In my last article, I discussed the trade-offs we often make between complexity and capabilities when adopting new security tools and why there is often a point of diminishing returns in terms of the value derived from these tools as we layer on incremental functionality. In this article, I delve a bit deeper into the various types of complexity that security teams encounter, the nuances that distinguish them, and how the resulting complexity often breeds little more than a false sense of security that can be weaponized against us.
The Many Flavors of Complexity
Complexity is a loaded term, so it might be helpful to clarify what we mean within the context of cybersecurity. There are two distinct aspects to consider:
1. Management complexity can be defined as the time and work effort required to properly manage and tune systems. Management complexity includes (but is not limited to) creating and administering policies, configuring and deploying devices, monitoring the health of those devices, and updating configurations and software.
Despite the automation claims made by vendors, every tool that an organization deploys must be, to some degree, actively managed by a skilled practitioner. In an ideal world, every tool will automate repetitive tasks, saving time and effort. Unfortunately, few of us live in that world.
According to one recent study, large global enterprise organizations have an average of 46 monitoring solutions in place. Each additional tool that is integrated into the network stack creates a layer of abstraction, with the aim of making management simpler. But what happens when that abstraction breaks down?
We see a similar dynamic at work with the modern automobile. Today's cars have computers and diagnostics systems. They require dedicated tools just to diagnose a problem, let alone fix it. We've traded simplicity and ease of repair for the appearance of "simple," which conceals a huge amount of complexity underneath the surface.
2. The second and perhaps more daunting dimension of the complexity calculus is analytics complexity, which has created its own system of entanglements. A new generation of analytics tools — including security information and event management (SIEM), user behavior analytics (UBA), and network traffic analysis software — has emerged. To generate insights, these tools consume and normalize data generated by management tools — a process that, in turn, produces more data and requires another layer of abstraction that further compounds this vicious cycle of complexity.
As environments grow noisier with context-free security alerts and a constant flood of log data, it becomes easier for attackers to intentionally create distractions that make it possible for them to conceal their activities inside the network.
The gap in time to breach detection from an initial compromise is just one example of how complexity can be weaponized. And the more time uninvited guests are left undisturbed inside the network, the more time they have to move laterally, establish persistence, find valuable assets, and escalate their access to do real damage.
Threats like distributed denial-of-service (DDoS) attacks are another example of how sophisticated hackers are turning the complexity of our systems against us. Large-scale DDoS attacks that slow down or even halt a company's day-to-day operations have become effective smokescreens. During such an attack, resource-constrained IT teams can become completely engaged in restoring the infrastructure functionality, leaving other areas unattended and vulnerable. Attackers live in these gaps of coverage and gaps in the attentiveness of security operators, making defenses that externalize their complexity exacerbate this problem for defenders.
Complexity is the enemy of security. This idea applies as much to the tools we use to secure a network as it does to the architecture and implementation of the network itself. As we design and deploy defensive infrastructure we need to be attentive to how much complexity it's forcing upon the operators and their ability to consume that complexity and turn it into effective management of threats that may emerge.