Next week, security practitioners from across the globe will make their summer pilgrimage to Las Vegas for Black Hat, DEF CON, and other security gatherings. As in years past, there will be no shortage of surprises:
- Attendees, press, vendors, and analysts will clamor for insight on a tactic or technique that will break what was once thought unbreakable.
- A geopolitical event will cast a shadow over the week like the Edward Snowden and DIRNSA keynote did in 2014.
- A vendor will have the most over-the-top party (my bet, Rapid7).
- The funniest T-shirt will capture the spirit of this year's get-together.
- Attendees will be mesmerized by the latest hacking demo or "drop the mic" vulnerability announcement.
What's more — and most important — attendees for one week can forget the less exciting, mundane, and more challenging tasks that await them back at home. Tasks such as patch management, identity management, and other basics that most affect the security health of an organization and about which security leaders have the most influence.
Why is focusing on the external and sensational far more compelling than the internal and controllable? The answer is what I describe as "breach fixation." Here are four examples:
In Search of the EZ Button
The EZ button is what I call a popular trend in the corporate world in which executives attempt to solve a business problem in one fell swoop by implementing a technology solution or outsourcing the entire problem to a third-party provider. Instead of trying to make substantial progress on your own, you chuck the whole thing over to someone else and make it their problem. On the corporate side, think of business process outsourcing as where you take a huge problem (IT and billing) and expect … "voilà!" — problem solved. Perhaps this reflects a relentless pursuit of the instant gratification derived from US fast food. Perhaps …
Security might be your job, but it's just one more additional thing for laypeople in your organization to worry about. Aside from clear mandates on the topic, compliance-driven requirements, or a recent "near-death" experience, most organizations are still balancing security needs with day-to-day pressing needs in order to win more customers and increase revenue. This is a good thing. Security is asking other people to improve the organization above and beyond what individual workers are held accountable for on a daily basis. It's important to understand that this is the natural order and that security leaders are likely to encounter pushback on additional security controls.
Bias for Products over Processes
I get it. Product equals scalability. To make substantial progress on a security problem in a large 20,000-seat corporate environment you need technology. However, when the underlying risk decisions, business processes, and operations have not been addressed in a meaningful way, products only solve part of the problem and give security leaders a false sense of security. One example I come across in the application security world involves web application firewalls (WAFs). When the PCI DSS first mandated the implementation of WAFs to protect web applications, organizations went out and bought WAFs, implemented them, and in large numbers did not implement any semblance of blocking. WAFs without blocking are really glorified Layer 7 logging devices. Worse, they provide a false sense of security.
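The "WAF in logging-only mode" problem is cheap to detect once you know where to look. As an added example (not part of the original post), this script audits a ModSecurity-style configuration for the `SecRuleEngine` directive and reports whether the engine will actually block; the sample config text is constructed, and the choice of ModSecurity as the WAF is an assumption.

```python
import re

# Constructed sample: the configuration many shops end up with after the
# "buy a WAF, tick the PCI box" step. Rules are loaded, but the engine was
# never switched from DetectionOnly to On, so nothing is ever blocked.
DETECT_ONLY_CONF = """\
# ModSecurity main configuration (constructed example)
SecRuleEngine DetectionOnly
SecAuditEngine RelevantOnly
Include crs/*.conf
"""

# Constructed sample: same file after tuning, with the engine flipped on.
# The later directive wins, exactly as ModSecurity applies it.
BLOCKING_CONF = """\
SecRuleEngine DetectionOnly
# after false positives were tuned out, the operator enabled blocking:
SecRuleEngine On
"""

_ENGINE_RE = re.compile(r"^SecRuleEngine\s+\"?([A-Za-z]+)\"?", re.IGNORECASE)
_CANONICAL = {"on": "On", "off": "Off", "detectiononly": "DetectionOnly"}


def rule_engine_mode(conf_text: str) -> str:
    """Return the effective SecRuleEngine value for a config file's text.

    Comment and blank lines are skipped and the last directive wins. When the
    directive is absent, ModSecurity's documented default of "Off" applies,
    which is worse than DetectionOnly: no rules run at all. Include files are
    not followed (assumption: the engine directive lives in the main file).
    """
    mode = "off"
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = _ENGINE_RE.match(stripped)
        if match:
            mode = match.group(1).lower()
    return _CANONICAL.get(mode, mode)


def is_blocking(conf_text: str) -> bool:
    """True only when the WAF will act on rule matches rather than just log."""
    return rule_engine_mode(conf_text) == "On"


if __name__ == "__main__":
    for name, conf in (("detect-only", DETECT_ONLY_CONF), ("blocking", BLOCKING_CONF)):
        print(f"{name}: SecRuleEngine={rule_engine_mode(conf)} blocking={is_blocking(conf)}")
```

Run it against the real main configuration on each WAF node; a `DetectionOnly` or `Off` result on a production host is exactly the "glorified Layer 7 logging device" described above.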
Fixing Processes Is Hard
Let's face it: Reengineering existing business processes to improve security is hard. Doing so requires a deep understanding of existing security processes, an understanding that most organizations don't have outside of the security team itself. The expanding consulting ecosystem focused on providing clients feedback on NIST security processes reflects that. The different levels of the Capability Maturity Model Integration (CMMI) scale show just how challenging process improvement can be:
- Level 1, Initial: Processes are unpredictable, poorly controlled and reactive.
- Level 2, Managed: Processes are characterized for projects and are often reactive.
- Level 3, Defined: Processes are characterized for the organization and are proactive.
- Level 4, Quantitatively Managed: Processes are managed and controlled.
As security practitioners privately know, most organizations are fortunate to achieve Level 2 and rarely are their security processes quantitatively managed and controlled. That's because improving security processes is an uphill battle, though well worth the effort, especially after a welcome respite at Black Hat.