Security Experts:

How Letting Go of the Familiar Can Improve Security Maturity

The known provides something very comforting to the human psyche.  On the contrary, the unknown causes discomfort and unsettledness.  Perhaps it is because of this that people love to stay with what is known and familiar, even if it is less optimal.

As an example of this type of behavior, consider mobile phone plans.  Even though most people do not use a tremendously large quantity of minutes, text messages, and data each month, they most often prefer unlimited plans.  Although a plan with limits may meet my needs and be cheaper, it doesn’t provide the comfort and peace of mind that an unlimited plan does.  Why is this the case?  Because with an unlimited plan, my monthly bill is a known that is far less likely to contain surprises.

In the above example, the buyer prefers the familiar, even though letting go of the familiar might allow for a more optimal solution. So what does letting go of the familiar have to do with security and what can we learn from it?  I’d argue quite a bit.

To illustrate this concept, I offer six examples of how letting go of the familiar can help us improve our security maturity.

1. Vendor Risk Management (VRM): Vendor Risk Management, sometimes referred to as Supply Chain Risk Management, is a hot topic in 2018.  What I find particularly fascinating is just how long this important security function has remained an entirely manual process.  Many organizations are moving towards automating their Vendor Risk Management function, but far too many still have no such plans.  Perhaps these organizations are unaware of the different automated VRM platforms out there.  Or, perhaps they do not have the resources to automate VRM in the near future.  Or, perhaps they have other very legitimate concerns or limitations.  However, I have encountered a number of organizations who seem to be bound by nothing more than being reluctant to let go of the familiar.  In the case of VRM, that comes at the price of decreased efficiency and increased risk.

2. Alert Cannon: Even the best, most well-trained, and largest security teams can realistically only handle a few hundred alerts on a daily basis.  Anything beyond that just adds to the noise, reduces the signal-to-noise ratio, and buries important alerts in a sea of false positives.  All of this combines to increase the risk that an intrusion or other important security event will fly under the radar.  So, I’m sure you can imagine my surprise that so many organizations continue to suffer from alert fatigue and death by false positives.  There are ways to take control of the security organization’s work queue, increase the signal-to-noise ratio, and reduce false positives.  So why don’t more organizations do so?  Because it requires breaking with what’s familiar and embracing a new way to work.

3. Silos: Silos are comfortable and familiar.  Everything has its place within the security organization and the enterprise as a whole.  Everybody knows what their job is.  Unfortunately, this approach often results in missed opportunities to improve security maturity.  For example, consider the advantage gained by intersecting the risk register, asset databases, and vulnerability scan data.  This intersection enables organizations to better understand how different vulnerabilities affect their overall risk level and security posture.  Yet how many organizations never consider implementing this and other “silo smashing” moves?  Unfortunately, far too many, and it comes with a hefty price tag.
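The intersection described above, as an added example that is not part of the original article: a join of an asset inventory, a risk register and a vulnerability scan export. All three data sets, the field names and the scoring formula are constructed assumptions.

```python
"""Rank scan findings by business risk by joining three data sets.

Added example, not from the original article. The asset inventory, risk
register and scan findings below are constructed; field names and the
scoring formula are assumptions, not any vendor's.
"""

# Asset inventory: host -> the business service it supports and its exposure.
ASSETS = {
    "web-01":  {"service": "customer-portal", "exposure": "internet"},
    "db-01":   {"service": "customer-portal", "exposure": "internal"},
    "wiki-01": {"service": "intranet-wiki",   "exposure": "internal"},
}

# Risk register: business service -> impact rating on a 1..5 scale.
RISK_REGISTER = {"customer-portal": 5, "intranet-wiki": 2}

# Vulnerability scan export: (host, finding id, CVSS base score).
SCAN_FINDINGS = [
    ("web-01",  "appserver-rce",   9.8),
    ("db-01",   "appserver-rce",   9.8),
    ("wiki-01", "appserver-rce",   9.8),
    ("web-01",  "tls-weak-cipher", 5.3),
    ("lab-77",  "appserver-rce",   9.8),   # host missing from the inventory
]

EXPOSURE_WEIGHT = {"internet": 1.5, "internal": 1.0}

def risk_weighted_findings(assets, register, findings):
    """Score each finding as CVSS x business impact x exposure weight.

    Findings on hosts absent from the inventory keep their raw CVSS and are
    flagged, so the gap in the asset data becomes visible instead of the
    finding being silently dropped.
    """
    scored = []
    for host, finding_id, cvss in findings:
        asset = assets.get(host)
        if asset is None:
            scored.append({"host": host, "finding": finding_id, "service": None,
                           "score": cvss, "note": "host not in asset inventory"})
            continue
        impact = register.get(asset["service"], 1)  # unregistered service: lowest impact
        weight = EXPOSURE_WEIGHT.get(asset["exposure"], 1.0)
        scored.append({"host": host, "finding": finding_id, "service": asset["service"],
                       "score": round(cvss * impact * weight, 1), "note": ""})
    # Same CVSS, very different business risk: that is the point of the join.
    return sorted(scored, key=lambda f: f["score"], reverse=True)

if __name__ == "__main__":
    for f in risk_weighted_findings(ASSETS, RISK_REGISTER, SCAN_FINDINGS):
        print(f"{f['score']:6.1f}  {f['host']:8}  {f['finding']:16} {f['note']}")
```

The three identical 9.8 findings land in three different places once impact and exposure are joined in, and the unknown host surfaces as an inventory gap rather than disappearing.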

4. Data Relevance: The number of different data sources that the typical security organization collects can be headache-inducing.  What I’ve always found interesting, however, is how few of these data sources are actually relevant to security operations and incident response.  So why do most organizations collect nearly every data source they can get their hands on?  In some cases, compliance may necessitate collecting some of them, even if they have little to no value to security.  But in many cases, it’s just because collecting all of those different data sources is the familiar thing to do.  Why not collect fewer data sources of higher relevance and with higher context in order to simplify, focus, and introduce efficiencies into the security workflow?  Letting go of the familiar when it comes to data sources can pay huge dividends.

5. Intelligence: I’ve been around the security profession long enough to know that people seem to make a hobby out of collecting intelligence feeds.  Do all those feeds really help you detect, analyze, and respond to intrusions and other security events?  In my experience, it is highly doubtful.  As is to be expected, different intelligence feeds provide different value to different organizations, depending on their priorities and the risks and threats they’re looking to mitigate.  But how many organizations try to calculate metrics to understand the value they get from each intelligence feed?  Unfortunately, far too few.  An organization can always stay with the familiar and continue to consume intelligence feeds that may or may not bring them value.  Or, they can try to understand which feeds result in reliable true positives and aid in detection versus which feeds result in a deluge of false positives and hurt detection.
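One way to calculate the per-feed metrics the paragraph asks for, as an added example that is not part of the original article: analyst dispositions are rolled up per feed into precision and a count of true positives no other feed caught. The alert records, feed names and thresholds are constructed.

```python
"""Score threat-intelligence feeds by the outcomes of the alerts they produce.

Added example, not part of the original article. Alert records, feed names
and thresholds are constructed for illustration.
"""
from collections import defaultdict

# Constructed analyst dispositions: (feeds whose indicator matched, verdict).
# One alert can be matched by several feeds; the verdict is the analyst's call.
ALERTS = [
    (("feed-a", "feed-c"), "tp"), (("feed-a", "feed-c"), "tp"),
    (("feed-a",), "tp"),          (("feed-a", "feed-c"), "tp"),
    (("feed-a",), "fp"),          (("feed-a", "feed-c"), "tp"),
    (("feed-a", "feed-c"), "fp"),
    (("feed-b",), "fp"), (("feed-b",), "fp"), (("feed-b",), "fp"),
    (("feed-b",), "fp"), (("feed-b",), "tp"), (("feed-b",), "open"),
    (("feed-d",), "tp"),
]

MIN_REVIEWED = 5     # assumed: fewer closed alerts than this is not a sample
RETIRE_BELOW = 0.3   # assumed: precision floor before a feed is cut

def feed_metrics(alerts, min_reviewed=MIN_REVIEWED, retire_below=RETIRE_BELOW):
    """Return per-feed counts, precision and a keep/retire/redundant decision."""
    stats = defaultdict(lambda: {"alerts": 0, "tp": 0, "fp": 0, "open": 0, "unique_tp": 0})
    for feeds, verdict in alerts:
        for feed in feeds:
            s = stats[feed]
            s["alerts"] += 1
            if verdict == "tp":
                s["tp"] += 1
                # A true positive no other feed caught is the feed's real contribution.
                s["unique_tp"] += int(len(feeds) == 1)
            elif verdict == "fp":
                s["fp"] += 1
            else:
                s["open"] += 1   # still under review; excluded from precision
    for s in stats.values():
        reviewed = s["tp"] + s["fp"]
        s["precision"] = round(s["tp"] / reviewed, 3) if reviewed else None
        if reviewed < min_reviewed:
            s["decision"] = "insufficient data"
        elif s["precision"] < retire_below:
            s["decision"] = "retire"          # mostly noise: hurts detection
        elif s["unique_tp"] == 0:
            s["decision"] = "redundant"       # accurate, but adds nothing unique
        else:
            s["decision"] = "keep"
    return dict(stats)

if __name__ == "__main__":
    for feed, s in sorted(feed_metrics(ALERTS).items()):
        print(f"{feed}: {s}")
```

With the sample data, feed-c has better precision than feed-a yet is marked redundant, because every true positive it produced was also caught by feed-a; a precision number alone would have missed that.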

6. There is no number six. Embrace the unknown.

Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently Co-Founder and Chief Product Officer at IDRRA and also serves as Security Advisor to ExtraHop. Prior to joining IDRRA, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.