Is Your Security Team Treating Symptoms Rather Than Problems?

Unlike the Common Cold, Security Professionals Have the Ability to Treat the Root Cause of Problems

Catching a virus is something that most of us are quite familiar with, as it is likely something that we deal with a few times per year. What might be less familiar to us is the lesson that a stomach virus or the common cold can teach us about security. Curious what I might be referring to here? Let’s get to it.

As we all know, there is no cure for the common cold. Rather, when we find ourselves battling a virus, we treat the symptoms of the illness rather than the illness itself. We do this largely because we don’t have a lot of other options. For example, if our throat is a bit sore, we might drink hot tea with honey. Or, if we have a headache, we might take some medicine to relieve the pain. What we’re not able to do, however, is cure the actual virus. In the case of the common cold, we have to wait for our body’s immune system to fight it off.

What could this possibly have to do with security you ask? That is certainly a fair question. I believe that the common cold can teach us a valuable lesson relating to our job duties as information security professionals. In security, we have grown accustomed to treating the symptoms of our problems, rather than treating the problems themselves. We’re so comfortable in the current symptom-treating security mantra, that most often, we don’t even realize what we’re actually doing. Most security professionals, in my experience, don’t even think about whether they are treating the symptoms of the issue, or the issue itself.

In the security realm, unlike the common cold, we have the ability to treat the root cause of our problems. So you can imagine my surprise when I almost always see organizations go after the symptoms of those problems, rather than the problems themselves. Of course, I understand the need to respond to issues as they arise on a daily basis. But more often than not, that’s where an organization’s security efforts cease. Where is the effort to understand what led to the issues in the first place and how it can be treated and cured?

Let’s take the malware whack-a-mole game that most organizations play on a daily basis as an example. Day in and day out, I see organizations chasing malware around the enterprise like a giant game of whack-a-mole. What exactly do I expect organizations to do, you ask? To leverage, exploit, and build upon the knowledge gained during the malware chase to identify areas in which the problems themselves can be treated, rather than their symptoms. I don’t expect organizations to cease the malware chase of course, though I would hope that over time, organizations would work towards addressing the core of the issues.

Although not an exhaustive list, here are a few thoughts on that topic:


Examine Vectors: What are the ways in which attackers are compromising endpoints? Are there vulnerable versions of particular pieces of software that are routinely the root cause of infection? Are there particular vectors into the organization that attackers are repeatedly taking advantage of? Are there specific users that routinely get compromised due to certain patterns of behavior?

Implement Controls: Could certain controls be tightened to help reduce the number of compromises or the damage from those compromises? Do certain network segments really need to communicate with each other? Should a user really be allowed to log onto any system in the enterprise with his or her credentials? Do we need remote desktop/remote access across a wide array of systems? Where are the most critical assets with the most sensitive data within the organization, and have we adequately protected them? Do we need to allow everything outbound, or can we limit the ways in which data can leave the organization? Do users really need to access all of the sites they regularly access? Are there certain parts of the Internet that should be considered a no-go as they don’t serve any legitimate business purpose and can only open the organization up to risk?

Close Holes: Are there any holes that can be closed to improve the situation? Are there places within the enterprise that the organization has limited visibility into or control over? Are there particular attack vectors being used that can be protected, modified or eliminated? Are there particular controls that can be improved? Are there procedural or relationship issues that can be remedied to allow for more strategic moves to be made in seeking out the source of problems?
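The “Examine Vectors” questions above are answerable only if the knowledge gained during the malware chase is actually recorded and aggregated. The following is an added example, not code from the column or from its author: it takes a constructed, hypothetical set of incident records (ticket, initial vector, vulnerable software observed, user, host) and ranks the recurring vectors, software and users, then estimates what share of tickets would disappear if the top root causes were fixed. All field names and sample values are assumptions chosen for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Incident:
    """One malware ticket, as a responder might close it out."""
    ticket: str
    vector: str     # how the endpoint was initially compromised
    software: str   # vulnerable application/configuration observed at infection
    user: str       # account that was active at the time
    host: str


# Constructed sample data (hypothetical, not from any real organization).
INCIDENTS: List[Incident] = [
    Incident("INC-001", "phishing-attachment", "office-macro", "alice", "ws-01"),
    Incident("INC-002", "phishing-attachment", "office-macro", "bob", "ws-02"),
    Incident("INC-003", "drive-by", "browser-plugin-old", "carol", "ws-03"),
    Incident("INC-004", "phishing-attachment", "office-macro", "alice", "ws-04"),
    Incident("INC-005", "removable-media", "autorun", "dave", "ws-05"),
    Incident("INC-006", "drive-by", "browser-plugin-old", "alice", "ws-01"),
    Incident("INC-007", "phishing-link", "browser-plugin-old", "erin", "ws-06"),
    Incident("INC-008", "phishing-attachment", "pdf-reader-old", "frank", "ws-07"),
]

Key = Callable[[Incident], str]


def recurring(incidents: Iterable[Incident], key: Key, min_count: int = 2) -> List[Tuple[str, int]]:
    """Values of `key` that appear at least `min_count` times, most frequent first.

    A single occurrence is a symptom to clean up; a repeat is a candidate root cause.
    """
    counts = Counter(key(i) for i in incidents)
    return [(value, n) for value, n in counts.most_common() if n >= min_count]


def root_cause_report(incidents: List[Incident], min_count: int = 2) -> Dict[str, List[Tuple[str, int]]]:
    """Answer the three 'Examine Vectors' questions from the same ticket data."""
    return {
        "vectors": recurring(incidents, lambda i: i.vector, min_count),
        "software": recurring(incidents, lambda i: i.software, min_count),
        "users": recurring(incidents, lambda i: i.user, min_count),
    }


def coverage(incidents: List[Incident], key: Key, top_n: int) -> float:
    """Fraction of tickets attributable to the `top_n` most common values of `key`.

    This is the share of the whack-a-mole workload that removing those root
    causes (patching the software, blocking the vector) would take off the table.
    """
    if not incidents:
        return 0.0
    counts = Counter(key(i) for i in incidents)
    covered = sum(n for _, n in counts.most_common(top_n))
    return covered / len(incidents)


def repeat_user_profile(incidents: List[Incident], min_count: int = 2) -> Dict[str, Counter]:
    """For users compromised `min_count` or more times, which vectors hit them.

    A user who keeps falling to the same vector points at a behaviour pattern or
    a missing control for that user, not at a new problem each time.
    """
    per_user: Dict[str, Counter] = {}
    for inc in incidents:
        per_user.setdefault(inc.user, Counter())[inc.vector] += 1
    return {u: c for u, c in per_user.items() if sum(c.values()) >= min_count}


if __name__ == "__main__":
    for dimension, items in root_cause_report(INCIDENTS).items():
        print(f"{dimension}: {items}")
    print("share removed by fixing top vector:", coverage(INCIDENTS, lambda i: i.vector, 1))
    print("repeat users:", repeat_user_profile(INCIDENTS))
```

On the constructed data the report shows that one vector and two software weaknesses account for most of the tickets, and that one user is compromised repeatedly by two different vectors; that is the kind of output that turns a ticket queue into a short list of controls to tighten.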

As you can see, there is no shortage of work to be done in seeking to identify root cause, rather than chasing malware without pausing to identify what might be causing the compromises. As security professionals, it’s our duty to do so, as it makes a huge impact on the overall security posture of our organization. Of course, I am aware that there will always be new root causes, vectors into the organization, and control shortcomings that will leave us vulnerable to compromise. But that doesn’t mean that we shouldn’t try to cure the “illnesses” that we are getting beat by on a regular basis.

Unless science and medicine make some major advances in the near future, I know that next time I come down with a cold, there will be no way to cure it. But in security, we should never be satisfied with treating the symptoms. Whenever possible, we should strive to cure the actual disease itself.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently a Fraud Solutions Architect - EMEA and APCJ at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.

