David Hood, CEO, ANSecurity, discusses why organisations should not consider any security product a ‘silver bullet’ against cyberthreats – and the three P’s that matter most in cybersecurity.
As the volume and complexity of cyberattacks have increased, InfoSec professionals have responded by trying to gain more insight into the infrastructure and software stack under assault. Much of this information is gleaned from logs, supplemented by software agents and wire data. However, many are now dealing with the resulting problem of information overload and are turning to analytics platforms to spot the proverbial needle in a haystack, while discarding a mountain of false positives.
To differentiate themselves, vendors that originally traded on Security Information and Event Management (SIEM) platforms have often rebranded their products as security analytics and threat intelligence to further highlight the supposedly awesome power of their respective tools.
As a result, sales of these products, irrespective of definition, have skyrocketed, and vendors are now in an arms race to try to differentiate their offerings, with terms like Artificial Intelligence and Machine Learning bandied about at will.
The problems inherent in delivering secure environments are real, and the aims of these tools are largely noble, but organisations sometimes overestimate the ability of software to paper over the more significant cracks that ultimately lead to damaging security breaches.
At the very heart of any security effort are three P's, namely people, process and platforms, with the last P really a fudge to describe software and systems. People are the most critical and, based on large-scale studies such as the Verizon Data Breach Investigations Report (DBIR), are often the weakest link when it comes to security. The failures range from silly things like sharing sensitive passwords among IT teams to end users circumventing IT policy and controls to download and install 'a cool app' that turns out to be a trojan or something far worse.
SIEM and adjacent tools such as next-generation firewalls, IDS, IPS and others can often detect and stop badly trained staff doing silly things, but they are no real substitute for regular InfoSec awareness programmes and training. Staff change, as do the threats, so security software can never beat a good understanding of what good practice is. Insider threat is also a major issue and incredibly difficult to protect against, especially if the insider is within the IT department or at senior executive level. This makes the next P, process, particularly important.
Process, meaning how the organisation does things, feeds neatly into security policies to provide a set of rules as to what staff can and cannot do when it comes to security. Building and enforcing a viable security policy can be enhanced by collecting and analysing data, and many tools can help enforce policies, but creating policies that help, not hinder, the business is still a job that requires an understanding of the organisation and how things are currently done, plus a grounding in industry regulations, best practice and common sense.
Processes often change, which means a security policy tends to be a living entity that adapts in line with the organisation. These changes are in turn dependent on the last P, platforms, or at least the software, hardware and infrastructure that are critical to the organisation's success.
Even in an environment with well-trained staff, sensible security policies and well-managed processes, a platform issue can lead to a security incident. Take for example Heartbleed and WannaCry, two notorious cases: the first a vulnerability in a commonly used SSL library, and the second an attack exploiting a weakness in older versions of Microsoft Windows. Both weaknesses were exploited rapidly after they were discovered, with damaging effect.
Vulnerabilities in software will always appear, and reacting quickly enough to either fix or at least mitigate an attack is like a game of whack-a-mole. SIEM and security analytics (SA) tools can help, but only if organisations have enough resources to understand the threat and respond with the right measures in a timely manner.
In response, more organisations than ever are turning to managed security services providers (MSSPs) to fill the resource gap and also to provide key skills to supplement internal teams. Whether that is in an advisory role, training, regular security audits, solution implementation or more aggressive penetration testing, MSSPs are flourishing.
However, simply abdicating responsibility for security entirely to an MSSP is not always a wise decision. This might seem an odd position for the founder and CEO of a specialist in network and data security to take, but the plain truth is that midsized organisations should always retain a modicum of internal InfoSec experience to make sure that the MSSP is doing what it claims and is not just a bunch of charlatans. This is an area where SIEM / SA can really help, by reducing the burden of mundane monitoring and allowing senior IT staff to focus on more strategic decisions, along with a proactive programme to improve security posture, train staff, and assess and update policies in line with the needs of the business.
The truth is that creating and maintaining a secure IT environment is never going to be a case of deploying a piece of shiny security software and assuming the job is done. The hackers that in a bygone era might have been considered mischievous nerds are now industrial-scale criminal businesses actively looking for ways to breach and monetise, whether through ransomware, industrial espionage, data theft and resale, or a host of other options.
In summary, remember the three P's: don't place all your faith in the next generation of ML/AI turbocharged security software, and look at how managed services can help, but not necessarily replace, internal expertise. With the results of failure so visible in the age of social media, security should always be more than just the SIEM.