
Good Security is a Marathon, Not a Sprint

Although French mathematician Blaise Pascal was known for many things, I have always admired his quotes. One of his most famous quotes, and one of my personal favorites, states, “I would have written a shorter letter, but I did not have the time.” This quote is poignant for many reasons, including its commentary on the elegance of simplicity.

Simplicity is a bit paradoxical in the sense that it is often perceived as the byproduct of incomplete thinking or the partial grasp of an idea or a concept.  In reality, the truth of the matter is quite the opposite.  There is a certain elegance in simplicity.  A simple solution, categorization, classification, or presentation of an idea or a concept requires a complete grasp of and fluency with the idea or concept that most of us rarely achieve.

Or, to put it another way, it is quite easy to over-complicate something. Any of us who have ever participated in certain types of committees or sat through certain types of meetings know this phenomenon all too well. Simplicity is difficult to achieve in life, and it often eludes us.

While I have always been a fan of simplicity, I have never been a fan of oversimplification. There is a delicate balance between over-complication and over-simplification in which elegant solutions to many problems lie.  Unfortunately, landing right in this target zone is not something that comes easily to most of us.  Security is no exception to this rule.

The amount of over-simplification on the one hand and over-complication on the other hand that I see in the security field never ceases to amaze me.

On the one hand, I sometimes get questions like “Is the network secure?”, “What is the minimum amount of money I need to spend in order to be secure?”, or “I have a SIEM, IDS, firewall, sandbox, and I am processing 100,000 alerts per day — why would I need anything beyond that?” Needless to say, for those of us who have spent the better part of our careers approaching security as a strategic risk minimization, management, and mitigation effort, these questions can be quite frustrating.

On the other hand, I often encounter situations where literally dozens and dozens of technologies have been acquired, yet there is no overarching risk-based strategy to addressing operational security needs.  To put it another way, loads of technology has been acquired, but operational security problems remain unsolved.  Or, as another example, perhaps incident responders and analysts are chasing one alert after another without any prioritization of alerts or processes and procedures to follow.  There is data streaming in from all different directions without any way to make any sense or order of it.  A sort of operational chaos, if you will.  Over-complication isn’t great either.

Fortunately for us, security is a marathon and not a sprint. This allows us to plan, course correct, and adjust over time to get to where we need to be. To illustrate what I mean by this, let’s begin with an analogy we are all likely familiar with. Most of us visit the dentist periodically for a check-up. How many of us brush our teeth right before we go to the dentist? I know I do. Though, if you think about it, this is a bit of an odd behavior. The dentist knows whether or not we have been keeping up on our hygiene in the interim between checkups. Whether or not we brushed our teeth right before going to the dentist won’t cover up the lack of day-to-day attention to hygiene over a period of time. In other words, like security, dental hygiene is also a marathon and not a sprint.

It may be tempting to run after the latest craze, but there is simply no substitute for a methodical, strategic, intelligence-informed, risk-based approach to security. While certainly not a complete list, the steps involved in attaining this type of capability include:

Understanding the risks and threats faced by the organization:  Informed and guided by intelligence, executives, the board, customers, and other key stakeholders.

Prioritizing those risks and threats:  Which risks and threats would cause severe damage to the business and thus need to be mitigated soonest?

Allocating the optimal mix of people, process, and technology to address prioritized risks and threats given the allowable budget:  How can we address the maximum number of issues with the minimal amount of spend?

Developing the right content:  This is low noise, high fidelity, reliable, precise alerting designed to identify activity indicative of the risks and threats enumerated in the earlier step.  It is the quality, rather than the quantity that is most important here.  This step is highly correlated to the day to day productivity and the overall efficiency of the security program as a whole.

Workflow:  Running day to day security operations.  Documenting processes and procedures.  Handling incidents consistently and performing incident response when necessary.  Proper case management and incident ticketing.

Communication to stakeholders:  This includes metrics and reporting.  Making sure that the value you are providing the organization on a daily basis is well understood.

Giving back to the community:  Information sharing.  Presenting case studies and techniques at industry events and local user groups.  Participating in various different peer groups where ideas can be exchanged freely.

Continuously improving:  Alerting will need attention.  Processes will need to be tweaked.  New use cases will arise.  Ensuring that the security program remains world class as the threat landscape evolves.

As you can see, this undertaking is most certainly a marathon and not a sprint.  World class security organizations are strategic, methodical, and calculated.  Sometimes they progress less quickly in the short term to get where they need to be in the long term.  But one thing they won’t do is run after fads and trends.  Buzz and hype do not a good security program make.

The savvy customer knows which organizations merely brush their teeth before going to the dentist and which practice good security hygiene on a consistent basis. In other words, while sprinting from distraction to distraction may fool some people, it won’t fool nearly enough to justify the risk it introduces into your organization. Slow and steady wins the race.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently Global Solutions Architect - Security at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
