Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Security is Not a Commodity – Breaking Out of Security Paralysis

IT Security

Organizations Need to Ensure That They Don’t Just Buy Security Products, but Actually Empower the Security Organization…

IT Security

Organizations Need to Ensure That They Don’t Just Buy Security Products, but Actually Empower the Security Organization…

Security is in the midst of a renaissance in most organizations. High profile breaches and lost intellectual property have made cybersecurity top of mind from the boardroom to the practitioner, and everywhere in between. However there is a very big difference between talking about security and actually becoming more secure. In fact, there is an unsettling tendency for organizations to invest considerable time and money in security solutions that don’t take action at the critical moment of an attack. For instance, a recent post-mortem of the Target breach showed that the security team had advanced tools that identified the malware used to steal credit card data, but the information and alerts were not acted upon.

This is not something unique to Target. The yearly Verizon Data Breach Investigations Report has consistently shown that while 92% of breaches were discovered by outside 3rd parties, 85% of the victim networks had evidence of the breach in their logs. In all of these cases, the victims obviously had some level of security in place, yet ultimately failed to protect the organization. As enterprises become increasingly focused on security, it’s important to take an honest look not just at what security measures are in place, but how they are really used. How deterministic is a particular security solution? Can it take proactive action, or does it require further analysis from staff? Do security teams have the manpower and expertise needed to respond in a timely manner? Is the team empowered to take action and block potential threats? Without a firm answer to questions like these, organizations can easily waste money acquiring products that don’t get used in the way management expected. Let’s take a closer look at some of the more common pitfalls.

I’ll Take One Pound of Security Please

The simple truth is that security is not a commodity. Buying and deploying a security product does not instantly translate to security in most cases. In fact, the vast majority of security solutions require a commensurate level of human attention and expertise in order to derive real value. Staff must be trained, logs analyzed, signatures updated, policies rebalanced, and anomalies investigated – often on a daily basis. If organizations go on a spending spree, buying security products when their security staff is already overwhelmed, they are highly unlikely to get the results they expected.

This is particularly true as attacks become more advanced and subtle. Were the anomalies seen in the network an APT that needs immediate response or an just overly aggressive piece of adware? The answer often requires a security admin who both understands modern malware and has experience with the system that generated the alert. After a decade of belt-tightening and “doing more with less”, many security teams are understaffed to begin with. As a result, it’s important to remember that investment in talent in just as important as investment in technology.

The Fear of False-Positives

False positives are one of the most debilitating issues in enterprise security, yet one that gets virtually no coverage. A “false positive” refers to a case where a security product inspects a benign piece of content and incorrectly classifies it as malicious. Even low false positive rates can have an unexpectedly large impact to real-world operations as illustrated in this analysis. A security product that cries wolf is obviously a bad thing, but a security product that incorrectly blocks good content can be disastrous. Automatically blocking good content can break applications, lock out end-users, and generally wreak havoc on company operations.

Advertisement. Scroll to continue reading.

The dirty little secret is that security admins are just as likely to get fired for blocking something they shouldn’t as they are for letting an attack succeed. Making matters worse, industry testing houses almost exclusively judge security vendors based on their catch rate and ignore false positives. This is a major disconnect between how security products are publicly judged and how organizations actually use them. If you can’t trust what a security product tells you, then odds are you are very unlikely to let that product block threats automatically.

When evaluating security products, management needs to understand (as much as possible) how deterministic a particular technology can be. How much human interaction is realistically required before action is taken? What are the rates of false positives? How are false positives addressed by the vendor? Without solid answers to questions like these, the security admin is forced to take all the risk associated with pulling the trigger, and that in itself is a recipe for paralysis or inaction.

Ultimately, organizations need to ensure that they don’t just buy security products, but actually empower the security organization. This includes delivering the right technology, appropriate staffing, ongoing training, and the political support needed to take action. Needless to say that is often easier said than done, but it is almost assuredly better than living with a false sense of security.

Related Reading: When Technology Isn’t Enough – Elevating the Human Element in Preventing Data Breaches

Related ReadingThe Next Big Thing for Network Security: Automation and Orchestration

Related ReadingMaking Systems More Independent from the Human Factor

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...