Part 1: The Secret to Winning IT Security Roulette
SaltStack sponsored this post.
When it comes to cybersecurity, it can often feel like you're playing roulette. It can also take on the feel of a long night in the casino: the longer you stay, the more likely it is that you're going home a loser. IT security works much the same way. Sure, your company may be okay for a while, but deep down you know it's only a matter of time before you get hacked.
What Should We Demand from the Security Industry?
When we look at this industry today, the number of attacks and breaches is rising continually. We see them nearly every day in the news, varying in size and scope. When I asked our customers, many of them said that what they really need is a window of assurance: a window of time in which a Chief Information Security Officer (CISO) can feel comfortable knowing that if a vulnerability is disclosed, the infrastructure is going to be secured. Then, in hushed tones, they also say that they want that window to be around 72 hours; they say it in hushed tones because they know it sounds ridiculous. So why aren't we demanding this of the cybersecurity industry, and why isn't the industry delivering it?
Generally, when I look at history, politics, etc., the circumstances around events are far more complicated than any one answer can capture. Just ask a historian why the Roman Empire fell. People have been trying to explain that for thousands of years, and when they do, things get very complicated, very quickly! In our industry, it's extremely rare that we find a definitive smoking gun. Well, how's this for a smoking gun? 99% of infrastructure exploits occur where the security issue is already known to the organization. That's astonishing.
Where does this problem come from? Where does the widening security gap in our infrastructure originate? Over the last 15 years, both our ability to deploy applications and our need to deploy them have skyrocketed. Where organizations once had a team of five deploying five applications, they now have a team of five deploying 50 applications. We can simply deploy applications a lot faster than we used to, which means our infrastructure gets bigger, more diverse and spread over multiple environments. We're well beyond the point where traditional firewalls are sufficient, and now we have a growing gap between our ability to deliver security to infrastructure and our ability to deploy applications.
Defining the Security Tech Pyramid
Let's take a step back and walk through what the security industry looks like today and where we're putting our money and our energy. First, we put a lot of money into defining the policies we want to enforce. We start by deciding that, yes, we as an organization want to have our own security policy.
Maybe it's based on CIS or STIG, then we sprinkle a little NIST in there, and next we set up scanners and auditors throughout our infrastructure.
It costs money, it takes time, and it means buying a lot of products, all of which have to be properly deployed and managed. Once the policies are defined and the scanners are set up, the first thing people often discover is that their infrastructure looks really terrible. In no time at all, everybody has more security alerts than they know how to deal with, by multiple orders of magnitude. When this happens, teams go out and scan, then try to prioritize which issues actually matter, but there are so many vulnerabilities that it's downright terrifying. These alerts come in many different categories: compliance over here, insider threats over there, vulnerabilities that way, network issues this way, and before you know it, people are buried in information.
We then take this mass of information and comb through it, spending a lot more money to analyze it and make sense of it.
Once we've spent that money, once we've built this fantastic system with incredible levels of visibility into the security of our infrastructure, we arrive at the crowning piece, the elegant conclusion everyone reaches about how they're going to solve this problem: they open an IT helpdesk ticket. However, the question still remains: how can the systems actually be fixed and made secure? There are a lot of good reasons why the security team is kept from remediating security issues directly. It's primarily because operations is terrified that if they let security in, they'll ruin everything and take the infrastructure down.
That fear is not completely unjustified. I hear cases all the time where operations says "yes, we'll enforce these policies," and something terrible happens. Software gets updated, applications die, and the operations people come back and say "now I'm to blame because you're trying to enforce ridiculous policies!" The irony is that operations people today are far more security-conscious than they were even a few years ago. That said, the problem still exists. A security analyst does not understand the nuances of how an application actually runs inside an infrastructure. It's not their job. They shouldn't be expected to understand, but that's also a huge chunk of the problem.
But Wait, There’s More
In Part 2 of this article series, I'll talk about how we can better understand the differences between security and IT people and respect each group's responsibilities. If you look through their eyes, each group plays IT Security Roulette daily. After all, nobody knows when they're going to be breached, and when the breach happens, who is going to take the blame?
I'll also talk about the concept of SecOps and about redefining Threat Intelligence to identify threats in a different way.
Feature image from Pixabay.