Joshua Goldfarb
Pragmatic Security: 20 Signs You Are 'Boiling the Ocean'

Ocean-boiling is responsible for most of the draconian, nonproductive security policies I've witnessed over the course of my career. Here's why they don't work.

I've always been a fan of the rather descriptive expression "boil the ocean." According to Investopedia, boiling the ocean is to undertake an impossible task or project, or to make a task or project unnecessarily difficult. More concisely, boiling the ocean generally means "to go overboard."

In security, we can learn a valuable lesson from this expression. Security is all about balance and pragmatism. Enumerating risks and threats to the organization while simultaneously prioritizing them. Seeking to mitigate risk while in parallel understanding the need to accept a certain amount of it. Building a security program even though some of the people, process, and technology involved may be missing or imperfect. Running security operations with an understanding that the conditions are never ideal. Balancing between business or operational needs and security principles. And so on…

In my experience, boiling the ocean does not allow an organization to improve its security posture. In fact, quite the opposite is true. So how can organizations turn away from ocean-boiling and toward a more pragmatic approach to security? I present "20 signs you are trying to boil the ocean."

Image Credit: DuMont Television/Rosen Studios. Public domain, via Wikimedia Commons.

1. Perfect is the enemy of good. I'm a big fan of the Pareto principle. Sometimes it is possible to roll out a solution that addresses most of what we need fairly quickly, even if it doesn't address everything. If we wait for that perfect solution, we might be waiting a long time.
2. Finding the problem in every solution. I've worked with some pretty impressive people over the course of my career who seem able to find a solution to nearly every problem they face. I've also worked with people who seem to find the problem in every solution they discover. The former helps organizations mature. The latter makes them spin their wheels endlessly.
3. Working in series rather than in parallel. Ever feel like you can't move forward on tasks B, C, and D until task A is completed? That may be the case in some instances. But in many cases, there isn't as much interdependence between tasks as you think. It is very often quite possible to work in parallel to move things forward.
4. Inability to find the path forward. If trying to move any effort forward seems like an endless series of dead ends, it could be a sign that a less complicated path may bring better results.
5. Paralysis. Organizational paralysis can be, well, paralyzing. If employees don't try and effect change because they feel that it is doomed to failure, it could be another sign of rampant ocean boiling.
6. Playing hot potato. When the answer is unknown, it's easy to just say no and pass the hot potato on to the next person. Putting aside ocean boiling allows organizations to identify what can be done, instead of what cannot be done.
7. Always looking for more data points. It's easy to put off a decision because you are waiting for more data points. At some point, you need to realize that you have just about all of the relevant data points you will ever have and make a decision.
8. Always waiting for something else to happen. In a similar manner, it's easy to put off a decision because you are waiting for something else to be completed. Sometimes there is a genuine need for this type of dependence, but often, it's another symptom of ocean boiling.
9. Looking for every out. Ever come across people who seem like they are just looking for every possible out or opportunity to dismiss an idea? No idea is perfect, but many ideas can develop into real-life solutions.
10. Waiting for more money. There will never be enough budget to do everything that needs doing. Prioritize and get moving.
11. Waiting for more time. See number 10.
12. Looking for the perfect hire. Everyone wants to hire a 20-year-old analyst with 10 years of experience. I'd also like to have a pet unicorn, but we can't always have what we want. Consider hiring bright, energetic, motivated, and analytical people and training them.
13. Drowning in false positives. Well, if I turn off my noisiest alerts, then I might miss something, so I'll just do nothing instead. Sound familiar? News flash: if you are drowning in false positives, you are missing something already. Figure out how to be alerted to more of the stuff you care about and less of the stuff you don't.
14. Stagnant on content development. Attacker techniques continually evolve. You will never arrive at the perfect signature, logic, or algorithm. Know when you have something good enough that gives you a good shot at identifying attacker activity without drowning you in false positives.
15. Processes and procedures are forever a work in progress. There will always be more that can be documented or documented better. But at some point, your team needs guidance and a path forward for a variety of different situations.
16. Inability to start a dialogue with executives. You will never be prepared enough for all the potential questions and points that executives might raise. But you need to be able to get enough of a story together to be able to discuss risk prioritization with executives and move your team's agenda forward.
17. Inability to make progress with the business. Security shouldn't be the team of no, nor should it inhibit the business. On the other hand, risk to the business needs to be managed properly and minimized wherever possible. These may sound like contradictory points, but a pragmatic, collaborative approach to the business can make all parties converge on a workable solution.
18. Operations permanently stuck in ramp-up. I've seen lots of situations where security teams seem to ramp up for years on end. At some point, security operations must start, even if imperfect. A security program can always be improved iteratively once it is running day-to-day. That's much better than never getting anything off the ground.
19. Inability to prioritize risk. Every risk seems like a top priority. But if we have limited resources, we have to make calculated choices. Otherwise, we spin our wheels forever.
20. Draconian policies. Ocean boiling is responsible for most of the draconian security policies I've seen over the course of my career. It helps to understand which policies and practices actually contribute to improving security, and which ones just make ocean boilers feel better.
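Items 13 and 14 above argue for tuning detection content to "good enough" rather than waiting for a perfect signature. The following is an added example, not code from the article or its author, of one way a SOC can make that judgment with data: compute per-rule precision from analyst dispositions of closed alerts and flag the rules that fire often but rarely on real attacker activity. The rule names, disposition labels and alert counts are constructed sample data, and the thresholds are assumptions to be set per team.

```python
"""Added example (not from the article): per-rule alert precision from
analyst dispositions, used to pick which noisy rules to tune first.

Assumed data model (constructed, not from the page): every closed alert is
recorded as "rule,disposition", where disposition is one of
true_positive, false_positive or benign_true_positive (the rule fired
correctly, but on authorized activity).
"""
from collections import defaultdict

# Constructed sample of closed alerts, one "rule,disposition" per line.
SAMPLE_DISPOSITIONS = """\
suspicious_powershell_encoded,true_positive
suspicious_powershell_encoded,false_positive
suspicious_powershell_encoded,true_positive
any_outbound_dns_over_1kb,false_positive
any_outbound_dns_over_1kb,false_positive
any_outbound_dns_over_1kb,false_positive
any_outbound_dns_over_1kb,false_positive
any_outbound_dns_over_1kb,true_positive
failed_logon_burst,benign_true_positive
failed_logon_burst,false_positive
failed_logon_burst,false_positive
failed_logon_burst,false_positive
new_service_installed,true_positive
new_service_installed,benign_true_positive
"""

VALID_DISPOSITIONS = {"true_positive", "false_positive", "benign_true_positive"}


def parse_dispositions(text):
    """Parse 'rule,disposition' lines into (rule, disposition) tuples.

    Blank lines and '#' comments are skipped; an unknown disposition label
    raises so that a typo in the ticketing export does not silently skew
    the precision numbers.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule, _, disposition = line.partition(",")
        rule, disposition = rule.strip(), disposition.strip()
        if disposition not in VALID_DISPOSITIONS:
            raise ValueError(f"unknown disposition {disposition!r} for rule {rule!r}")
        rows.append((rule, disposition))
    return rows


def rule_stats(rows):
    """Return {rule: {total, true_positive, false_positive, benign_true_positive, precision}}.

    Precision is true positives over all alerts the rule produced. Benign
    true positives are not counted as precision hits: the rule worked, but
    each one still cost analyst time, which is what item 13 is about.
    """
    counts = defaultdict(lambda: {
        "total": 0, "true_positive": 0, "false_positive": 0, "benign_true_positive": 0,
    })
    for rule, disposition in rows:
        counts[rule]["total"] += 1
        counts[rule][disposition] += 1
    for c in counts.values():
        c["precision"] = c["true_positive"] / c["total"]
    return dict(counts)


def rules_to_tune(stats, min_precision=0.5, min_alerts=3):
    """Rules with enough volume to judge and precision below the threshold.

    min_alerts keeps a rule that has only fired once or twice from being
    judged on too little evidence; both thresholds are assumed values.
    """
    return sorted(
        rule for rule, c in stats.items()
        if c["total"] >= min_alerts and c["precision"] < min_precision
    )


if __name__ == "__main__":
    stats = rule_stats(parse_dispositions(SAMPLE_DISPOSITIONS))
    for rule, c in sorted(stats.items(), key=lambda kv: kv[1]["precision"]):
        print(f"{rule:32s} alerts={c['total']:3d} precision={c['precision']:.2f}")
    print("tune first:", ", ".join(rules_to_tune(stats)))
```

Run against a real export of closed alerts, the list from `rules_to_tune` is the short list to narrow (add an allow-list, raise a threshold, add a correlating condition) or retire, while rules above the threshold are left alone even if imperfect, which is the "good enough" of item 14 made measurable.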


Josh (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA and also serves as security advisor to ExtraHop. Prior to ...
[email protected],
User Rank: Apprentice
3/14/2018 | 3:21:44 PM
Re: Content stagnation
Thank you Daniel - glad the piece resonated with you.
User Rank: Black Belt
3/14/2018 | 2:58:53 PM
Resolving the impasse might be less fun
I would be glad to help you collect solutions to the impasse, but documenting the problem might be more fun.
User Rank: Black Belt
3/14/2018 | 2:57:11 PM
Solving the impasse
I would be very glad to help you collect solutions to the impasse. True, feeling hopeless and complaining is more fun than solving it.


User Rank: Apprentice
3/12/2018 | 7:27:46 AM
Is This the Beginning of War in Cyber Space?

Indian Cyber Army In Talk With News Line on Cyber Space War

One click of a hacker can easily undo years of hard work of any organisation, without the need to cross the border. Stealing confidential information, intellectual property and financial data is extremely harmful and paralyses the country's economy. The point to ponder upon is: What if the Indian government supports these patriotic cyber security personnel to provide information security awareness to contribute to protecting the national cyber infrastructure without any monetary benefit?

[email protected],
User Rank: Apprentice
3/11/2018 | 6:47:07 AM
Re: Great Article
Thank you Menny.
[email protected],
User Rank: Apprentice
3/11/2018 | 6:46:22 AM
Re: Great article
Best of luck with the situation.
[email protected],
User Rank: Apprentice
3/11/2018 | 6:44:36 AM
Re: Clear and concise
Thank you - very much appreciate your comment.
User Rank: Author
3/9/2018 | 5:14:31 PM
Content stagnation
Great article, many of these 'signs' resonated with me. In particular: Stagnant on content development

In my prior SOC roles I liked to think of creating 'Security Context' type content. This would be content that didn't purport to be an alert, but instead helped support an investigation. (Low severity events)

Great stuff!  Thanks Josh!
User Rank: Author
3/8/2018 | 10:44:42 PM
Clear and concise
What a great summary. The facts are clear and concise and hopefully many will take note and action!
User Rank: Strategist
3/8/2018 | 1:47:19 PM
Great article
Thanks for describing perfectly the situation I am stepping into.