“Rethinking Security Architecture” or Not

Over at Dark Reading they have a story just in time for the end of the year titled, “Rethinking IT Security Architecture: Experts Question Wisdom Of Current ‘Layered’ Cyberdefense Strategies.”  I didn’t link to it, so you know up front that it has nothing to say.  Instead I will just quote from the article to give you an idea of the level of thinking going on.

I really think the security industry is completely saturated at this point.  I am not saying there is no talent in the industry; it’s just that people need to differentiate themselves from everyone else’s offerings, and that leads to false observations from small sample sets, the coining of new phrases for old concepts and, of course, fads.  It leads to people saying things like the following and pretending it’s profound or original.

“The need to develop a robust security architecture framework has never been greater.”

However, 63 percent of organizations have no such framework in place, the study says. “For years, companies have been approaching security as a technical problem, usually by buying products to solve specific problems,” says Jose Granado, principal and practice leader for IT security services at Ernst & Young and one of the authors of the new report. “There hasn’t been much thought put to how those technologies will work together, or to the people and process sides of the equation.”

I have worked in information security for more than twenty years, both inside large organizations and consulting to them.  I can’t remember a single place whose security team approached “security as a technical problem,” and this goes back to before companies ever plugged into the internet.  More pearls of wisdom follow:

Vinnie Liu, partner and co-founder of Stach & Liu, a consulting firm that works with large enterprises on security architecture and tests companies’ defense strategies, agrees that enterprises’ historical focus on point solutions has prevented many organizations from developing a broader security strategy.

“The industry has been approaching the cybersecurity problem like the TSA has been approaching the air-security problem,” Liu says. “First the bad guys brought guns on board, so they put in metal detectors. Then somebody put a bomb in his shoe, and now we all have to take our shoes off. Then they found liquid explosives, so now we can’t bring on any liquids. It’s one problem, one solution, with no real thought to the big picture.”

The need for a broad security strategy has been well understood since Sun Tzu, right through von Clausewitz.  The reason the TSA is so inept is that it is a government bureaucracy run by arrogant technocrats who are just as interested in increasing their power as they are in your safety.  They respond to political pressures and newspaper headlines.  The TSA, FEMA, EPA, FCC, FDC, etc.: a murderers’ row of bad decisions and pathetic responses.  When they screw up they ask for a bigger budget.  Everyone else loses their jobs.

Continuing with more pearls of wisdom:

“The problem is that most of these tools are still signature-based, which means you’re taking a known threat and blacklisting it. So what you’re doing is essentially layering one technology with another layer of the same type of technology,” Liu says. “It’s sort of like putting on a coat, and then putting on another coat that covers the exact same parts of your body, and then wondering why you’re still cold.”

Defense in depth means exactly that: “in depth,” covering all areas, so if you have an exposure you either have no management support or you’re incompetent.

Stach & Liu recommends that rather than buying more point technology, organizations should perform a risk assessment that identifies the most sensitive areas of the business, the most likely threats, and a holistic defense strategy — an architecture of technology and processes — designed specifically to protect the business. The risk assessment, along with the definition of the business’ specific security requirements, helps identify top priorities and most likely threats, as well as key goals — such as compliance — in order to develop a comprehensive, practical defense strategy.

At this point I am wondering who this article’s intended audience is: perhaps someone who knows little about security, or someone who thinks they do but doesn’t.

“In the old days, you didn’t change your applications all that often, so you could build a positive defense,” Pao says. “You could put email on one [router] port, Internet traffic on one router port, and have a strategy for defending them through the firewall. Today, we have mobile users, changing applications, and we can’t lock down the desktop anymore. The old ‘M&M candy’ architecture with the hard outside and the soft, chewy center no longer works. It has to be a jawbreaker now — hard all the way through.”

The reason for the hard outside and soft center had more to do with limited budgets than it did with design.  I can’t imagine that has changed.  Making decisions under scarcity is what we must do in every field.  In security you decide what you can protect with the money you have.

The most important piece of developing a security architecture is mapping (or, often, remapping) the organization’s business needs to its security requirements, experts say. Building a security architecture requires not only the buy-in of upper management, but their direct participation.

Guess what, they are too busy to talk to you.  They have lots of other problems competing for their focus.  And when you do have their attention, it’s because something went wrong, and it’s rarely their fault.  It doesn’t matter if it is their fault, because they are not taking the blame.  There are exceptions, of course, when they directly interfere with security, but unless the press gets wind of it someone else will perish.

I could select other quotes from the article but what would be the point? The entire article is just standing up and knocking down straw men with no true insight or anything approaching a rethinking of security architecture.

Central Control System Risk

Whenever we have a system whose function is to provide better risk management or security, that system itself will have a control element.  These systems can be attacked and the service they provide disabled.

Take, for example, a network intrusion detection system: is the control console system protected?  Is the back end database on its own server, or is it part of a shared environment?  Are the updated signatures delivered over a private physical network, or at least a separate VLAN?  Are the administrators themselves audited periodically?

What I have seen many times is that the worst security in a company is on the security group’s own control systems.  Not because the security group is lazy or incompetent, but because they simply do not have the resources to adequately safeguard their own systems.  They are assigned additional duties without additional personnel, or it was left out of the budget.  It can happen to the best.  There have been numerous luminaries in the information security field who have been hacked.  Sometimes earning a living takes all your time and there is nothing left for securing your own systems.

If you cannot afford to add the correct number of internal personnel for your Identity Management Solution, Intrusion Detection System, Content Filtering Software, etc., you should contract someone who can, and then audit them regularly.

How Much Security is Enough?

How secure is your company?  Are you spending too much or not enough on security?  How would you know?  We don’t have 1,000 years of statistical data from which to build orderly models with nice normal distributions (if in fact that is the underlying distribution, which it most likely is not).

Much of what is spent is to fix an irritation or meet a regulation.  I know a company that first introduced anti-virus into the enterprise because the CEO was angry at all the emails that filled his inbox due to an email virus.  In this case it was purely reactive.  When I was a senior security analyst inside a large multinational, we were able to go three straight years without a worm or email virus getting into our network.  This was at a time when Microsoft vulnerabilities were a constant cascade and Microsoft responded to everything released on bugtraq as if it were a malicious lie.  We managed this on a relatively small budget and with a user base that had admin access over their local machines.  It is possible to have tight security without spending a fortune.  Despite this, I knew we were not spending enough on security because we had little to no defense against the insider threat.  The best defense against the insider threat is an ethical corporate culture and good hiring practices, an area often overlooked.  Of the security triad (prevention, detection and clean-up), prevention is frequently the most expensive when it is done with technology.  Prevention is a lot cheaper if you don’t hire losers in the first place, or if you don’t build up resentment by stealing from your employees with understaffed teams, overworked associates and no bonuses except for the C suite.

At this point, lacking a wealth of statistical data, most companies can’t say whether they are spending too little or too much unless they ask an outside expert.  If they ask the question inside the company, they will most likely get an answer weighted for self-preservation, if they are asking at all.