“A lie told often enough becomes the truth.” This quote is often attributed to Vladimir Lenin. William James said something similar: “There’s nothing so absurd that if you repeat it often enough, people will believe it.”
Over my 30+ years in the IT and security industry, I have seen and experienced great innovations, especially in the realm of the ever-changing “next best thing” that everyone has to have to ensure the security of their mission-critical business systems. If everyone is buying it, it must be worth the money and hype, right? I offer a different perspective to this “next best thing” trend.
A Few Thoughts for Context
- Every product has an underlying data store for its configurations, data, reports, etc., either in the form of flat files or databases. When the Information Technology Infrastructure Library (ITIL) became popular, all of the vendors started referring to these as their configuration management database, or “CMDB.” Nothing really changed other than the descriptive group name.
- Security Information & Event Management, or “SIEM,” became very popular. In the case of PCI, it became a requirement. SIEM solutions promised many great things, even “The Next Best Thing,” that really never came to fruition. Yet SIEM solutions are still going strong and are a “good” tool that everyone should consider for their security portfolio. Achieving value from these solutions is another issue altogether and depends on the user.
- We also have NextGen Firewalls, NextGen AV, and a myriad of endpoint forensics solutions. The hits just keep on coming.
The latest “next best thing” is deep visibility into all of the traffic passing through your respective networks. If you have had the opportunity to attend any of the large security events recently and walk the exhibit floor, almost without exception each and every vendor promotes the need for deep visibility. They all state with conviction that traditional security tools and approaches are failing and that the only real way to understand and help prevent cyber-attacks and data breaches is to implement a deep visibility solution.
I spent many years in the deep visibility space, and it certainly adds tremendous value. But these technologies are expensive, complex and provide mounds of data that can overwhelm your security team if you do not have a SOC that is properly staffed with highly skilled security professionals.
What Drives “The Next Best Thing”?
Organizations fear becoming the next breach headline, and so they should. The financial impact of such an event can be devastating, but buying a new product isn’t necessarily the answer. In fact, traditional security solutions are falling short: we have so many tools and so much information that, of course, we are subject to failure. Every time a new attack happens, we feel compelled to buy the “Next Best Thing.” This further exacerbates the problem by creating yet another silo of technology and information.
Bad Actors Are Always Looking for the Path of Least Resistance
In the 2016 Verizon Data Breach Investigations Report, researchers use the “Points of Focus” section to point to many infosec challenges, including vulnerabilities (i.e. Security 101).
Here are a few notable excerpts from Verizon’s 2016 DBIR:
“Half of all exploitations happen between 10 and 100 days after the vulnerability is published, with the median around 30 days.”
“Basically, we confirmed across multiple datasets that we are treading water—we aren’t sinking in new vulnerabilities, but we’re also not swimming to the land of instantaneous remediation and vuln-free assets. However, all that patching is for naught if we’re not patching the right things. If we’re going to tread, let’s tread wisely.”
“While 2015 was no chump when it came to successfully exploited CVEs, the tally of really old CVEs which still get exploited in 2015 suggests that the oldies are still goodies. Hackers use what works and what works doesn’t seem to change all that often. Secondly, attackers automate certain weaponized vulnerabilities and spray and pray them across the internet, sometimes yielding incredible success. The distribution is very similar to last year, with the top 10 vulnerabilities accounting for 85% of successful exploit traffic. While being aware of and fixing these mega-vulns is a solid first step, don’t forget that the other 15% consists of over 900 CVEs, which are also being actively exploited in the wild.”
We will never completely stop the bad actors, so here I offer a simple approach for your consideration…
Get Back to the Basics of Security 101
Organizations are short-staffed and overworked, and they lack the personnel with the skill sets required to effectively manage their respective tools and large, complex environments. It really boils down to the fact that we do not fully understand our respective security postures, the configurations associated with our tools, or the devices that make up our mission-critical business systems. Worse yet, we are so busy managing the tools and looking for the “next best thing” that we lose sight of plugging the holes – Security 101.
Organizations are more interested in adding yet more and more complexity, more and more solutions that provide an overwhelming amount of information that they cannot possibly consume, all the while driving the cost of their security programs through the roof with little impact on reducing their risk.
I suggest that if security teams would simply get back to the basics of Security 101, many of the issues and challenges we face today would be greatly reduced. Make sure that the doors and windows are locked, the fences are high and in good repair, and that we know and understand exactly what vulnerabilities are putting us at risk and what should be addressed first.
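The “what should be addressed first” question above is where the DBIR excerpts become actionable: vulnerabilities already exploited in the wild come first, old unpatched CVEs are not safe to ignore, and anything published more than about 10 days ago has entered the window in which the report says half of exploitations occur. The script below is an added example (not from the original article or from Verizon) that ranks a constructed set of findings on those basics. The finding records, the VULN-000x identifiers, the asset names and the scoring weights are all assumptions made for illustration; a real program would feed it scanner output and a known-exploited list.

```python
from dataclasses import dataclass
from datetime import date

# DBIR figure quoted in the article: half of exploitations occur
# between 10 and 100 days after publication, median about 30 days.
EXPLOIT_WINDOW_START_DAYS = 10


@dataclass(frozen=True)
class Finding:
    """One vulnerability on one asset (constructed record, not scanner output)."""
    vuln_id: str            # placeholder identifier, not a real CVE
    asset: str
    asset_criticality: int  # 1 = low, 2 = important, 3 = mission-critical
    published: date         # date the vulnerability was publicly disclosed
    exploited_in_wild: bool # present on a known-exploited list
    internet_facing: bool   # reachable from outside the perimeter


def days_since_publication(finding: Finding, today: date) -> int:
    return (today - finding.published).days


def risk_score(finding: Finding, today: date) -> int:
    """Assumed weights: known exploitation dominates, then exposure, then asset
    value, then whether the finding is old enough to be inside the DBIR window."""
    score = 0
    if finding.exploited_in_wild:
        score += 100
    if finding.internet_facing:
        score += 30
    score += 10 * finding.asset_criticality
    if days_since_publication(finding, today) >= EXPLOIT_WINDOW_START_DAYS:
        score += 20
    return score


def prioritize(findings, today: date):
    """Highest score first; ties go to the older disclosure, since the DBIR
    notes that old CVEs keep being exploited."""
    return sorted(findings, key=lambda f: (-risk_score(f, today), f.published))


def remediation_reason(finding: Finding, today: date) -> str:
    """Short, human-readable justification for the ranking."""
    reasons = []
    if finding.exploited_in_wild:
        reasons.append("actively exploited")
    if finding.internet_facing:
        reasons.append("internet-facing")
    age = days_since_publication(finding, today)
    if age >= EXPLOIT_WINDOW_START_DAYS:
        reasons.append(f"published {age} days ago (inside exploitation window)")
    else:
        reasons.append(f"published {age} days ago (window not yet reached)")
    return "; ".join(reasons)


# Constructed sample findings for a review dated 2016-06-01.
TODAY = date(2016, 6, 1)
SAMPLE_FINDINGS = [
    Finding("VULN-0001", "web-01", 3, date(2014, 3, 1), True, True),
    Finding("VULN-0002", "db-01", 3, date(2016, 5, 25), False, False),
    Finding("VULN-0003", "vpn-01", 2, date(2016, 4, 1), True, True),
    Finding("VULN-0004", "hr-laptop", 1, date(2012, 1, 15), False, False),
    Finding("VULN-0005", "web-02", 2, date(2016, 5, 1), False, True),
]


def ranked_ids(findings=SAMPLE_FINDINGS, today=TODAY):
    return [f.vuln_id for f in prioritize(findings, today)]


if __name__ == "__main__":
    for rank, f in enumerate(prioritize(SAMPLE_FINDINGS, TODAY), start=1):
        print(f"{rank}. {f.vuln_id} on {f.asset} "
              f"(score {risk_score(f, TODAY)}): {remediation_reason(f, TODAY)}")
```

On the sample data the two known-exploited findings on internet-facing hosts come out on top regardless of age, the 31-day-old exposed finding follows, and the two low-scoring internal findings are ordered oldest first. The point of the exercise is not the particular weights but that the ranking is driven by what is actually being exploited rather than by which tool raised the alert.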
Getting back to and focusing on the basics will help organizations reduce risk, reduce the perceived need for the “next best thing,” and reduce the total cost of ownership of our respective security programs. Don’t get sucked into the “next best thing” trend. Get back to basics first, and then evaluate what “next best thing” makes sense.
To quote Dennis Miller, “That’s just my opinion, I could be wrong.”