Prevention Products versus Processes & People

Do today’s threats succeed because we don’t have the right technology, or because we are really bad at fundamentals? There are four basic things that a security operation center must do: detect, review (scope), respond and track. Of these, the majority of new products focus on detection with automated response. The result is that organizations lack the skills to review, scope and track security events. They lack these skills because their investments aim at prevention over security fundamentals. Fundamentals may not be as sexy as the latest prevention device, but where is the best investment?

The security marketing blitz sells through fear, uncertainty and doubt. We, as consumers, lose focus on basic truths. There is a media push that would like us to believe that what we have is old and therefore incapable of handling new threats. Yet systems that are patched are less likely to get compromised. Systems that run antivirus are less likely to be infected. Networks with gateways and firewalls are more secure. Reviewing and responding to alerts is required to fill the gaps.

Today’s CISO/CIO issues are scalability and resources. Trying to solve these issues has driven companies to integrate and implement prevention-oriented devices. This means that instead of reviewing alerts, they invest in systems that do not require it. This logic appears sound, as devices that prevent do not need to be analyzed and therefore can scale. By implementing a prevention infrastructure, the collection of alerts becomes a matter of compliance. This simplifies log collection, making it unnecessary for day-to-day operations. The focus of the SOC becomes one of health management: making sure all the devices are running with up-to-date versions.

This focus on prevention products has failed us. Yes, prevention is needed, and it is a very effective means to handle the majority of problems, especially when scaling. But prevention alone is a formula for failure.

Consider the articles around the J.P. Morgan hack. Articles that talk about J.P. Morgan refer to it as a company that buys everything under the sun when it comes to security. This includes the latest prevention devices. It also shows us that even the press believes that a security infrastructure is based upon its products and not its people. Yet it was a human review that detected the issue. Worse is the fact that the human process was considered proof that their security was inadequate. It is the opposite. It shows that a better investment in the people and process may have detected this issue sooner and reduced the impact of the hack. Also note that J.P. Morgan itself detected it; the detection was not the result of an outside organization or person seeing the effects of the hack.

The Target hack is another example. Here, the issue was detected by someone not employed by Target. Overlooked was the fact that Target’s Symantec antivirus also detected the attack. It is a myth that antivirus always prevents, and this was one of those cases where it did not. Not reviewing alerts led to the problem: the operation center was designed to have its infrastructure operate in a prevention mode.

This pattern of failure is becoming apparent. Organizations cannot change the fact that they and their infrastructure need to grow and change with technology. The issue is how can we scale basic security fundamentals that revolve around humans?

There are two approaches which should be taken simultaneously.

  • The first is unpopular with users. This is to prevent them from surfing the net and installing software. To go further, companies that handle privacy data and financial data should not allow users to use their systems for personal reasons. With the power of smart phones, there is no need for users to use business systems for personal reasons. This is one case where advances in technology can make a network more secure.
  • The second solution is to change the way operation centers work by focusing on means to analyze data in a scalable manner. This scalable manner is founded upon sound fundamentals: detect, scope, respond, and track. It will require organizations to focus on tools that help them better understand the attack (better scoping). And if attacks are persistent, which I believe they can be, an organization needs to be able to track incidents after closure to ensure there is no further activity. Scaling fundamentals is difficult.

So to conclude, what have J.P. Morgan and Target taught us? They have taught us that good processes and people are vital to good security. They have taught us that integration is not successful because all our data is in one place, but that it is successful when we can leverage it. Lastly, CIOs/CISOs need to listen more to knowledgeable people than they do to marketing and to media.
