Have you ever been in a situation where your security tools and features simply got in the way? It happened to me recently, when an airline called me in to fix a problem.
The email account of the airline’s chief engineer had been compromised. This was critical, because the engineer was authorized to direct planes to anywhere at any time. The management team wanted to know whether the attack was internal or external.
The firm had a complex array of different point solutions designed to address specific threats. Instead of helping, the threat response technologies spewed out an ocean of data that was almost impossible to correlate. To make matters worse, the person who set up the whole information security infrastructure had left the company, leaving the team entangled in unfathomable security spaghetti. The investigation proved inconclusive and cost a lot of money.
How do security teams get to this sorry point? Both customers and vendors have a part to play.
On the customer side, many of the people in charge of cybersecurity budgets are IT practitioners, for whom cybersecurity is one of many challenges they deal with every day. Their primary objective is to identify and quickly neutralise threats, which they may not have the time to entirely understand.
A vendor’s primary objective is to sell things. To do that, they must make it easy to market. That requires a clearly identifiable problem with fixed, clear boundaries.
This leads them both to the same problem. I call it magpie syndrome – an unhealthy fixation on bright, shiny security product features that each promise to deliver but fail to solve security problems on their own.
Security takes more than product features
Buying an appliance or a new piece of software can provide short-term, empty satisfaction. In reality, there’s no silver bullet, and the complete solution to your security problem rarely has a three-pin plug at the end of it. In many cases, customers may not even understand how to use those features properly, making them detrimental rather than useful.
Shiny product features can sometimes blind people to the need for process. Another firm – a publishing house – contacted me after their FTP server became compromised. This should have been a two-hour fix: unplug the box, rebuild the server, and reload the data from backup.
In reality, it took days. The firm’s security team became mired in politics that stopped it from doing its job. The server contained data from a number of different departments, and each of them had its own idea about how to handle the problem. They spent most of that time fighting over when to take the box offline.
The publishing company should have had an incident response playbook that was tested and used, neutering the politics up front. Like the airline, it should also have focused on basic operations that would have prevented the problems in the first place.
Vendors and customers pursue this feature fetish during every product refresh because it’s easy. Vendors can identify a new threat category – ideally with a sexy acronym – put ‘anti’ on the front of it, stick it into the next product version, and score a quick sale. Harried customers looking for an easy fix can buy it, tick a box, and then blame someone else if their systems are compromised. No one ever has to really think about the problem in depth, but eventually, everyone loses.
A more mature approach
How can we make everyone a winner? There is an opportunity to strengthen security from the ground up, getting the basics right through education and deep, tactical and strategic thinking.
Let’s start with the customers themselves. Instead of blindly ponying up more security budget, they can take a step back and ask whether the latest attack identified by the vendor is a serious threat to their organization or not. If it is, then they could ask whether their existing tools – in conjunction with some smart procedures and awareness training – could achieve the same goal as the latest security gizmo.
Vendors have an opportunity to look beyond the short-term sales opportunity and truly partner with customers and help them understand what’s needed. They can build longer-term relationships including service-based revenue models. Strong partner ecosystems will help drive the systematic change that will help us thwart attackers.
The alternative continues to put vendors and customers alike at a disadvantage in a game of rising stakes. With the frequency and cost of breaches and data losses on the rise, it doesn’t seem to be working well for the industry so far.
Bruce Cowper is a founding member of the Security Education Conference Toronto (SecTor), which takes place October 20 and 21. For more information and to sign up for educational sessions about techniques spanning the management and technology aspects of cybersecurity, visit http://www.sector.ca.