Every year around this time I write predictions about what I think we’ll see in security during the coming year. I’m usually overly optimistic, probably because being overly realistic about the speed of progress in the security industry quickly becomes depressing.
This year I’ve decided to take a look back instead, picking five things that I’d love to see much less of in the coming year. After all, as the stats and headlines clearly show, business as usual isn’t working. Global spending on IT security is expected to be more than $75 billion this year, but the latest count from the Identity Theft Resource Center (ITRC) still reports over 700 data breaches and more than 176 million records exposed.
This list is probably as much of a pipe dream as my predictions are, but if we can start moving away from even a few of these counterproductive approaches, that will be a healthy step in the right direction.
Without further ado, here are five stubbornly persistent habits we should all resolve to stop if we want to improve cybersecurity in 2016.
As the number and impact of breaches goes up, everybody is trying to figure out how to measure what the right amount of security is. Because we cannot agree on what people should do, vendors, writers, and analysts have started to insist that there is some baseline amount that people should spend on security, either as a percentage of their revenue or as a fraction of their IT budget. Worse, human nature leads us to believe that more is better, and so improving security comes to mean buying more security. As with most simplistic proxies for complex decisions, this just isn't true.
Productive security investment should be as tailored as a good suit. It requires considering such questions as:
Most of these questions never get asked. As a result, large portions of expanding security budgets end up delivering less security and more disappointment.
Security products are the treadmills of IT. People buy the treadmill and, for a brief and shining moment, see themselves becoming more fit and more active. Before long, the treadmill is a dusty clothes rack and a sad reminder of failed aspirations. Misconfigured security products, ignored logs, and incomplete SIEM implementations are all evidence that security is the prime source of IT shelfware.
What I'd like to see instead: companies figuring out the right protection strategy first, then re-evaluating their investments to get the protection they need and can actually operate, without the artificial pressure to spend more in order to look like they are doing more. Don't be surprised if you end up spending less.
Everybody knows that user mistakes are usually the first step in the chain of events that results in a major breach. A social engineering attack co-opts a helpdesk agent, a spear-phishing or watering-hole attack deposits malware on an unsuspecting user's machine, a weak or shared password gives up the gold.
When these things happen, organizations push their users under the bus, reminding us that security is only as strong as its weakest link, and in that chain the user is always identified as the most fragile element. When the analysis stops there, hand-waving away the real weaknesses (manual processes, vulnerable endpoints, poor password strength-checking), users take the hit for vulnerabilities everyone knew they would trip over.
Shoddy workmanship, poor instructions, and fraud have bedeviled consumers and organizations for centuries, but ours is the first industry to make the victims' lack of sophistication an acceptable excuse for critical failings in the engineering and implementation of our solutions.
What I'd like to see instead: the "user weak link" excuse losing its get-out-of-jail-free status and becoming a driver of new investment to make that weak link stronger.
The value of a security program is shown best when there is a demonstrable link between security investments and the absence of breaches. Actual protection means that real attacks have been stopped, but most security technologies (and security teams) are very uncomfortable offering this up as their value proposition. Instead, security has lately been redefined to mean things like monitoring, detection, and remediation. This is "security success theater," and the cast includes the vendors, the security team, and the organization's management.
In this performance, security status is reported as more threats identified, more machines and networks instrumented, and new technologies adopted. That's odd, since what stakeholders actually want to know is how many attacks were identified and stopped, and how many systems were made secure.
Take a look at the government’s Cybersecurity Sprint status, a program kicked off after the OPM breach: The headline was the increased number of machines on which two-factor authentication had been enabled (“across government we’ve hit 20%”!) — although a direct relationship between the breach and single-factor authentication has never been described. More meaningful data, like number of systems assessed or number of vulnerable systems found and fixed, was not made available.
When reports present positive progress against the wrong goals, they provide a very dangerous sense of false confidence and reduce the pressure to revisit and improve strategy and practices. They also obscure the remaining risk from management teams, who are making judgments based on the data that is served up to them.
What I'd like to see instead: organizations brave enough to recognize success only when there is a material reduction in critical weaknesses and a decrease in successful attacks. This shift will be hard, and progress may not come quickly, but it is far better than the continuing march of investment toward a dangerous mirage of better security.
As a security guy who has been a vendor, advisor, and buyer over the years, I have watched the language of security become a mush of overused and overloaded terms. Some terms just don't make any sense (is anyone out there trying to "protect" their "intrusions" or "prevent" "threats"?). Others have been folded like origami to make them apply almost anywhere (behavioral analysis, endpoint/system protection, application security, oh my).
Part of the problem is that, with the proliferation of security technologies, talking about “protection” can now mean talking about pretty much anything including traffic monitoring, incident response, and threat notification. Don’t get me wrong — monitoring and response are vital, but lumping them together under the term “protection” is like saying hospitals are a form of protection against breaking your leg or catching the flu.
Large enterprises with dedicated security organizations can and do make sense of all of this, using their expertise to sort through the gobbledygook and find the right words to communicate internally what they need. For the rest of the market, the thousands and thousands of companies who may have just one person working on security, there is no time to become a subject matter expert, and there is little hope that they will actually know what they are buying, or buy what they actually need.
What I'd like to see instead: a return to simpler, if more courageous, language. Security teams can say, "We are investing in A, to protect B, reducing our risk of C because it will do D." Vendors can say, "Our product or service does X, protecting our customers against Y, which is visible by looking at Z." People may laugh at the concept of "security through obscurity," but "security value proposition through obscurity" is alive and well.
Breaches happen. They just do. People make mistakes and systems get compromised. Breaches will continue to happen for the foreseeable future, and reasonable security people know it, as is evidenced by the dominant security cliché of the past 25 years: "No system is 100% secure."
Even so, data breach commentaries usually start with an assignment of blame, before the details are known about the attack or the protections it evaded. We all live in glass houses, yet few of us can resist throwing stones.
In cases of negligence, where an organization knew it wasn't making enough effort to reach some baseline of protection, or where it wasn't adhering to standards it had agreed to, this is understandable. But when the organization may simply be underskilled or understaffed, it would be much more constructive to discuss the facts of the attack and turn our attention to surfacing and applying lessons learned. As our Chief Scientist Ryan Berg puts it, failure can be an effective teacher, but even more so if we know there is a supportive community rather than a walk of shame waiting for us on the other side.
What I'd like to see instead: security becoming more of an empowering function than an investigation or auditing function. Our primary job should be to understand how to make the system better, without first castigating the organization for not knowing as much as we do. Every organization has different pressures and priorities, and we can only expect to improve our impact by making the interaction more constructive.
Sadly, the security industry has been trapped by these approaches and attitudes for far too long. As we head into 2016, let’s agree to step back and reconsider so we can chart a better and more effective path forward.
Jack is a 25-year veteran of the security industry. Prior to co-founding Barkly he was the founder and CEO of two successful security companies: Qiave Technologies, acquired by WatchGuard Technologies in 2000, and Ounce Labs, acquired by IBM in 2009.