
Operations | Commentary
9/8/2015, 11:00 AM
Bruce Cowper

Avoiding ‘Magpie Syndrome’ In Cybersecurity

A quick fix usually isn't. Here's why those bright shiny new point solutions and security features can cause more harm than good.

Have you ever been in a situation where your security tools and features simply got in the way? It happened to me recently, when an airline called me in to fix a problem.

The email account of the airline’s chief engineer had been compromised. This was critical, because the engineer was authorized to direct planes to anywhere at any time. The management team wanted to know whether the attack was internal or external.

The firm had a complex array of different point solutions designed to address specific threats. Instead of helping, the threat response technologies spewed out an ocean of data that was almost impossible to correlate. To make matters worse, the person who set up the whole information security infrastructure had left the company, leaving the team entangled in unfathomable security spaghetti. The investigation proved inconclusive and cost a lot of money.

How do security teams get to this sorry point? Both customers and vendors have a part to play.

On the customer side, many of the people in charge of cybersecurity budgets are IT practitioners, for whom cybersecurity is one of many challenges they deal with every day. Their primary objective is to identify and quickly neutralise threats, which they may not have the time to entirely understand.

A vendor’s primary objective is to sell things. To do that, they must make it easy to market. That requires a clearly identifiable problem with fixed, clear boundaries.

This leads them both to the same problem. I call it magpie syndrome – an unhealthy fixation on bright, shiny security product features that each promise to deliver but fail to solve security problems on their own.

Security takes more than product features
Buying an appliance or a new piece of software can provide short-term, empty satisfaction. In reality, there’s no silver bullet, and the complete solution to your security problem rarely has a three-pin plug at the end of it. In many cases, customers may not even understand how to use those features properly, making them detrimental rather than useful.

Shiny product features can sometimes blind people to the need for process. Another firm – a publishing house – contacted me after their FTP server became compromised. This should have been a two-hour fix: unplug the box, rebuild the server, and reload the data from backup.

In reality, it took days. The firm’s security team became mired in politics that stopped it from doing its job. The server contained data from a number of different departments, and each of them had its own idea about how to handle the problem. They spent most of that time fighting over when to take the box offline.

The publishing company should have had an incident response playbook that was tested and used, neutering the politics up front. Like the airline, it should also have focused on basic operations that would have prevented the problems in the first place.

Vendors and customers pursue this feature fetish during every product refresh because it’s easy. Vendors can identify a new threat category – ideally with a sexy acronym – put ‘anti’ on the front of it, stick it into the next product version, and score a quick sale. Harried customers looking for an easy fix can buy it, tick a box, and then blame someone else if their systems are compromised. No one ever has to really think about the problem in depth, but eventually, everyone loses.

A more mature approach
How can we make everyone a winner? There is an opportunity to strengthen security from the ground up, getting the basics right through education and deep, tactical and strategic thinking.

Let’s start with the customers themselves. Instead of blindly ponying up more security budget, they can take a step back and ask whether the latest attack identified by the vendor is a serious threat to their organization or not. If it is, then they could ask whether their existing tools – in conjunction with some smart procedures and awareness training – could achieve the same goal as the latest security gizmo.

Vendors have an opportunity to look beyond the short-term sales opportunity and truly partner with customers and help them understand what’s needed. They can build longer-term relationships including service-based revenue models. Strong partner ecosystems will help drive the systematic change that will help us thwart attackers.

The alternative continues to put vendors and customers alike at a disadvantage in a game of rising stakes. With the frequency and cost of breaches and data losses on the rise, it doesn’t seem to be working well for the industry so far.

Bruce Cowper is a founding member of the Security Education Conference Toronto (SecTor), which takes place October 20 and 21. For more information and to sign up for educational sessions about techniques spanning the management and technology aspects of cybersecurity, visit http://www.sector.ca.

Bruce Cowper is a founding member of the Security Education Conference Toronto (SecTor), the Toronto Area Security Klatch (TASK), the Ottawa Area Security Klatch (OASK) and an active member of numerous organizations across North America. In his day job, Bruce works for ...
Comments
paulholland, User Rank: Apprentice
9/9/2015 | 4:59:20 AM
RE: Avoiding 'Magpie Syndrome' In Cybersecurity
I agree with this; the technologies are great up to a point, but you need to have your processes in place to support them properly, and also the staff knowledgeable enough to be able to deal with the process and the technology.
mattwilliamsfromseattle, User Rank: Apprentice
9/8/2015 | 8:23:06 PM
Importance of Context Awareness
The issue I see with many of the anti-"fill-in-the-blank" and the shiny new vendor tools is that they are siloed. Vendors make many promises about their tool, but context awareness around their tool is important, as well as being able to integrate each tool into an overarching strategy. I agree with the point that vendors need to act as trusted advisors instead of going for the easy sale. Unfortunately, like the bad actors out there, vendors and security teams both follow the path of least resistance. Meaning, until either vendors or, more likely, security teams work together to discover how a tool can fit into a security strategy, we will continue to see this 'Magpie Syndrome.' On top of that, we have yet to see a tool that manages vendor risk; how difficult is it to know that the best tools and a top-notch strategy can be undone by a 3rd-party vendor with poor security?