Recycling the Same Security Advice

There is little innovation in the security industry and the same advice shows up ad nauseam. Take this article at Dark Reading, What Every CFO Should Know About Security Breaches, as a recent example.

TYSONS CORNER, VA. — CEOs and CIOs have gotten religion about cybersecurity, but what about those who hold the purse strings? Experts say they need a hard lesson, too.

Three clichés in a row and we haven’t even cleared the first paragraph. It is followed by the same kinds of advice directed, supposedly, at CFOs, who we all know show up in force at security conferences to be lectured to by “experts.”

Let’s look at some of the advice our panelists hand out. Quoting one of those Pokemon Ponemon Institute estimates with big scary numbers,

“What that says is that it pays to make the right [security] decisions from a financial perspective.”

Thank you, genius; there is almost no CFO on the planet who doesn’t endeavor to do that. Next up, this joke,

“In some ways, security is IT’s revenge on the finance department — they say, ‘You don’t understand what we do, so we’ll spend your money however we like,’” joked Kevin Mandia, CEO of security forensics firm Mandiant.

Perfect, that should get a larger budget for next year. Then this,

Michelle Schafer, vice president of the security practice at public relations firm Merritt Group, said companies should take the time to develop a breach response program — and rehearse various scenarios — before a compromise occurs.

Glad they brought you along, Michelle. No CFO has ever heard of an incident response team. One more precious nugget unearthed from the finest minds,

“It’s so easy to go off spending money on security without knowing what you’re doing,” Moodispaw said. “We’ve seen companies look at firewalls and say, ‘Hey, if one is good, then we should buy five or six.’ You need to counsel your organizations to think twice about buying the latest, hottest things and focus on what works.”

What works has been known for a long time too. If they are buying crap they don’t need to entertain the infosec team, fire the manager. The odd thing about this article is the total absence of any quotes from the “CFOs” who were the target of this panel. I suppose that is because if you interviewed them you would find an accounts payable analyst who went to get out of the office instead of a CFO. Years ago, out of curiosity, I sat in the audience at a panel discussion that was aimed at CEOs. Only two hands went up of the twenty or so people there when they asked who was a CEO. One left before the panel was over, talking on his (then) status-signaling Blackberry as he walked out of the room.

There appear to be only two kinds of security articles: the recycled advice like this one and, of course, the “they just don’t get it” story. We have reached the point where we should be writing better software so a casual user can click on any link or open any file without fear of surreptitious installation of malware. We haven’t; we won’t, because time to market and return on investment will always predominate.

“Rethinking Security Architecture” or Not

Over at Dark Reading they have a story just in time for the end of the year titled, “Rethinking IT Security Architecture: Experts Question Wisdom Of Current ‘Layered’ Cyberdefense Strategies.” I didn’t link to it so you will know that it has nothing to say. Instead I will just quote from the article to give you an idea of the level of thinking going on.

I really think the security industry is completely saturated at this point. I am not saying there is no talent in the industry; it’s just that people need to differentiate themselves from everyone else’s offerings, and that leads to false observations from small sample sets, coining of new phrases for old concepts and, of course, fads. It leads to people saying things like the following and pretending it’s profound or original.

“The need to develop a robust security architecture framework has never been greater.”

However, 63 percent of organizations have no such framework in place, the study says. “For years, companies have been approaching security as a technical problem, usually by buying products to solve specific problems,” says Jose Granado, principal and practice leader for IT security services at Ernst & Young and one of the authors of the new report. “There hasn’t been much thought put to how those technologies will work together, or to the people and process sides of the equation.”

I have worked in information security for more than twenty years, both inside and consulting to large organizations. I can’t remember a single place whose security team approached “security as technical problem,” and this goes back to before companies ever plugged into the internet. More pearls of wisdom follow:

Vinnie Liu, partner and co-founder of Stach & Liu, a consulting firm that works with large enterprises on security architecture and tests companies’ defense strategies, agrees that enterprises’ historical focus on point solutions has prevented many organizations from developing a broader security strategy.

“The industry has been approaching the cybersecurity problem like the TSA has been approaching the air-security problem,” Liu says. “First the bad guys brought guns on board, so they put in metal detectors. Then somebody put a bomb in his shoe, and now we all have to take our shoes off. Then they found liquid explosives, so now we can’t bring on any liquids. It’s one problem, one solution, with no real thought to the big picture.”

The need for a broad security strategy has been well understood since Sun Tzu, right through von Clausewitz. The reason the TSA is so inept is that it is a government bureaucracy run by arrogant technocrats who are just as interested in increasing their power as they are in your safety. They respond to political pressures and newspaper headlines. The TSA, FEMA, EPA, FCC, FDC, etc.: a murderers’ row of bad decisions and pathetic responses. When they screw up they ask for a bigger budget. Everyone else loses their jobs.

Continuing with more pearls of wisdom:

“The problem is that most of these tools are still signature-based, which means you’re taking a known threat and blacklisting it. So what you’re doing is essentially layering one technology with another layer of the same type of technology,” Liu says. “It’s sort of like putting on a coat, and then putting on another coat that covers the exact same parts of your body, and then wondering why you’re still cold.”

Defense in depth means exactly that, “in depth,” covering all areas, so if you have exposure you either have no management support or you’re incompetent.

Stach & Liu recommends that rather than buying more point technology, organizations should perform a risk assessment that identifies the most sensitive areas of the business, the most likely threats, and a holistic defense strategy — an architecture of technology and processes — designed specifically to protect the business. The risk assessment, along with the definition of the business’ specific security requirements, helps identify top priorities and most likely threats, as well as key goals — such as compliance — in order to develop a comprehensive, practical defense strategy.

At this point I am wondering who this article’s intended audience is: perhaps someone who knows little about security, or someone who thinks they do but doesn’t.

“In the old days, you didn’t change your applications all that often, so you could build a positive defense,” Pao says. “You could put email on one [router] port, Internet traffic on one router port, and have a strategy for defending them through the firewall. Today, we have mobile users, changing applications, and we can’t lock down the desktop anymore. The old ‘M&M candy’ architecture with the hard outside and the soft, chewy center no longer works. It has to be a jawbreaker now — hard all the way through.”

The reason for the hard outside and soft center had more to do with limited budgets than it did with design. I can’t imagine that has changed. Making decisions under scarcity is what we must do in every field. In security you decide what you can protect with the money you have.

The most important piece of developing a security architecture is mapping (or, often, remapping) the organization’s business needs to its security requirements, experts say. Building a security architecture requires not only the buy-in of upper management, but their direct participation.

Guess what: they are too busy to talk to you. They have lots of other problems getting their focus. And when you have it, it’s because something went wrong, and it’s rarely their fault. It doesn’t matter if it is their fault, because they are not taking the blame. There are exceptions, of course, when they directly interfere with security, but unless the press gets wind, someone else will perish.

I could select other quotes from the article but what would be the point? The entire article is just standing up and knocking down straw men with no true insight or anything approaching a rethinking of security architecture.