Reflecting on my recent pilgrimage to RSA Conference, and on conversations with CISO and vendor peers and friends, I come to two overarching conclusions: (1) hot themes emerge that cluster all solutions, as well as VC investments in these, together in what appears to be 'the CISO's new priority area', while (2) further adding complexity, and thus cost and friction for the business, in maintaining, operating, integrating and attempting to fully benefit from the newly introduced technologies.
When I was a CISO, vendors would often approach me with their solutions to what they thought – and in some cases even 'prescribed' – was my most significant challenge du jour. Invariably in most of these cases, the assessment was far off the mark and, if followed, would have required kicking off a multitude of conflicting longer-running programs competing for scarce resources that, once operational, would go on to permanently require said scarce resources. My most pressing problems were mostly political in nature or related to budget, gaining business buy-in, reducing technical debt and so on – relating more to the why than the how. The realization of the many blind spots we suffer from in InfoSec stems from the cases where they did pertain to how to achieve something.
The Right X
When one starts looking at the types of problems we solve as an industry and especially the way in which these are solved, one quickly comes to the realization that we do not solve for the right x.
Much like the video and gaming industries, investments need to be recouped ideally in the shortest amount of time, with the least risk. This leads to a lot of movies or even games feeling or being similar to others because sequels and remakes receive the most funding readily. As I waded through the sea of noise at the RSAC, I could not help but feel I’d seen this movie all too many times. Significant challenges that would require very innovative approaches are still seemingly left unattended.
Starting from Scratch
This is in part because too few people in the industry have a deep technical understanding of all problem areas, and because clients are too accepting of serial construction being required. As a rhetorical question, how many organizations do you know that set up or matured a SOC? They all went through a technology selection, fine-tuning of use cases based on relevant data sources, tuning of the data sources and auditing and logging policies, and so on and so forth. To me it just appears we all want or need to drive our InfoSec car, but have to assemble it based on frameworks, recommendations, available kits and parts. No one seems to complain they can't just hop into the InfoSec car, enter their destination, and drive off. A more extreme example would be that, to have our meetings, we are selecting the best areas to source wood from, hiring woodcutters, forging partnerships with logistics companies to transport our wood, building plans of our tables, chairs and whatnot, until we, finally and often months later, have our meeting room ready for the meetings.
Perhaps we are collectively suffering from “what we do ourselves, we do best” syndrome.
Take protecting confidential or sensitive data as an example of a broken area. We have all come to adopt complex processes, staff training and tooling (such as DLP) to classify and protect our data within our own organizations. When this data gets shared for valid business reasons with third parties such as partners, vendors and contingent workers, the controls are typically lost, and until quite recently we all seemed relatively fine with this.
Another example would be change management as it pertains to software updates – the actions of applications and systems administrators would be heavily scrutinized, but when Vendor X who supports a critical business process rolls out a new application update, the resulting binaries or in some cases entire black box virtual machines, get rolled into production networks virtually unquestioned. Rare are the organizations that will perform in-depth security assessments on these, including fuzzing, concolic execution or even full-blown reverse engineering, to find unintended security risks as well as intended ones. It’s possible to push this example out to whichever boundary and for it still to be valid – who vets their firmware? Of all their types of devices? Even if you did, what assurances would you have that your partners and vendors do? That your cloud providers do?
Rethinking Our Approach
Vulnerability and patch management and the related penetration testing are other areas where the approach shows its age and no longer matches the scale of the problem.
There are essentially 3 outcomes to any penetration test:
- You suck at hardening / have no or poor governance;
- You suck at patching / have no or poor governance;
- You suck at writing secure code (incl. business logic errors).
Then ideally this gets shared with a business/application owner to be actioned and the cycle repeats endlessly.
The organizations I have been a part of that managed to reduce the costs and have this under control the most were the ones that managed to instill strong technical standard building blocks, define and operate rigorous processes around these domains and adopt (hyper)automation – so they could move on to solving other problems. They (mostly) solved problems 1 and 2, so their efforts could be focused on problem 3.
There are plenty of organizations out there that in fact do tackle new blind spots: by creating SBoMs (which can be used as a limited proxy to reverse engineering to allow spot checks on source code as well as closed source binaries), including xIOT firmware, and by mapping and bringing to attention all the relevant attack paths that can lead to risks materializing. This will help organizations strengthen governance around some of these domains.
But maybe it’s time to collectively rethink our approach to some problems and to assess the efficacy and effectiveness of our solutions.
If you are, say, a bank and 5 other banks have already solved the problem previously, is there any value left for you to go on and solve it slightly differently again – especially if none of the information regarding the approach enters the public domain?
There is a lot of scope for ‘super vendors’ to change the approach and grab a dominant market share. I can’t wait for this next phase of maturity to hit our industry.