Security Experts:

WANTED: Actionable Information, Practical Advice

After High Profile Cyber Incidents, Actionable Information is Often Buried in an Avalanche of Hype, Buzz, and Misinformation

Sometimes, usually after a high profile event in the security world, I can’t help but think of the famous Bonnie Raitt song, “Something to Talk About”. The response to the recent “Meltdown” and “Spectre” bugs was not atypical in the sense that it also caused me to think about this song.  Unfortunately, whether or not you like the song, I’m not sure that is something that we as a community should take pride in.

As is typical after a high profile security event, pundits, experts, and thought leaders showed up everywhere.  Television.  Print media.  Twitter.  LinkedIn.  You name it.

I watched a few interviews and read a few articles that were making the rounds.  I saw a lot of people trying to grab attention for their particular company or agenda.  There was a lot of shouting over the next person.  There was plenty of spin as well.  At one point, I nearly spit out my coffee when I saw one person tweet that “The internet is on fire again”.  Seriously?

Actionable Advice

You know what I saw too little of?  Actionable information on the topic. Practical advice that organizations and individuals could take and implement to reduce their risk.  That’s what security is supposed to be all about, isn’t it?

There were a few bright spots of course. I did see several people on Twitter who provided new insights and added to the discussion, rather than regurgitating the same talking points over and over again.  There were a small number of media publications that summarized, consolidated, and organized a tremendous amount of valuable information into a small number of articles so that security practitioners could take action on it. There were even a few people who succeeded in explaining the issue in a manner that could be understood by those who were not technical experts themselves.

So what’s the problem you ask?  That actionable information was buried in an avalanche of hype, buzz, and in some cases, misinformation.  How is the security practitioner supposed to find the time to sort through that mess to find what he or she needs in order to safeguard his or her organization?  And beyond the security practitioner, how are IT professionals and non-technical professionals supposed to find out what they need to know?  Don’t forget - in all but the largest organizations, having a dedicated security team is a luxury.  In the rest of organizations, the burden of security is another job duty that falls upon the already weary and over-tasked.

In thinking back over the drama that became of the Meltdown/Spectre event, I think that we as a security community can learn a lot from my plumber.  Recently, I had a plumbing issue that was beyond my ability to repair myself.  So, I called in a professional.  My plumber is great, but it’s more than just his plumbing expertise that makes him wonderful.  At the end of his analysis of the situation, he was able to provide me an executive summary of the issue in language I could easily understand.  And even better than that - he told me he could fix the issue in 10 minutes, with the parts already on his truck, for a reasonable amount of money.

And therein lies the rub.  At the end of the day, as someone who had a plumbing issue, I wanted it fixed.  Sure, I want to know what caused the issue and what work needed to be done to rectify the situation.  But in the end, I was looking for a solution - not an endless stream of fear, uncertainty, and doubt.

There is a lesson here that gets lost all too often in security.  We spend so much time trying to show off how much we know about all kinds of details (whether we really understand those details or are merely regurgitating the work of others is the subject of a whole other article), that we forget an important lesson.  

The security practitioner, whether he or she is part of a security team or has security as an added duty, needs answers.  Not 10,000 retweets of the same panic-inducing meme, not condescending cynicism about how everyone is so stupid and doesn’t understand security, and not endless debate around academic principles that seldom have any practical application. Answers. Simply answers.

When a high profile event like Meltdown/Spectre comes around, businesses of all sizes, small, medium, and large, need actionable information that they can use to mitigate their risk and get back to worrying about their core business.  You know, that core business that brings in the money they use to pay their employees and keep their customers happy.

Think about that the next time you think it would be cool to tweet, write, or say something that serves only your agenda or to promote your company.  

As I’ve written about previously, latching on to a high profile event won’t net you any long term monetary benefit.  All it really does is add to the noise and confusion that serve as obstacles to practitioners trying desperately to do their jobs.

We have become an industry of hot air. Unfortunately, that is what people see when they look at us from the outside, and I’m pretty sure we deserve it. The news isn’t all bad, of course.  There are bright spots and exceptions nearly everywhere you look. Maybe one day, those exceptions will become the rule. Then we can really start to make real progress.

Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently Co-Founder and Chief Product Officer at IDRRA and also serves as Security Advisor to ExtraHop. Prior to joining IDRRA, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.