Having spent the better part of last year being overwhelmed with new security products and initiatives, I wanted to spend a little time discussing my standpoint on security and to provide others with some insight as to how I have come to this conclusion.
Long story short – Most (nearly all) of my clients have been looking to improve their overall security posture. This is undoubtedly sparked by the surge of media attention surrounding the ever-growing number of data breaches throughout 2012 and 2013. For any consultant, it is a wonderful phenomenon when a client actually wants to embrace security and take it seriously, but it’s not as simple as it sounds.
Where am I going with this?
There is a clear misconception as to what the meaning of defense and protection actually are. Many vendors that you will encounter are in the business of selling tools. Many of them good, and many of them not so good, but at the end of the day they are just that… tools, and a sales pitch is just that… a sales pitch. I find that more and more organizations are buying into the protection ploy that they can bolt a technical solution on top of their existing business model, set it, and forget it.
Well… it doesn’t work like that.
Infosec is often perceived as this highly technical component of the business that is to coexist with the business rather than be a part of the business. Security needs to be an amino acid in the business DNA. The idea that is being bought into (and oversold) is protection. This simply does not exist, and any vendor that tells you they have something that will protect your business should be sent packing.
Let’s take a look at the definitions of protection and defense:
Protection: the action of protecting someone or something, or the state of being protected.
Defense: the action of defending from or resisting attack.
To break it down… protection is the state of being safeguarded from a threat, whereas defense is a strategy for handling a threat. It is extremely important to understand that security is not foolproof. Threats are very real, and it is not a matter of IF, it is a matter of WHEN your organization will be hit, if it hasn’t been already. They come in many different forms, which again… depend on the nature of your business. No one statistic could possibly fit every organization.
If you are thinking to yourself that you have NOT been compromised, then you may want to rethink what security controls you have in place, because they should have captured something by now.
To truly have an effective security posture, you must understand defense in depth. Defense in depth means that you have implemented layers of security throughout the business. Think of the human body. The skin is our first layer of defense. If something penetrates our skin our body reacts with chemical mediators that are sent to the site. If the wound develops an infection, the body fights the infection with a combination of white blood cells and additional chemical mediators, and so forth. You get the point. Your defense in depth approach is readiness at every level to react.
This is my take… Technical solutions are great, but they only aid in less than 20% of threats. This is a fact. Ask any CISO the percentage of attacks that their technical security controls have thwarted and the numbers will shock you. Most organizations fall short because they have not adopted the proper security controls in the weakest parts of the business: the people and the processes. Some aspects are easier to fix than others, but if they are overlooked, these seemingly simple fixes could become your biggest vulnerability. When I say that people are the weak link in the security of the business, I am not just talking about highly successful social engineering and phishing attacks used against your non-technical employees; I am also talking about the highly technical IT team you employ that misconfigures those very expensive security appliances you were sold on. Human error. We all make mistakes. It just comes down to being prepared.
This post was a little bit of a rant (it happens), so I leave you with this…
1. If you are serious about making improvements to your security posture, you need to address every aspect of your organization, and that begins by integrating security into your business model.
2. Do not look at a third-party solution, or even an array of solutions, as your solution. That is what we security professionals like to call “a false sense of security”. You need to have the proper tools for your business, properly configured, that meet your other business requirements as well (legal, regulatory, etc.). Do NOT discount technical solutions, but rather have a thorough understanding of them and thoroughly test them before including them in your defense strategy.
3. Intelligence and analytics are extremely important. This should be part of your defense-in-depth model. Like I mentioned earlier, it is not a matter of IF, it is a matter of WHEN. The best way to detect and respond is to capture the right data, correlate that data, and utilize security data visualization, because it is much quicker to respond to a threat when you can see what a threat looks like rather than sifting through log files. There are great resources out there for this.
4. Understand that security is always evolving as is the threat landscape. “Set it and forget it” may work on a glorified conventional oven infomercial, but when it comes to protecting the integrity of your data, it requires dedication, understanding, and readiness.
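To make point 3 concrete, here is an added example (not from the original post, and not tied to any particular product) of what “capture the right data and correlate it” looks like in code. It joins two constructed log sources, an SSH/VPN authentication log and an egress proxy log, keyed on source address: a burst of failed logins followed by a success from the same address is a finding on its own, and a large outbound transfer from that address shortly afterwards raises the severity. The log formats, hostnames, addresses and thresholds are all assumptions made up for the example; the point is that no single log line looks alarming until the two sources are read together.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines for this example (no real system produced them).
# Source 1: authentication log from a VPN gateway.
AUTH_LOG = """\
2013-11-04T09:00:01 vpn-gw sshd[1001]: Failed password for admin from 203.0.113.7
2013-11-04T09:00:04 vpn-gw sshd[1001]: Failed password for admin from 203.0.113.7
2013-11-04T09:00:07 vpn-gw sshd[1001]: Failed password for admin from 203.0.113.7
2013-11-04T09:00:09 vpn-gw sshd[1001]: Accepted password for admin from 203.0.113.7
2013-11-04T09:05:00 vpn-gw sshd[1002]: Failed password for alice from 198.51.100.3
2013-11-04T09:05:30 vpn-gw sshd[1002]: Accepted password for alice from 198.51.100.3
"""

# Source 2: egress proxy log, one line per outbound session (bytes sent out).
PROXY_LOG = """\
2013-11-04T09:01:10 proxy src=203.0.113.7 dst=fileshare.example.test bytes_out=52428800
2013-11-04T09:06:00 proxy src=198.51.100.3 dst=intranet.example.test bytes_out=4096
"""

AUTH_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)$")
PROXY_RE = re.compile(r"^(\S+) proxy src=(\S+) dst=(\S+) bytes_out=(\d+)$")


def parse_auth(text):
    """Turn raw auth lines into dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, outcome, user, ip = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "outcome": outcome,
                           "user": user, "ip": ip})
    return events


def parse_proxy(text):
    """Turn raw proxy lines into dicts keyed on the same source address."""
    events = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            ts, ip, dst, nbytes = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                           "dst": dst, "bytes_out": int(nbytes)})
    return events


def correlate(auth_events, proxy_events, min_failures=3, fail_window_s=60,
              egress_window_s=600, bulk_bytes=10 * 1024 * 1024):
    """Correlate the two sources per source address.

    A finding is raised when an accepted login is preceded, within
    fail_window_s, by at least min_failures failed logins from the same
    address. If that address then sends bulk_bytes or more through the proxy
    within egress_window_s of the login, the finding is marked high severity.
    Thresholds are illustrative assumptions, not recommendations.
    """
    by_ip = defaultdict(list)
    for e in auth_events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        for i, e in enumerate(events):
            if e["outcome"] != "Accepted":
                continue
            failures = [f for f in events[:i]
                        if f["outcome"] == "Failed"
                        and (e["ts"] - f["ts"]).total_seconds() <= fail_window_s]
            if len(failures) < min_failures:
                continue
            # Second source: large outbound transfer shortly after the login.
            bulk = [p for p in proxy_events
                    if p["ip"] == ip and p["ts"] >= e["ts"]
                    and (p["ts"] - e["ts"]).total_seconds() <= egress_window_s
                    and p["bytes_out"] >= bulk_bytes]
            findings.append({
                "ip": ip,
                "user": e["user"],
                "login_at": e["ts"].isoformat(),
                "failures": len(failures),
                "bulk_transfer": bool(bulk),
                "bytes_out": sum(p["bytes_out"] for p in bulk),
                "severity": "high" if bulk else "medium",
            })
    return findings


def run_example():
    """Correlate the constructed sample logs and return the findings."""
    return correlate(parse_auth(AUTH_LOG), parse_proxy(PROXY_LOG))


if __name__ == "__main__":
    for f in run_example():
        print(f"[{f['severity']}] {f['ip']} user={f['user']} failures={f['failures']} "
              f"bulk_transfer={f['bulk_transfer']} bytes_out={f['bytes_out']}")
```

Run as written, the example flags only 203.0.113.7: three failures in eight seconds, then a success, then about 50 MB leaving through the proxy a minute later. The single failed login from 198.51.100.3 is below the threshold and stays quiet. Neither log on its own makes that distinction; the correlation step does, and the resulting summary is what you would hand to a dashboard or visualization layer rather than the raw lines.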