
In an effort to protect their organizations, security professionals can overdo it. The result often works against them.

Joshua Goldfarb, Global Solutions Architect — Security

May 12, 2021


My wife and I recently became homeowners. In the weeks leading up to the move, we spent a lot of time going through our belongings to decide what to keep, what to give away, and what to throw away or recycle.

During this process, it struck me that despite the fact I'm organized and don't like to accumulate "stuff," I could probably eliminate 50% to 75% of what I have and never even notice. I bet that's true for many of us. It got me thinking about what's important in life, and for me that's health, happiness, family, friends, and freedom.

And because security is such a big part of my life, I quickly realized how the moving exercise related, too. As security professionals, we should ask ourselves: "What is truly essential?" I'd like to discuss this question as it applies to five specific areas within the security profession.

Alerting
With so many security organizations suffering from alert fatigue and drowning in false positives, the obvious question is, "Why do they find themselves in this situation?"

Often, the answer is the organization has not taken the time to think about what is truly essential for alerting. Many organizations have alerts that were built organically – someone put in one set of alerts, a vendor recommended another set of alerts, management requested these alerts, there was an incident once that resulted in those alerts, etc.

The result of this tactically driven alert building is usually a lot of noise in the form of false positives. Worse yet, all those alerts may not actually mitigate a whole lot of risk, not to mention they pull the attention and time of valuable analyst resources away from more pressing and important matters.

So what can organizations do to build more essential and value-add alerting? Start with the highest priority risks and threats. Translate that into infrastructure, assets, and data that, if compromised, would cause the gravest damage to the organization. Matrix the risks and threats with infrastructure, assets, and data to understand the points at which alerts are most needed. Write precise, incisive alerts to identify the activity that is of concern without generating a large number of false positives. This will produce far more reliable and actionable alerts without drowning the organization in noise.
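The four steps above, worked as an added example that is not part of the article: a constructed threat-by-asset matrix decides where alerts are most needed, and a precise rule is then compared against an "organic" one over constructed authentication log lines. The asset names, threat names, impact and likelihood numbers, log format and thresholds are all assumptions chosen for the illustration.

```python
from datetime import datetime, timedelta

# Constructed risk/asset matrix: impact 1-5 if the asset is compromised by each
# threat, plus a rough likelihood per threat. Both tables are assumptions.
IMPACT = {
    "payroll-db":    {"credential_stuffing": 5, "ransomware": 4, "data_exfil": 5},
    "intranet-wiki": {"credential_stuffing": 1, "ransomware": 2, "data_exfil": 1},
    "vpn-gateway":   {"credential_stuffing": 4, "ransomware": 2, "data_exfil": 3},
}
LIKELIHOOD = {"credential_stuffing": 0.6, "ransomware": 0.3, "data_exfil": 0.2}


def alert_priority(impact=IMPACT, likelihood=LIKELIHOOD):
    """Rank (asset, threat) pairs by impact x likelihood, highest first."""
    rows = [(imp * likelihood[t], asset, t)
            for asset, threats in impact.items() for t, imp in threats.items()]
    rows.sort(reverse=True)
    return [(asset, t, round(score, 2)) for score, asset, t in rows]


def high_value_assets(threshold=2.0, impact=IMPACT, likelihood=LIKELIHOOD):
    """Assets where at least one threat scores at or above the threshold. These
    get the precise alert; the rest stay in the logs but do not page anyone."""
    return {asset for asset, _, score in alert_priority(impact, likelihood)
            if score >= threshold}


# Constructed authentication log lines (not real data).
LOG = """\
2021-05-12T09:00:01 auth host=intranet-wiki src=10.0.0.7 user=alice result=FAIL
2021-05-12T09:00:05 auth host=intranet-wiki src=10.0.0.7 user=alice result=OK
2021-05-12T09:01:00 auth host=payroll-db src=198.51.100.9 user=bob result=FAIL
2021-05-12T09:01:02 auth host=payroll-db src=198.51.100.9 user=bob result=FAIL
2021-05-12T09:01:04 auth host=payroll-db src=198.51.100.9 user=bob result=FAIL
2021-05-12T09:01:05 auth host=payroll-db src=198.51.100.9 user=bob result=FAIL
2021-05-12T09:01:06 auth host=payroll-db src=198.51.100.9 user=bob result=FAIL
2021-05-12T09:01:09 auth host=payroll-db src=198.51.100.9 user=bob result=OK
2021-05-12T09:30:00 auth host=vpn-gateway src=10.0.0.8 user=carol result=FAIL
2021-05-12T10:15:00 auth host=vpn-gateway src=10.0.0.8 user=carol result=OK
"""


def parse_log(text):
    """Turn 'timestamp kind key=value ...' lines into dicts with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _kind, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def naive_rule(events):
    """The organically grown rule: every failed login is an alert."""
    return [ev for ev in events if ev["result"] == "FAIL"]


def precise_rule(events, assets=None, min_fails=4, window=timedelta(seconds=60)):
    """Alert only when a high-value host sees >= min_fails failures from one
    source inside the window and that same source then logs in successfully."""
    assets = high_value_assets() if assets is None else assets
    fails = {}  # (host, src) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["host"] not in assets:
            continue
        key = (ev["host"], ev["src"])
        recent = [t for t in fails.get(key, []) if ev["ts"] - t <= window]
        if ev["result"] == "FAIL":
            recent.append(ev["ts"])
        elif len(recent) >= min_fails:
            alerts.append({"host": ev["host"], "src": ev["src"], "user": ev["user"],
                           "failures_before_success": len(recent), "at": ev["ts"]})
            recent = []
        fails[key] = recent
    return alerts


if __name__ == "__main__":
    evs = parse_log(LOG)
    print("alert points:", alert_priority()[:3])
    print("naive alerts:", len(naive_rule(evs)), "precise alerts:", precise_rule(evs))
```

On the constructed log the naive rule raises seven alerts, six of them ordinary typos, while the precise rule raises one: the burst of failures against the highest-scoring asset followed by a success. The thresholds and window are deliberately exposed as parameters, since the right values come from the organization's own baseline rather than from the matrix.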

Compliance
I'm still amazed by how draconian organizations can be about regulatory compliance. Of course, compliance is an important subject, and I certainly don't take it lightly. However, it requires more effort to understand what a regulation, policy, or audit finding actually requires than it does to just err completely on the side of caution.

The problem with this approach is it often introduces unnecessary cost, friction, and productivity loss into the organization, none of which are good for the long-term reputation, health, and profitability of the business. It pays to invest in understanding what is truly essential for compliance versus what is simply the result of lack of an effort to understand requirements.

Policy
We've all had moments where we've been completely frustrated by overly complex password policies. While that's just an example, it illustrates a larger point: When policies are created without a fundamental understanding of what is truly essential, they often force overbearing rules on users while providing little to no additional security and risk mitigation.

To avoid this trap, organizations need to invest in understanding how effectively their policies mitigate risk and reduce exposure to threats, rather than prolonging the life of the ineffective conventional wisdom of yesterday.

Process
During my years on the operational (customer) side, I saw many processes or portions of processes that appeared redundant, ineffective, or inefficient. I'd ask, "Why does the organization follow this process?" More often than not, the answer would be something like, "I don't know, but we've always done it that way."

Obviously, this isn't a good reason for a process to exist. Taking a step back allows us to understand which organizational challenges and issues require process around them, along with what type of process makes sense. This goes a long way toward solving real problems without creating extraneous processes that serve no real strategic purpose.

Stakeholders
In an enterprise, stakeholder buy-in and support are essential to move any effort forward. It is also important, however, to have both the correct stakeholders and the correct number of stakeholders. Too many or the wrong stakeholders can sidetrack an effort by introducing additional confusion, miscommunications, politics, and opposition. Taking the time to understand which stakeholders are truly essential to a given effort pays huge dividends down the line.

Understanding what is truly essential is easier said than done. It takes an investment of resources to analyze and understand what is required versus what is extraneous. However, this investment, when done properly, is well worth it, as it produces outcomes that are far better for the enterprise.

About the Author(s)

Joshua Goldfarb

Global Solutions Architect — Security, F5

Josh Goldfarb is currently Global Solutions Architect — Security at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.
