Good Security is a Marathon, Not a Sprint

Although French mathematician Blaise Pascal was known for many things, I have always admired his quotes.  One of his most famous quotes, and one of my personal favorites states, “I would have written a shorter letter, but I did not have the time.” This quote is poignant for many reasons, including its commentary on the elegance of simplicity.

Simplicity is a bit paradoxical in the sense that it is often perceived as the byproduct of incomplete thinking or the partial grasp of an idea or a concept.  In reality, the truth of the matter is quite the opposite.  There is a certain elegance in simplicity.  A simple solution, categorization, classification, or presentation of an idea or a concept requires a complete grasp of and fluency with the idea or concept that most of us rarely achieve.

Or, to put it another way, it is quite easy to over-complicate something.  Any of us who have ever participated in certain types of committees or sat through certain types of meetings know this phenomenon all too well.  Simplicity is difficult to achieve in life, and it often eludes us.

While I have always been a fan of simplicity, I have never been a fan of oversimplification. There is a delicate balance between over-complication and over-simplification in which elegant solutions to many problems lie.  Unfortunately, landing right in this target zone is not something that comes easily to most of us.  Security is no exception to this rule.

The amount of over-simplification on the one hand and over-complication on the other hand that I see in the security field never ceases to amaze me.

On the one hand, I sometimes get questions like “Is the network secure?”, “What is the minimum amount of money I need to spend in order to be secure?”, or “I have a SIEM, IDS, firewall, sandbox, and I am processing 100,000 alerts per day -- why would I need anything beyond that?”  Needless to say, for those of us who have spent the better part of our careers approaching security as a strategic risk minimization, management, and mitigation effort, these questions can be quite frustrating.

On the other hand, I often encounter situations where literally dozens and dozens of technologies have been acquired, yet there is no overarching risk-based strategy for addressing operational security needs.  To put it another way, loads of technology have been acquired, but operational security problems remain unsolved.  Or, as another example, perhaps incident responders and analysts are chasing one alert after another without any prioritization of alerts or processes and procedures to follow.  There is data streaming in from all different directions without any way to make any sense or order of it.  A sort of operational chaos, if you will.  Over-complication isn’t great either.

Fortunately for us, security is a marathon and not a sprint.  This allows us to plan, course correct, and adjust over time to get to where we need to be.  To illustrate what I mean by this, let’s begin with an analogy we are all likely familiar with.  Most of us visit the dentist periodically for a check-up.  How many of us brush our teeth right before we go to the dentist?  I know I do.  Though, if you think about it, this is a bit of an odd behavior.  The dentist knows whether or not we have been keeping up on our hygiene in the interim between checkups.  Whether or not we brushed our teeth right before going to the dentist won’t cover up the lack of day-to-day attention to hygiene over a period of time.  In other words, like security, dental hygiene is also a marathon and not a sprint.

It may be tempting to run after the latest craze, but there is simply no substitute for a methodical, strategic, intelligence-informed, risk-based approach to security.  While certainly not a complete list, the steps involved in attaining this type of capability include:

Understanding the risks and threats faced by the organization:  Informed and guided by intelligence, executives, the board, customers, and other key stakeholders.

Prioritizing those risks and threats:  Which risks and threats would cause severe damage to the business and thus need to be mitigated soonest?

Allocating the optimal mix of people, process, and technology to address prioritized risks and threats given the allowable budget:  How can we address the maximum number of issues with the minimal amount of spend?

Developing the right content:  This is low-noise, high-fidelity, reliable, precise alerting designed to identify activity indicative of the risks and threats enumerated in the earlier step.  It is the quality, rather than the quantity, that is most important here.  This step is highly correlated with the day-to-day productivity and the overall efficiency of the security program as a whole.

Workflow:  Running day-to-day security operations.  Documenting processes and procedures.  Handling incidents consistently and performing incident response when necessary.  Proper case management and incident ticketing.

Communication to stakeholders:  This includes metrics and reporting.  Making sure that the value you are providing the organization on a daily basis is well understood.

Giving back to the community:  Information sharing.  Presenting case studies and techniques at industry events and local user groups.  Participating in various different peer groups where ideas can be exchanged freely.

Continuously improving:  Alerting will need attention.  Processes will need to be tweaked.  New use cases will arise.  Ensuring that the security program remains world class as the threat landscape evolves.
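To make the prioritizing, content-development, and continuous-improvement steps above concrete, here is an added example (my own illustration, not code from this column, from FireEye, or from any product) of the kind of review a security program can run on a schedule. It assumes a stakeholder-agreed 1-5 impact and likelihood scale for each risk, a mapping from each detection rule to the risk it is meant to surface, and analyst triage outcomes exported from the case-management system; every risk name, rule name, and triage record below is constructed for the example. It reports rules whose precision is too low for their volume (candidates for tuning) and high-priority risks that no proven rule covers (candidates for new content).

```python
"""Alert-fidelity and risk-coverage review (added example, constructed data)."""
from collections import defaultdict

# Constructed: the prioritized risk register from the "understand" and
# "prioritize" steps. impact and likelihood are assumed 1-5 ratings.
RISKS = {
    "ransomware": {"impact": 5, "likelihood": 4},
    "credential_theft": {"impact": 4, "likelihood": 5},
    "web_defacement": {"impact": 2, "likelihood": 2},
    "insider_exfil": {"impact": 4, "likelihood": 2},
}

# Constructed: each detection rule is written to surface one risk.
RULE_TO_RISK = {
    "smb_lateral_movement": "ransomware",
    "mass_file_rename": "ransomware",
    "password_spray": "credential_theft",
    "any_failed_logon": "credential_theft",
    "large_upload_to_cloud_storage": "insider_exfil",
}

# Constructed triage records (rule, analyst outcome), as they would be exported
# from the ticketing system named in the workflow step. One rule fires on every
# failed logon and is almost pure noise.
TRIAGE = (
    [("smb_lateral_movement", "true_positive"),
     ("smb_lateral_movement", "false_positive"),
     ("smb_lateral_movement", "true_positive"),
     ("mass_file_rename", "true_positive"),
     ("password_spray", "true_positive"),
     ("password_spray", "true_positive"),
     ("password_spray", "false_positive")]
    + [("any_failed_logon", "false_positive")] * 200
    + [("any_failed_logon", "true_positive")] * 2
)


def risk_score(risk):
    """Impact x likelihood: the ranking used to decide what to mitigate first."""
    r = RISKS[risk]
    return r["impact"] * r["likelihood"]


def rule_stats(triage):
    """Per rule: total alerts raised and analyst-confirmed true positives."""
    counts = defaultdict(lambda: {"alerts": 0, "tp": 0})
    for rule, outcome in triage:
        counts[rule]["alerts"] += 1
        if outcome == "true_positive":
            counts[rule]["tp"] += 1
    return dict(counts)


def precision(stats, rule):
    """Share of a rule's alerts that were real; None if it has never fired
    (unknown fidelity is not the same as perfect fidelity)."""
    s = stats.get(rule)
    if not s or s["alerts"] == 0:
        return None
    return s["tp"] / s["alerts"]


def rules_to_tune(triage, min_precision=0.5, min_alerts=10):
    """Rules with enough volume to cost analyst time whose precision misses target,
    highest volume first."""
    stats = rule_stats(triage)
    noisy = [r for r, s in stats.items()
             if s["alerts"] >= min_alerts and precision(stats, r) < min_precision]
    return sorted(noisy, key=lambda r: -stats[r]["alerts"])


def noise_share(triage, min_precision=0.5, min_alerts=10):
    """Fraction of the whole alert stream produced by rules flagged for tuning."""
    stats = rule_stats(triage)
    total = sum(s["alerts"] for s in stats.values())
    noisy = sum(stats[r]["alerts"]
                for r in rules_to_tune(triage, min_precision, min_alerts))
    return round(noisy / total, 3) if total else 0.0


def coverage_gaps(triage, min_score=8, min_precision=0.5):
    """Risks at or above the priority threshold with no rule that has
    demonstrated acceptable precision, highest priority first."""
    stats = rule_stats(triage)
    gaps = []
    for risk in RISKS:
        if risk_score(risk) < min_score:
            continue
        rules = [r for r, mapped in RULE_TO_RISK.items() if mapped == risk]
        covered = any((precision(stats, r) or 0.0) >= min_precision for r in rules)
        if not covered:
            gaps.append(risk)
    return sorted(gaps, key=lambda r: -risk_score(r))


if __name__ == "__main__":
    print("rules to tune:", rules_to_tune(TRIAGE))
    print("share of alerts from those rules:", noise_share(TRIAGE))
    print("high-priority risks without proven coverage:", coverage_gaps(TRIAGE))
```

Run against the constructed data, the review flags the failed-logon rule (over 96% of the alert volume at about 1% precision) for tuning and reports that the insider-exfiltration risk has a rule but no triage evidence that it works. Rules that have never fired are deliberately treated as unproven rather than perfect, which is what keeps the quantity of installed content from being mistaken for the quality of coverage.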

As you can see, this undertaking is most certainly a marathon and not a sprint.  World class security organizations are strategic, methodical, and calculated.  Sometimes they progress less quickly in the short term to get where they need to be in the long term.  But one thing they won’t do is run after fads and trends.  Buzz and hype do not a good security program make.

The savvy customer knows which organizations brush their teeth before going to the dentist versus practicing good security hygiene on a consistent basis.  In other words, while sprinting from distraction to distraction may fool some people, it won’t fool nearly enough to justify the risk it introduces into your organization.  Slow and steady wins the race.

Joshua Goldfarb (Twitter: @ananalytical) is CTO – Emerging Technologies at FireEye and has over a decade of experience building, operating, and running Security Operations Centers (SOCs). Before joining nPulse Technologies, which was acquired by FireEye, as its Chief Security Officer (CSO), he worked as an independent consultant, where he consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Goldfarb served as the Chief of Analysis for US-CERT, where he built from the ground up and subsequently ran the network, physical media, and malware analysis/forensics capabilities. Goldfarb holds both a B.A. in Physics and an M.Eng. in Operations Research and Information Engineering from Cornell University.