“Rethinking Security Architecture” or Not

Over at Dark Reading they have a story just in time for the end of the year titled, “Rethinking IT Security Architecture: Experts Question Wisdom Of Current ‘Layered’ Cyberdefense Strategies.”  I didn’t link to it so you will know that it has nothing to say.  Instead I will just quote from the article to give you an idea of the level of thinking going on.

I really think the security industry is completely saturated at this point.  I am not saying there is no talent in the industry, it’s just that people need to differentiate themselves from everyone else’s offerings and that leads to false observations from small sample sets, coining of new phrases for old concepts and of course, fads.  It leads to people saying things like the following and pretending it’s profound or original.

 “The need to develop a robust security architecture framework has never been greater.”

However, 63 percent of organizations have no such framework in place, the study says. “For years, companies have been approaching security as a technical problem, usually by buying products to solve specific problems,” says Jose Granado, principal and practice leader for IT security services at Ernst & Young and one of the authors of the new report. “There hasn’t been much thought put to how those technologies will work together, or to the people and process sides of the equation.”

I have worked in information security for more than twenty years both inside and consulting to large organizations.  I can’t remember a single place whose security team approached “security as technical problem” and this goes back to before companies ever plugged into the internet.  More pearls of wisdom follow:

Vinnie Liu, partner and co-founder of Stach & Liu, a consulting firm that works with large enterprises on security architecture and tests companies’ defense strategies, agrees that enterprises’ historical focus on point solutions has prevented many organizations from developing a broader security strategy.

“The industry has been approaching the cybersecurity problem like the TSA has been approaching the air-security problem,” Liu says. “First the bad guys brought guns on board, so they put in metal detectors. Then somebody put a bomb in his shoe, and now we all have to take our shoes off. Then they found liquid explosives, so now we can’t bring on any liquids. It’s one problem, one solution, with no real thought to the big picture.”

The need for a broad security strategy has been well understood since Sun Tzu, right through von Clausewitz.  The reason TSA is so inept is because it is a government bureaucracy run by arrogant technocrats who are just as interested in increasing their power as they are in your safety.  They respond to political pressures and newspaper headlines.  The TSA, FEMA, EPA, FCC, FDC etc.  a murders row of bad decisions and pathetic responses.  When they screw up they ask for a bigger budget.  Everyone else loses their jobs.

Continuing with more pearls of wisdom:

“The problem is that most of these tools are still signature-based, which means you’re taking a known threat and blacklisting it. So what you’re doing is essentially layering one technology with another layer of the same type of technology,” Liu says. “It’s sort of like putting on a coat, and then putting on another coat that covers the exact same parts of your body, and then wondering why you’re still cold.”

Defense in depth means exactly that “in depth” covering all areas so if you have exposure you either have no management support or you’re incompetent.

Stach & Liu recommends that rather than buying more point technology, organizations should perform a risk assessment that identifies the most sensitive areas of the business, the most likely threats, and a holistic defense strategy — an architecture of technology and processes — designed specifically to protect the business. The risk assessment, along with the definition of the business’ specific security requirements, helps identify top priorities and most likely threats, as well as key goals — such as compliance — in order to develop a comprehensive, practical defense strategy.

At this point I am wondering who this article’s intended audience is, perhaps a someone who knows little about security or someone who thinks they do but doesn’t.

“In the old days, you didn’t change your applications all that often, so you could build a positive defense,” Pao says. “You could put email on one [router] port, Internet traffic on one router port, and have a strategy for defending them through the firewall. Today, we have mobile users, changing applications, and we can’t lock down the desktop anymore. The old ‘M&M candy’ architecture with the hard outside and the soft, chewy center no longer works. It has to be a jawbreaker now — hard all the way through.”

The reason for the hard outside and soft center had more to do with limited budgets than it did with design.  I can’t imagine that has changed.  Making decisions under scarcity is what we must do in every field.  In security you decide what you can protect with the money you have.

The most important piece of developing a security architecture is mapping (or, often, remapping) the organization’s business needs to its security requirements, experts say. Building a security architecture requires not only the buy-in of upper management, but their direct participation.

Guess what, they are too busy to talk to you.  They have lots of other problems getting their focus.  And when you have it, it’s because something went wrong and it’s rarely their fault.  It doesn’t matter if it is their fault because they are not taking the blame.  There are exceptions, of course, when they directly interfere with security but unless the press gets wind someone else will perish.

I could select other quotes from the article but what would be the point? The entire article is just standing up and knocking down straw men with no true insight or anything approaching a rethinking of security architecture.