Organizations Need to Ensure That They Don’t Just Buy Security Products, but Actually Empower the Security Organization...
Security is in the midst of a renaissance in most organizations. High profile breaches and lost intellectual property have made cybersecurity top of mind from the boardroom to the practitioner, and everywhere in between. However there is a very big difference between talking about security and actually becoming more secure. In fact, there is an unsettling tendency for organizations to invest considerable time and money in security solutions that don’t take action at the critical moment of an attack. For instance, a recent post-mortem of the Target breach showed that the security team had advanced tools that identified the malware used to steal credit card data, but the information and alerts were not acted upon.
This is not something unique to Target. The yearly Verizon Data Breach Investigations Report has consistently shown that while 92% of breaches were discovered by outside third parties, 85% of the victim networks had evidence of the breach in their logs. In all of these cases, the victims obviously had some level of security in place, yet ultimately failed to protect the organization. As enterprises become increasingly focused on security, it’s important to take an honest look not just at what security measures are in place, but at how they are really used. How deterministic is a particular security solution? Can it take proactive action, or does it require further analysis from staff? Do security teams have the manpower and expertise needed to respond in a timely manner? Is the team empowered to take action and block potential threats? Without a firm answer to questions like these, organizations can easily waste money acquiring products that don’t get used in the way management expected. Let’s take a closer look at some of the more common pitfalls.
I’ll Take One Pound of Security Please
The simple truth is that security is not a commodity. Buying and deploying a security product does not instantly translate to security in most cases. In fact, the vast majority of security solutions require a commensurate level of human attention and expertise in order to derive real value. Staff must be trained, logs analyzed, signatures updated, policies rebalanced, and anomalies investigated - often on a daily basis. If organizations go on a spending spree, buying security products when their security staff is already overwhelmed, they are highly unlikely to get the results they expected.
This is particularly true as attacks become more advanced and subtle. Were the anomalies seen in the network an APT that needs an immediate response, or just an overly aggressive piece of adware? The answer often requires a security admin who both understands modern malware and has experience with the system that generated the alert. After a decade of belt-tightening and “doing more with less”, many security teams are understaffed to begin with. As a result, it’s important to remember that investment in talent is just as important as investment in technology.
The Fear of False-Positives
False positives are one of the most debilitating issues in enterprise security, yet one that gets virtually no coverage. A “false positive” refers to a case where a security product inspects a benign piece of content and incorrectly classifies it as malicious. Even low false positive rates can have an unexpectedly large impact on real-world operations, as illustrated in this analysis. A security product that cries wolf is obviously a bad thing, but a security product that incorrectly blocks good content can be disastrous. Automatically blocking good content can break applications, lock out end-users, and generally wreak havoc on company operations.
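The base-rate arithmetic behind that claim is worth seeing in numbers. The following is an added illustration, not code or data from the original article: it assumes a constructed gateway that inspects 2,000,000 benign objects and 20 genuinely malicious ones per day, and compares a product with a 0.5% false positive rate against one with a 0.01% rate, both at a 99% catch rate. The names (`DetectorProfile`, `analysts_needed`, the 15-minute triage estimate) are assumptions for the example.

```python
"""Base-rate impact of a detection product's false positive rate.

Added example with constructed numbers; nothing here comes from the article
or from any vendor's published figures. It shows why precision, alert
volume and triage headcount are driven by the benign traffic volume rather
than by the catch rate that test reports usually emphasize.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class DetectorProfile:
    """Daily traffic mix and the product's measured detection rates (assumed)."""
    benign_per_day: int
    malicious_per_day: int
    catch_rate: float            # true positive rate, 0..1
    false_positive_rate: float   # fraction of benign content flagged, 0..1

    def true_positives(self) -> float:
        """Malicious items correctly flagged per day."""
        return self.malicious_per_day * self.catch_rate

    def false_positives(self) -> float:
        """Benign items wrongly flagged per day; in blocking mode these are
        legitimate files, messages or sessions that get stopped."""
        return self.benign_per_day * self.false_positive_rate

    def alerts_per_day(self) -> float:
        return self.true_positives() + self.false_positives()

    def precision(self) -> float:
        """Share of alerts that are real: what the admin can actually trust."""
        alerts = self.alerts_per_day()
        return self.true_positives() / alerts if alerts else 0.0


def analysts_needed(alerts_per_day: float, minutes_per_alert: float = 15.0,
                    minutes_per_analyst_day: float = 480.0) -> int:
    """Full-time analysts required to triage every alert the same day,
    assuming (constructed estimate) 15 minutes per alert and an 8-hour shift."""
    return math.ceil(alerts_per_day * minutes_per_alert / minutes_per_analyst_day)


# Constructed scenarios: same traffic, same catch rate, different FP rate.
NOISY = DetectorProfile(benign_per_day=2_000_000, malicious_per_day=20,
                        catch_rate=0.99, false_positive_rate=0.005)
QUIET = DetectorProfile(benign_per_day=2_000_000, malicious_per_day=20,
                        catch_rate=0.99, false_positive_rate=0.0001)


def summarize(profile: DetectorProfile) -> dict:
    """Operational view of a profile: what lands on the admin's desk each day."""
    return {
        "true_positives": round(profile.true_positives(), 1),
        "false_positives": round(profile.false_positives(), 1),
        "precision": round(profile.precision(), 4),
        "analysts_needed": analysts_needed(profile.alerts_per_day()),
    }


if __name__ == "__main__":
    for name, profile in (("0.5% FP rate", NOISY), ("0.01% FP rate", QUIET)):
        s = summarize(profile)
        print(f"{name}: {s['true_positives']} real hits buried in "
              f"{s['false_positives']} false alarms/day, precision "
              f"{s['precision']:.1%}, {s['analysts_needed']} analysts to keep up")
```

With the constructed numbers, the 0.5% product raises roughly ten thousand false alarms a day against about twenty real detections, so fewer than one alert in five hundred is genuine and no realistic team can triage the queue, let alone let the product block automatically. Cutting the false positive rate by a factor of fifty, with the catch rate unchanged, is what makes the same product operable; the catch rate figure that test reports highlight barely moves either number.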
The dirty little secret is that security admins are just as likely to get fired for blocking something they shouldn’t as they are for letting an attack succeed. Making matters worse, industry testing houses almost exclusively judge security vendors based on their catch rate and ignore false positives. This is a major disconnect between how security products are publicly judged and how organizations actually use them. If you can’t trust what a security product tells you, then odds are you are very unlikely to let that product block threats automatically.
When evaluating security products, management needs to understand (as much as possible) how deterministic a particular technology can be. How much human interaction is realistically required before action is taken? What are the rates of false positives? How are false positives addressed by the vendor? Without solid answers to questions like these, the security admin is forced to take all the risk associated with pulling the trigger, and that in itself is a recipe for paralysis or inaction.
Ultimately, organizations need to ensure that they don’t just buy security products, but actually empower the security organization. This includes delivering the right technology, appropriate staffing, ongoing training, and the political support needed to take action. Needless to say that is often easier said than done, but it is almost assuredly better than living with a false sense of security.