Vendor-based security will be the death of us all. One of the most common errors in information security today are security models that are centered on tools rather than the people who use them. This is fed by vendors and security experts who, whether by accident or design, misdefine threats such as nation-state cyber espionage as a malware threat that can be solved buy purchasing expensive enterprise information security tools. The APT issue has accelerated this phenomenon because of the large number of vendors selling legions of products designed to “detect APTs” lurking in your network. The erroneous and self-serving premise behind these claims is that the APT is malware rather than a “who” such as a nation-state’s intelligence service. We see this same premise advanced in the aftermath of the all too common high profile data breach. Shortly after some poor company has its security failings plastered all over the news, we get waves of self-appointed security experts (many of whom are affiliated with vendors selling APT killing wonder tools) authoritatively telling us what the company did wrong and how to protect yourself from being the next victim. These experts go on to state the obvious which is that organizations should have robust security programs made up of elements such as proper controls, robust detection technology, user awareness programs, and the like. This is all fine. Yes, of course, you need to have proper controls, tools, processes, and educational efforts in place to protect your organization. What I find almost universally lacking from these vendor sales pitches and post-breach expert assessments is an understanding that these are all secondary to having the right people on your team.
You will live and die by the people you hire and the leadership that you give them. The most critical element of your security program is having the right people on your team and providing them with the leadership and resources that they need. You absolutely need proper tools to secure your enterprise, but the tools are secondary to the people who use them. The purpose of the tools is to help your people do their jobs. Too many organizations treat their people as glorified tool drivers rather than security professionals. If you are spending more money each year on your tools than you are on your people, you’re probably in a very bad place with your security posture.
Information security is very hard. It takes tremendous time, effort, and expense to even come close to mastery of critical information security skills such as incident response, malware analysis, and digital forensics. There is no tool that can ever substitute for a highly skilled and well led information security professional.
Too many organizations have bought into the model that security is ultimately about building an impenetrable fortress made up of various security tools and controls. This control-based vision of security looks something like this:
Organizations orient their security thinking towards answering questions like how tall their walls should be, how thick they should be, the design of their draw bridge, how deep the moat should be, and whether to fill the moat with alligators, lawyers, or sea monsters. Vendors feed this model by happily selling organizations all of the highly expensive alligators and draw bridges they can afford and telling them that achieving the right sea monster density in their moats will keep them secure.
Controls are critical. You aren’t going to have a secure organization if you can’t get your basic information technology controls right. However, control-based security is a failed model in an area where advanced actors like nation-states and organized crime have shown that if they are determined to breach your network, they will do so regardless of the controls you have in place. It’s no longer a world where we can realistically tell our business leaders that we can keep their critical information safe solely through a control-based model.
So what is the solution?
This is:
Meet Jet the Border Collie. You will find no creature on Earth more in the moment than a Border Collie like Jet chasing sheep. This is what they live to do. They are fantastic at it and they enjoy it immensely. Incident response people are the modern day information security Border Collies. We live in a time where we have an information security community made up of incident responders who absolutely live to get up in the morning and chase people out of our networks.
Couple that fact with the modern day threat environment where controls slow advanced actors rather than stop them and your vision of security should be this:
You are going to get breached. Your best defense against this is having a team of Border Collies who live to detect and respond to those who make it into your network. Remember this picture* the next time some vendor tries to sell you some breathtakingly expensive tool that they promise will solve your security problems. Simply put Border Collies plus good controls are the key to securing the modern enterprise.
The rub is that Border Collies are prone to destructive behavior when they get bored. “No sheep, no Collie” is a saying used by some Border Collie breeders because a breeder that cares about their dogs won’t put them in a situation where they will be unhappy. A bored Border Collie can develop neurotic behavior and engage in destructive things like eating the furniture and digging holes. Anyone who has tried to manage a bored incident responder will understand the parallels between the two. A poorly led incident responder will result in plenty of ruined carpets and partially eaten office furniture. They will make you wonder if Old Yeller actually had a happy ending after all. Chances are excellent that this behavior is due to poor leadership and an unchallenged incident responder. This is why it is absolutely critical that you not only have a team of highly skilled Border Collies, but that you keep them happy and directed by giving them top notch leadership. If you love your Border Collies enough to give them a great job with great leadership, they will love you back and will provide you with more value than any wonder tool the vendors want to sell you.
Photo Credits
Thanks to Nancy Thornton for her wonderful Border Collie pictures and permission to use them. Thanks to Getty Images for the Photographer’s Choice RF collection picture of the Bodium castle by Brian Lawrence.
*I wish I could find some sort of picture that I could legally use that shows Border Collies chasing sheep out of a castle or something similar. That would be the ultimate visual representation that acknowledges the role of controls, but also places the emphasis on the incident response people in the organization chasing the bad guys. If anyone has something like that, please let me know.
Beautifully said Eric... and absolutely correct.
ReplyDeleteExcellent post, Eric.
ReplyDeleteKP
Well said. I love the border collie analogy. Echoes something that Lt. David Grossman has written about military psychology. He compared the human predators & adversaries to wolves, the regular folk to sheep, and the protectors to the herding dogs. To protect, you need a little of the wolf but you do not prey upon the flock.
ReplyDeleteThansk for the post.
Eric,
ReplyDeleteGreat post, I completely agree with the sentiment. You've identified the issue...the current state of the corporate security culture...as well as where it needs to be, but not any way to get there. That's the big question...how does one change corporate culture in such a way as to move in this direction?
We've seen the cycle over and over again...something bad happens to cause pain, vendors swoop in and sell a bunch of stuff that doesn't get employed properly (or, at all) or with the right people, everyone laments or ignores the purchase, etc.
Also, consider this...you're not talking about a one-time purchase that can be written off. What you're referring to here is a continual, and possibly increasing cost. Continuing with your metaphor, if you don't know how much land you have or how many sheep you have, how do you know how many collies you need? Once you start to gain visibility, you begin to determine that you need more controls...because the problem is much larger than you originally scoped, and costs go up.
Again, I agree with the sentiment of your post. In many ways, what you've said in the post is a much-needed revisiting of important concepts...in part, because they haven't been followed. Many organizations are still building castles and looking for a bigger, deeper moat, because that's the culture. Even if a minimal team is developed organically, how do they grow to meet the need? The small teams can quickly become overwhelmed because their collies are focused on the immediate issues, and there's no one to do long-term planning...and we begin the cycle of purchased assets going unused or not use properly, because the collies are busy, etc. And often the collies find the sheep, only to realize that the herd is much bigger than they're capable of handling, particularly when the collies don't have the right or sufficient training.
I would suggest that the solution to this is for organizations wanting to move away from the castle-and-moat style defenses to develop a relationship with a trusted adviser, particularly if they're interested in moving to a more proactive approach to security...someone who can assist with both short- and long-term planning, recommending solutions, scoping the overall issue, etc.
Again, appreciate the post...
Eric,
ReplyDeleteWell done. People, process, tools. Excellent way of presenting it.
Jon
Amen, well put!
ReplyDelete~from one of those border collies out there! :)