Defense in depth: Security Strategy or Security Blanket

There is an interesting phenomenon in the sports world surrounding fans and trades. It goes something like this…

Giants Fan 1, “Man, that Albert Pujols is really something else. I sure would like to have him on our team.”

Giants Fan 2, “We should offer the Cardinals three of our mediocre players for him.”

Giants Fan 1, “That’ll never work, they won’t give him up for three mediocre players.”

Giants Fan 2, “Okay, we’ll give them 5 of them… heck give them 7 mediocre players!”

Giants Fan 1, “Yeah… this is starting to sound real good.” *

The fallacy is that if you add up enough average players, they are worth a superstar. Or, as I’ve heard it explained before, make a tall enough stack of trash and it just might work. The problem is that no amount of mediocre talent adds up to Albert Pujols’ value. He is simply worth too much to be replaced by a commodity. The same is true of any exceptional talent.

So, what does this have to do with information security? This seems to be the same strategy many organizations use when it comes to implementing defense in depth. They focus on making the tallest pile of security measures. But when it comes down to it, a mile’s worth of depth isn’t worth one truly effective measure.

We have all heard that a defense in depth is required for an effective security program. But in many ways defense in depth has become a security blanket for companies, rather than a security strategy. The number of different technologies may give a nice sense of security, but provides negligible added value.

This means that organizations racing around trying to purchase and implement the latest and greatest should stop. Take a hard look at the systems you already have in place, and figure out what you’re getting from them. Real risk mitigation is not about having all the greatest countermeasures; it’s about making sure that the countermeasures you have in place can do the job.

This is good news for just about everyone involved (though, not so much for the VARs and technology manufacturers who will be losing the sales). The company can save money by not buying every solution out there. By focusing on the highest impact defenses first, and thoroughly, they can spend less on new technologies while getting more results.

The technical employees win because they are able to invest more time getting to better understand and master the technologies they have in place. There is a ton of value in being the master of a few technologies, rather than familiar with many.

For those companies who see themselves stuck in this situation, think of this as a money saving opportunity. Look at your security stack, and do some real analysis on the technologies you have deployed. Are they really providing the security they promised? Are there significant features and functions you haven’t even turned on yet because you haven’t had the time or staff? Take the time to answer these questions truthfully and candidly. Your answers should lead you to optimize or drop those which aren’t currently supplying significant value.

After you have maximized the impact of each of your technologies, it very well may make sense to add more depth. That new web application scanning tool or DLP technology absolutely can make your organization safer. But by putting off its implementation until the rest of your tools are properly configured, you not only save money, you make your organization more secure.

* The 2010 Giants won the World Series.

2011 Information Security Resolutions

Think it’s too late for a New Year’s post? You must not have heard that January 12th is the new January 1st.

I’ve never been one for making New Year’s Resolutions. However, a quick search of the web finds that a lot of folks are. An awful lot of people are looking to lose weight, quit smoking, or get a new job this year. This got me thinking: what are my InfoSec resolutions for 2011? It sounds like the perfect topic for a Five Things article.

  1. Don’t be satisfied with doing things ‘the way we’ve always done them.’ This is a problem not just for security folks, but in all areas of business. Change is how great things happen. As we continually seek to do more with fewer resources, finding inefficiencies in our processes and systems will become more important. In 2011, I don’t ever want to shoot down an idea simply because it’s not the way we’ve done things before.
  2. Strive for security, not settling for checking boxes. I’ve written about this many times in the past, but the tension between security and compliance is as real as ever. Compliance is required, of course, but it’s not enough. I will continue to strive to use my compliance initiatives to drive in real change, and real security, rather than settling for meeting my regulatory or audit requirement.
  3. Expand my knowledge into new technologies. The information security field is blessed with a great group of vendors and developers who continue to create better tools and systems. These companies continually push security technology forward, giving us new tools for protecting and detecting in our environments. In 2011 I will continue to learn more about these technologies and how I can better take advantage of them in my organization.
  4. Better align the security initiatives I work on with the business objectives of the company. Security does not exist in a vacuum. We are employed for the express purpose of helping our organization meet its objectives. If we accept that as true, shouldn’t we also accept that in order to do our jobs properly we need to understand the company’s objective? In 2011 I want to work harder to figure out where the business is going, and how I help it get there.
  5. Learn from (and network with) the InfoSec practitioners around me. Both in person at ISSA and ISACA meetings and security conferences, and online through Twitter, LinkedIn, the blogosphere and Infosec Island. There are so many brilliant people out there doing original thinking or perfecting the practice of information security. In 2011 I’m going to work hard to learn from these people.

Happy New Year!

False Positives: The Best Way to Kill a Good Initiative

Or; When Security Departments Cry Wolf

Remember Aesop’s fable “The Boy Who Cried Wolf”? Not only is it a pretty good story, filled with conflict, danger, lying and comeuppance, it has served as a precautionary tale to several generations. Little kids around the world have learned that if you lie, people are going to stop believing you.

This fable speaks directly into our jobs as security practitioners. The more we raise alerts about issues that either don’t exist, or aren’t worth the attention we give them, the less interested people are in hearing what we have to say. If we do it too much, eventually when we scream that the wolf is at the door, we will be ignored, and see our data get eaten up.

This reality can be experienced in a number of ways.

1. The way we present security assessment findings. The most important thing we can do to ensure our words are taken seriously is to be realistic about the threats we report. Not every threat is a severity 1, and they don’t all need to be remediated immediately. Consider the likelihood and impact of a threat in your environment, and suggest remediation accordingly. When you do find that big bad issue, your warning will be taken much more seriously if they’ve seen you downplay the significance of other vulnerabilities in the past.

2. How we react to the news of new zero-day attacks we learn about from the media. Reports of breaches, zero-day viruses and cyber war make for compelling news. And your CEO may see one of these stories and start thinking about information security for the first time in months. This can lead to urgent conversations and directives to immediately make sure that “we are safe from this kind of thing.” In effect, the news media is doing the “crying wolf,” but InfoSec professionals are the ones who deal with the fallout.

In these cases, we must make a careful, measured response to these questions. We cannot let the current paranoia around Wikileaks and Stuxnet force our hand into security decisions that don’t make sense for the organization. Use these opportunities as a chance to explain how we determined which defenses to put in place, and how these newsworthy events tie into our security strategies. If we handle these situations wisely, these sensational security events can be good advertising for us, a chance to showcase our methodologies and systems.

3. The noise coming from our security systems. IDS/IPS, DLP and SIEM systems are all known for their high rates of false positives if they are not properly tuned for the environment. Those false positives can sap away the power those systems have. If our technical staff continuously receive email alerts from the IPS and, upon researching them, find that they are everyday traffic that requires no action, those emails are going to start being ignored. So when the hacker really is attempting to infiltrate the network, their actions will be ignored too.

Every security system we implement should go through thorough false positive tuning before it’s placed into a production environment. IDS/IPS, DLP and SIEM are all known for producing a lot of noise that is likely to turn off their users if the noise isn’t turned off itself. By doing the tuning work on the front end, we ensure a smoother experience for the end users, and increase our odds of having a highly successful implementation.
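As an added illustration, not part of the original post, the tuning step described above can be made measurable: review a batch of alerts, rank signatures by their false-positive share, and then suppress each noisy signature only for the sources known to trigger it legitimately, so the same rule still fires for anyone else. All alert records, signature names and addresses below are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of IPS alerts after analyst review; "fp" is True where the
# analyst closed the alert as everyday traffic needing no action. Not real data.
REVIEWED = [
    {"sig": "Port scan detected", "src": "10.1.5.20", "fp": True},
    {"sig": "Port scan detected", "src": "10.1.5.21", "fp": True},
    {"sig": "Port scan detected", "src": "10.1.5.22", "fp": True},
    {"sig": "Port scan detected", "src": "203.0.113.9", "fp": False},
    {"sig": "SNMP default community", "src": "10.1.7.3", "fp": True},
    {"sig": "SNMP default community", "src": "10.1.7.3", "fp": True},
    {"sig": "SQL injection attempt", "src": "198.51.100.4", "fp": False},
]

def fp_ratio_by_signature(alerts):
    """Share of reviewed alerts per signature that were false positives;
    the signatures with the highest share are the first tuning candidates."""
    tally = defaultdict(lambda: [0, 0])
    for a in alerts:
        tally[a["sig"]][0] += int(a["fp"])
        tally[a["sig"]][1] += 1
    return {sig: fp / total for sig, (fp, total) in tally.items()}

# Tuning rules derived from the review: the scan signature is suppressed for the
# (constructed) vulnerability-scanner subnet and the SNMP one for the monitoring
# host only. An outside address hitting the same signatures still escalates.
SUPPRESSIONS = [
    ("Port scan detected", ipaddress.ip_network("10.1.5.0/24")),
    ("SNMP default community", ipaddress.ip_network("10.1.7.3/32")),
]

def is_suppressed(alert, rules=SUPPRESSIONS):
    src = ipaddress.ip_address(alert["src"])
    return any(alert["sig"] == sig and src in net for sig, net in rules)

def triage(alerts, rules=SUPPRESSIONS):
    """Split an alert stream into what reaches an analyst and what is tuned out."""
    escalate = [a for a in alerts if not is_suppressed(a, rules)]
    suppressed = [a for a in alerts if is_suppressed(a, rules)]
    return escalate, suppressed

if __name__ == "__main__":
    ranked = sorted(fp_ratio_by_signature(REVIEWED).items(), key=lambda kv: -kv[1])
    for sig, share in ranked:
        print(f"{sig:25s} false-positive share {share:.0%}")
    keep, dropped = triage(REVIEWED)
    print(f"{len(dropped)} of {len(REVIEWED)} alerts tuned out; {len(keep)} escalated")
```

Re-run the ratio step on the next batch of reviewed alerts after tuning; a signature whose share stays high is one whose rule needs rework rather than another suppression.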

While these situations are distinct and disparate they can be addressed by the same solution. Figure out what matters to you, AND what does not matter to you. Successful information security programs don’t try to mitigate every risk, they investigate their risks and then sort them into groups based on which they will deal with now, later or never. It’s just as important to know which items we will never deal with as to know which we are dealing with, so when those unimportant issues pop up we can quickly squelch them, and reduce unnecessary noise, be that an audit finding, IDS alert, or a virus scare reported by the media. By keeping quiet about the things that are not an issue we can expect that when we do need to scream wolf, our voice will be fresh and loud, and the business will come running to help.
