Is Your Security Team Treating Symptoms Rather Than Problems?

Unlike the Common Cold, Security Professionals Have the Ability to Treat the Root Cause of Problems

Catching a virus is something that most of us are quite familiar with, as it is likely something that we deal with a few times per year. What might be less familiar to us is the lesson that a stomach virus or the common cold can teach us about security. Curious what I might be referring to here? Let’s get to it.

As we all know, there is no cure for the common cold. Rather, when we find ourselves battling a virus, we treat the symptoms of the illness rather than the illness itself. We do this largely because we don’t have a lot of other options. For example, if our throat is a bit sore, we might drink hot tea with honey. Or, if we have a headache, we might take some medicine to relieve the pain. What we’re not able to do, however, is cure the actual virus. In the case of the common cold, we have to wait for our body’s immune system to fight it off.

What could this possibly have to do with security, you ask? That is certainly a fair question. I believe that the common cold can teach us a valuable lesson relating to our job duties as information security professionals. In security, we have grown accustomed to treating the symptoms of our problems rather than treating the problems themselves. We’re so comfortable in the current symptom-treating security mantra that, most often, we don’t even realize what we’re actually doing. Most security professionals, in my experience, don’t even think about whether they are treating the symptoms of the issue or the issue itself.

In the security realm, unlike the common cold, we have the ability to treat the root cause of our problems. So you can imagine my surprise when I almost always see organizations go after the symptoms of those problems rather than the problems themselves. Of course, I understand the need to respond to issues as they arise on a daily basis. But more often than not, that’s where an organization’s security efforts cease. Where is the effort to understand what led to the issues in the first place, and how it can be treated and cured?

Let’s take the malware whack-a-mole game that most organizations play on a daily basis as an example. Day in and day out, I see organizations chasing malware around the enterprise like a giant game of whack-a-mole. What exactly do I expect organizations to do, you ask? To leverage, exploit, and build upon the knowledge gained during the malware chase to identify areas in which the problems themselves can be treated, rather than their symptoms. I don’t expect organizations to cease the malware chase, of course, though I would hope that over time, organizations would work towards addressing the core of the issues.

Although not an exhaustive list, here are a few thoughts on that topic:

Examine Vectors: What are the ways in which attackers are compromising endpoints? Are there vulnerable versions of particular pieces of software that are routinely the root cause of infection? Are there particular vectors into the organization that attackers are repeatedly taking advantage of? Are there specific users that routinely get compromised due to certain patterns of behavior?

Implement Controls: Could certain controls be tightened to help reduce the number of compromises or the damage from those compromises? Do certain network segments really need to communicate with each other? Should a user really be allowed to log onto any system in the enterprise with his or her credentials? Do we need remote desktop/remote access across a wide array of systems? Where are the most critical assets with the most sensitive data within the organization, and have we adequately protected them? Do we need to allow everything outbound, or can we limit the ways in which data can leave the organization? Do users really need to access all of the sites they regularly access? Are there certain parts of the Internet that should be considered a no-go as they don’t serve any legitimate business purpose and can only open the organization up to risk?

Close Holes: Are there any holes that can be closed to improve the situation? Are there places within the enterprise that the organization has limited visibility into or control over? Are there particular attack vectors being used that can be protected, modified or eliminated? Are there particular controls that can be improved? Are there procedural or relationship issues that can be remedied to allow for more strategic moves to be made in seeking out the source of problems?
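The "Examine Vectors" questions above amount to aggregating what the malware chase already records: each cleaned-up infection carries a vector, a vulnerable component and an affected user. As an added example (not from the original column), this Python snippet groups a set of constructed incident records along those three axes and flags anything that recurs at or above a threshold; hostnames, users, software names and versions are all made up.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, Hashable, Iterable


@dataclass(frozen=True)
class Incident:
    """One cleaned-up malware infection as recorded by the SOC."""
    host: str
    user: str
    vector: str      # how the malware arrived on the endpoint
    software: str    # vulnerable component, if known
    version: str


# Constructed sample data for illustration; not real incidents.
INCIDENTS = [
    Incident("ws-101", "alice", "email_attachment", "OfficeSuite", "12.1"),
    Incident("ws-102", "bob", "email_attachment", "OfficeSuite", "12.1"),
    Incident("ws-103", "carol", "drive_by_download", "Browser", "88"),
    Incident("ws-104", "alice", "email_attachment", "OfficeSuite", "12.1"),
    Incident("ws-105", "dave", "removable_media", "unknown", "-"),
    Incident("ws-106", "alice", "drive_by_download", "Browser", "88"),
    Incident("ws-107", "erin", "email_attachment", "OfficeSuite", "12.3"),
    Incident("ws-108", "bob", "drive_by_download", "Browser", "90"),
]


def recurring(incidents: Iterable[Incident], key: Callable[[Incident], Hashable],
              threshold: int = 3) -> Dict[Hashable, int]:
    """Count incidents by `key` and keep only values seen `threshold` or more times.

    A value that recurs is a candidate root cause; a one-off is just a symptom.
    """
    counts = Counter(key(i) for i in incidents)
    return {k: n for k, n in counts.items() if n >= threshold}


def root_cause_report(incidents: Iterable[Incident], threshold: int = 3) -> Dict[str, Dict]:
    """Answer the three 'Examine Vectors' questions over the incident set."""
    incidents = list(incidents)
    return {
        # Which entry points are attackers reusing?
        "vectors": recurring(incidents, lambda i: i.vector, threshold),
        # Which software versions are routinely the point of infection?
        "software": recurring(incidents, lambda i: (i.software, i.version), threshold),
        # Which users keep getting compromised?
        "users": recurring(incidents, lambda i: i.user, threshold),
    }
```

Each non-empty entry in the report points at a control to tighten or a hole to close (a patch, a mail-filtering rule, targeted user training) instead of another round of cleanup.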

As you can see, there is no shortage of work to be done in seeking to identify root cause, rather than chasing malware without pausing to identify what might be causing the compromises. As security professionals, it’s our duty to do so, as it makes a huge impact on the overall security posture of our organization. Of course, I am aware that there will always be new root causes, vectors into the organization, and controls shortcomings that will leave us vulnerable to compromise. But that doesn’t mean that we shouldn’t try to cure the “illnesses” that we are getting beat by on a regular basis.

Unless science and medicine make some major advances in the near future, I know that next time I come down with a cold, there will be no way to cure it. But in security, we should never be satisfied with treating the symptoms. Whenever possible, we should strive to cure the actual disease itself.

Joshua Goldfarb (Twitter: @ananalytical) is CTO – Emerging Technologies at FireEye and has over a decade of experience building, operating, and running Security Operations Centers (SOCs). Before joining nPulse Technologies, which was acquired by FireEye, as its Chief Security Officer (CSO), he worked as an independent consultant, where he consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Goldfarb served as the Chief of Analysis for US-CERT, where he built from the ground up and subsequently ran the network, physical media and malware analysis/forensics capabilities. Goldfarb holds both a B.A. in Physics and an M.Eng. in Operations Research and Information Engineering from Cornell University.