Silicon Shecky

Infosec Practitioner


Ducks in a Row

October 3, 2018 By Michael Kavka

It is getting to be budget time for many companies out there, and what better time to look at what we need to do our jobs. We all have our wish list, our dream list and eventually whittle that down to a practical list. Between all of that, there are the renewals to budget for plus figuring out any other spending to do. It is also a time to really take a look at our security maturity level and use that to actually work on the budget, or at least make recommendations to our bosses.

I honestly believe most blue teamers have one of two outlooks on their security maturity. First is the doom and gloom, always figuring they are not mature, always lamenting that they never will be mature. Now, this is not a completely bad outlook to take. Figuring you are less mature than your company is allows you to focus on what you have and use it to its maximum potential. Unfortunately, most of the gloom comes from the fact that you are understaffed and overstretched. Meanwhile, the higher-ups have bought into the latest marketing of the newest products. Oh boy, here comes more stretching on Stretch Armstrong. The thing is, even Stretch Armstrong will eventually either break or snap back, neither of which is good. Burnout is burnout no matter how you look at it, and a human can only do so much at once. If this is your situation, you need a champion in your corner, be that data or some other higher-up who understands that by stretching so much, all that is happening is more holes are being put into place. What is the point of being cutting edge if you don’t know how to use it, or ignore most of it anyway? Really, that doom and gloom all stems from the second outlook, which tends to permeate the higher-ups more often than the rank and file.

We are more mature than we really are. We all see that, people thinking they are ready for the next step in security. We have all the latest and greatest, so we have to be mature. What does it matter that our people have not had time off? We can just get another piece of automation software to replace them, or we can outsource. This comes with the other huge security hole to it. Even security software and products need updating and upgrading. Who is going to take that time? Who is going to have the time to train the software properly, and keep it tuned?

The reality of it all is that once you have figured out what you have to spend on current technology that you have in the company (licensing, upgrades, etc.) and new personnel, the first thing that should be budgeted for is training. In fact, training should all be paid for in the first quarter, while the full budget is there, because as the year goes on that money will be the first thing chopped. You can go to the training in the third or fourth quarter, but pay for it as soon as the new budget takes effect, or as close to that as possible. That training should include training on the technology you have and/or the methods of doing what the technology you have does. From there, there should be training on something each person is interested in overall. That allows for growth of the staff in the areas they enjoy. Finally, there should be at least one security conference such as a BSides, Derbycon, Circle City Con or other lower cost options. This allows for networking and exchanging of ideas. Some of the best ideas I have had come from talking to people in the community, and some solutions to problems (scripts, stuck on how to do something with product X, etc.) have been found this way. Google is fine, but being able to know someone who has worked with X is better.

Once training is done, then you can look at what is available to potentially get. This should not be done without taking a look at what you already have and whether you are using that to its maximum benefit. Taking that hard look must include the results of any pen test/red team events that you have had done during the year. What were they able to do, and could that have been stopped or alerted on by the current technology you have? If it could have been taken care of without new technology, then why wasn’t it, and how can you get that tech to that point? Why waste money on a new technology that will do the same as some of what you already have? This also goes into the security idea that complexity breeds more holes. It doesn’t matter that it is security technology; the more complex something is, the more likely some hole is going to be missed.

Good luck to everyone on their new budgets. May you all get what you want and have to want for what is actually needed.

Filed Under: Security Tagged With: Budget, InfoSec, Training

Quiet week

September 28, 2018 By Michael Kavka

No real topic this week, just some random musings.

Is anyone else out there tired of companies using Information Security/Cyber Security as a leader to get your information for sales calls? Especially white lists or videos from talks. You want to promote yourselves and your companies, fine, but if you want to be taken seriously in our field, then share information. If that information is worthwhile, people will respect your company more and be more likely to contact you about your products.

Is it just me or is it weird that people in our industry will call someone toxic, but then still talk with them through social media? If they are that toxic and you have serious moral issues with them, then cut them off, it is your right. Remember, don’t encourage through side behavior.

Finally, why do so many try to jump into the deep end without learning to swim first? I am no saint, mind you. Knowledge-wise I am still on a massive learning curve, and ask stupid questions all the time.

Next week, there may or may not be a blog post. I’ll be at Derbycon, so feel free to come up and say hi if you see me there.

Filed Under: General

A role for every tool

September 20, 2018 By Michael Kavka

Recently, I heard some discussion about how our field comes up with new tools to help augment the workforce. They attempt to make life easier for us by automating menial tasks, or bringing things under one easy shell (pun intended). I also have come to understand that part of the reason for this is that more and more information security professionals are not coming from a solid IT background. What I mean is that they do not understand the basics, how networking works, how firewalls work, etc… Now to be fair there are plenty of people in our field that did not work in that IT field who are fantastic, and know the basics, but they took the time to learn them at least.

The problem I (and hopefully many of you) are seeing is the plethora of solutions out there. Multiple solutions for everything. More specialized solutions for different areas. The higher-ups expect us to each be more and more proficient in multiple tools, multiple disciplines. Each of these tools is supposed to not only make a difference, but make our lives easier. EDR solutions, Web Proxies, WAF, SIEM, and many more tools out there. The thing is that there is one aspect each is not doing: making our lives easier.

I am not going to say that each tool does not have its merits, because they do. Thing is that each tool requires a lot of time and effort to get it tuned, and many of them are never completely tuned and require frequent, if not constant, hand holding to keep them up to date. Imagine that your vehicle required you to change filters, change fluids, and do other maintenance on a daily basis. One day it is one thing, the next day it is something else. How would we ever stop spending money on it all, let alone be able to get anywhere on time? Now think of how much time defenders spend looking at SIEM or EDR, maybe having to maintain the Content Filter due to new sites that need to be accessed. How much time does that take? Now add on that you have a small team, and how much time are you taking away from noticing something is actually wrong?

A lot of what tools do can be done manually, for sure, but the idea of having a tool to do it is to cut down on the effort. So we spend thousands of dollars on a tool, only to realize we either need to hire a new person to own that tool, or hire a third party to take care of the tool for us. Now how attentive will that third party be, when they are doing the same thing for multiple companies? How easily can something fall through the cracks? How many more cracks are being added?

Some of the solution comes from taking care of the basics, some from staffing, and some from understanding one's environment and where to focus the resources one has. It is not the sexy stuff of our field, but without it, we risk losing everything. Security is not achieved by throwing so many things at it that we are overwhelmed. It is achieved by doing the basics well and then augmenting for the vertical we are dealing with to cover the largest risk factors. We have to realize there is no perfect security, no perfect solution. Our striving for perfection is getting out of hand. We need to come to terms with accepting what is best and better before we all burn out, because the speed of change will do that to us. Just when you think you have all the answers, someone changes the questions.

Filed Under: Rants, Security Tagged With: Burnout, InfoSec, Tools
