a draconian extreme.

What’s the result? Employees write down their passwords or otherwise find ways to work around the system. Using a less extreme password requirement with two factor authentication is usually a much better approach, and it’s one that employees don’t feel the need to work around.

Why do some organizations take the password game to the draconian extreme? You guessed it -- it’s the theorist versus the pragmatist again. In theory, an attacker could guess a password with only 10 characters, one uppercase letter, and one special character more easily than a draconian extreme password. 

But in practice, they don’t:  they compromise systems through the use of social engineering and then steal them. If you insist on being a draconian theorist, you will drive your users to work around you. If you take a pragmatist’s approach, you will find your users much more likely to adhere to your policy.

In other words, by being practical, you are much more likely to achieve your desired results.

Example 3: Anomaly Detection 
Anomaly detection is something I hear people discuss quite often. Back in 2005, I tried implementing a few different anomaly detection solutions that were “guaranteed to work” on a live, production network. What was the result? After a two-week learning period, within the first five minutes of turning on alerting, the solutions generally produced hundreds of thousands of false positive alerts, subsequently flooding and crashing the SIEM.

In theory, anomaly detection is extremely important. I need to learn what is normal, expected, and desired in order to find what is not normal, unexpected, and undesired. In practice, a live, production network is almost never like a lab network, and the flood of false positives and its destructive effect on the workflow and efficiency of the security organization vastly outweigh any potential gain in the detection of malicious or suspicious activity.

Do I think that anomaly detection ultimately has a future in the security field? Absolutely, but only if it is approached pragmatically, with an understanding of, and appreciation for, the pain of operational personnel.

Example 4: I might miss something
I’ve written many times about the need to collect fewer data sources of higher relevance to security operations. In a nutshell, collecting every source of data we can get our hands on, irrespective of its relevance to security operations actually reduces the security posture of an organization in three ways:

  • The variety of data sources creates confusion, uncertainty, and inefficiency. This makes an analyst’s first question “Where do I go to get the data I need?” rather than “What questions do I need to ask of the data?”
  • The volume and velocity of the data deluge the collection system, thereby making data irretrievable in a timely manner
  • Storage is consumed more quickly, thus shortening retention and negatively impacting visibility

In other words, a focus on data value (specifically to security operations), rather than data volume produces better results. Choose the fewest number of data sources that provides you with the required visibility. The theorist believes that he or she might miss something. The pragmatist knows that if he or she cannot leverage the data when they need it most, they will definitely miss something.

It is extremely important to be practical and operationally minded when planning, implementing, and improving a security program. It is important to understand the real-world ramifications and effects that certain decisions will have. While many ideas sound great in theory, in practice, they often turn out to disappoint or even have the opposite of their intended effect.

Related Content:

 

 

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Lessons from the NSA: Know Your Assets
Robert Lemos, Contributing Writer,  12/12/2019
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19807
PUBLISHED: 2019-12-15
In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. The timeri variable was originally intended to be for a newly created timer instance, but was used for ...
CVE-2014-8650
PUBLISHED: 2019-12-15
python-requests-Kerberos through 0.5 does not handle mutual authentication
CVE-2014-3536
PUBLISHED: 2019-12-15
CFME (CloudForms Management Engine) 5: RHN account information is logged to top_output.log during registration
CVE-2014-3643
PUBLISHED: 2019-12-15
jersey: XXE via parameter entities not disabled by the jersey SAX parser
CVE-2014-3652
PUBLISHED: 2019-12-15
JBoss KeyCloak: Open redirect vulnerability via failure to validate the redirect URL.