Silicon Shecky

Infosec Practitioner


Are you sure it is the execs?

May 11, 2021 By Michael Kavka

Security is all the rage today. Supply chain attacks, ransomware, data exfiltration: it is all in the news pretty consistently. We as security practitioners have a tough job. We know there is no such thing as being 100% secure, so we make our best effort at securing and detecting. We also realize that detection and reducing dwell time is huge, so we ask for more people, more tools, more money, and it seems that execs are listening. Reports show that security is high on execs' minds. So if you are a small to medium business, why can't you detect better? We all know that there is a bottleneck somewhere, and I am becoming more and more convinced it is not at the higher levels. It is more a division of duties and departmental struggle.

If your company is designed well from a security and IT perspective, accounts have only as much privilege as they need. A person in security should not have Domain Admin rights, as an example. A person in the security department also should not be in charge of configuring endpoints, but should be working with the other IT departments to deploy such technology. So if you want to configure and deploy, say, Sysmon, the security people should get everything set for deployment and then pass it to the proper department to deploy. Here is where a bottleneck can come in that we do not think of initially.

Using Sysmon and collection of the data from it as an example, since Sysmon is a quality, free and popular product, how are other IT departments possibly the bottleneck in deployment? We, as security engineers, should be able to pass a set of install packages and configurations to the IT team for them to deploy. They just need to deploy it, but wait. How swamped and understaffed is that IT department? Have they bought into the need to deploy this? Do they have time to test on their standard configurations? Then you need to think about what SIEM the data is going into. Who owns that product? Does it actually fall under Security's budget, or is it under IT's, and where under IT's? Is there going to be an increase in cost because of more data coming through (one spot where SIEMs fail us is the pricing of ingestion)? Will this kill their budget? Is there going to be a fight over this that will leave IT less likely to work with us in the future? Who is going to support this new addition to the systems? Do they need training? What is the cost of training and how long will that last? Will it cut into time for their day to day job requirements? Is there a different, more business critical project going on that will cause this to be put on the back burner?
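One way to make the security-to-IT handoff concrete is to ship a verification script alongside the Sysmon package and config, so IT can confirm each host ended up in the state security tested and the SIEM owner can see whether events are actually flowing. This is an added example, not code from the original post; it assumes the default service names (Sysmon64 or Sysmon, plus the SysmonDrv driver) and takes the SHA256 of the handed-over config XML as a placeholder parameter.

```powershell
# Added example (not from the original post): post-deployment check for a Sysmon rollout.
# Assumptions: default service names Sysmon64/Sysmon and driver SysmonDrv;
# $ExpectedConfigHash is the SHA256 (as printed by Get-FileHash) of the config XML
# that security handed to IT. The default below is a placeholder, not a real hash.
param(
    [string]$ExpectedConfigHash = 'REPLACE_WITH_SHA256_OF_HANDED_OVER_CONFIG'
)

$result = [ordered]@{
    Host            = $env:COMPUTERNAME
    ServiceState    = 'missing'
    DriverState     = 'missing'
    EventsLastHour  = 0
    ConfigHashMatch = $false
}

# 1. Is the user-mode Sysmon service present and running?
$svc = Get-Service -Name 'Sysmon64', 'Sysmon' -ErrorAction SilentlyContinue | Select-Object -First 1
if ($svc) { $result.ServiceState = $svc.Status.ToString() }

# 2. Is the kernel driver loaded? Without it no telemetry is produced at all.
$drv = Get-Service -Name 'SysmonDrv' -ErrorAction SilentlyContinue
if ($drv) { $result.DriverState = $drv.Status.ToString() }

# 3. Are events reaching the log that the SIEM forwarder reads from?
$log   = 'Microsoft-Windows-Sysmon/Operational'
$since = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue
$result.EventsLastHour = @($events).Count

# 4. Is the active config the one that was tested? Sysmon writes Event ID 16
#    on every config change, and its message includes the config file hash.
$cfgEvt = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 16 } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($cfgEvt) {
    # -match is case-insensitive, so hex case differences do not matter here.
    $result.ConfigHashMatch = [bool]($cfgEvt.Message -match [regex]::Escape($ExpectedConfigHash))
}

# Emit one object per host so results can be collected centrally (e.g. via Invoke-Command).
[pscustomobject]$result
```

A host with ServiceState and DriverState of Running, a non-zero EventsLastHour and ConfigHashMatch of True is deployed as tested; anything else gives IT and security a shared, specific thing to fix rather than a vague "it isn't working".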

It is easy to point fingers and lay blame, but are security departments doing their due diligence on the whole situation, or are we creating yet another problem? Yes, it gets frustrating for us when we know something we see as a simple, no-brainer can't be implemented. Yes, it does blind us when the tools that we got buy-in from the execs on are stuck in limbo and not as effective as they could be. Are we, though, bringing the other teams to the table, just like we want to be brought to the table when they are bringing in, developing or deploying new technology, or is it "do as I say, not as I do"?

Security is something we need buy-in on from all parts of our organizations, not just the executives. Are we sure that the bottleneck is not IT, or even us and how we treat others?

Filed Under: Ramblings, Security Tagged With: Cybersecurity, InfoSec, ramblings

Over Complicated?

June 28, 2018 By Michael Kavka

“Any sufficiently advanced technology is indistinguishable from magic.” – Arthur C. Clarke

“Any sufficiently advanced magic is indistinguishable from technology.” – 7th Doctor (Sylvester McCoy) in Battlefield

So which do we have? Talk to people, and computers are magic, or technology, or both. Those of us that understand computers are wizards, magicians, technological experts. To put it in terms that someone on Facebook might understand, "It's Complicated," and it gets more complicated every day.

I am not going to get into the usability question the way that Wendy Nather did. She does it so much better than I could. Instead, let's look a bit more at how the complication has come about and why it keeps increasing.

We have a ton of "solutions" for security. As we get more granular and more "advanced," each solution is more and more targeted and creates sub-verticals inside the world of making things more secure. This is the wallpaper that Wendy talks about. Each layer actually makes things less secure overall. Now, I am not saying we do not need controls and software in place. I wish I could find this clip on YouTube, but in Doctor Who back in the Tom Baker era, he opened a really electronically complex door with a bobby pin. When asked why he did not use his sonic screwdriver he explained, "The more complex a thing becomes, the more susceptible it is to the overlooked simple way around it." We are headed in this direction. Think about the extra code: the more of it there is, the more ways there are to look at the problem. Just look at the living off the land techniques that teams are using now to avoid detection. This doesn't, though, explain how all this complication came about, just where it is all heading. So how did we get to this point?

The way I see it, there are two base reasons for the increase in the complexity. The first and foremost one, I think, is ego. Ego drives us, and it is not inherently a bad thing; actually, it can be a very good thing. It also can easily get in the way. Ego drives us, at least partially, to find bugs and to find new solutions, because we want that recognition, even if it is only on a subconscious level. It also drives us to start up derivative companies in an area of cybersecurity. Why? Because company A won't listen to our solution, so we strike out on our own. This can lead to the second reason: money.

Plenty of solutions start out without money in mind: a small project of love. Then we realize we might be able to recoup costs or even make a living off our labor of love, but to do that we need to bring in others that want to be a part of such a labor of love. Wait, to be able to pay them, we need money, so we either take out loans or get investors. The investors, though, want to see a profit, so we start making things more complex or entering into side projects that might be related to the original, because we have a name people trust. This creates the other problem that money creates: lack of collaboration.

The lack of collaboration is easy to see in the anti-virus industry, but it exists across all the verticals. It comes from each company having its own secret sauce in its solution. That secret sauce is what makes each solution different, but it also can leave blind spots in said solution. If all these vendors really had security first and foremost in mind, they would be working together in the development of the solutions. Yes, this would make the solutions similar across the vertical, but considering each vendor has areas of strength that the others don't, it creates a solution that is going to be more secure overall, and that actually should not have the integration problems that we currently run into. How many times have you used multiple vendors' products and found an incompatibility between them? I see it quite often. That incompatibility is now a security hole. There is an area that gets opened up. This creates a spot for a third vendor to come in with a solution. More cost, more complexity, more advanced technology, more wizardry.

So how do we fight back on this? Honestly, the only thing I can think of is opening collaboration between each other and between companies. Work together to bring the simplest, most comprehensive solutions forward. This happens occasionally when alliances, partnerships or buyouts happen. At least they try to happen, until the ego gets in the way again. Still, collaboration is going to be the key going forward. Many of us talk about the great community we have. We need to work together to simplify the complexity, to remove the wizards and magic, because if we can stop being looked at in that fashion, those outside of our field will have an easier time helping keep things secure. It gives a way out of the conundrum that Wendy mentions. It is not an easy road, but then again, nothing worth doing is easy. We are the problem solvers, so let us solve this problem.

Filed Under: Hardware, Rants, Security, Software Tagged With: Complexity, Cybersecurity, InfoSec, Wendy Nather
