I remember the days when network security meant firewalls, anti-virus software and strong passwords. That was the proven formula for keeping the bad guys at bay. We have since evolved to more advanced technologies in the cloud, at the network perimeter and at the endpoints. And, with the amount of data being generated and managed, there’s certainly a lot more to lose.
A lot of time, effort and money are being spent, and it looks like things are getting done in terms of security and minimizing business risks, but that’s not always the case. Executive management sees IT and security staff implementing and managing various security controls, so it’s assumed that all is well. Even technical staff themselves are convinced that security is improved simply because the latest and greatest technologies are being used. That’s simply not true.
Creating a False Sense of Security
Based on what I’m seeing in my work, the reality is that security technologies deployed to mitigate risks fall short more often than not. It’s not that these technologies are incapable of addressing the risks they’re designed to handle; the vendors have done a tremendous job getting these controls to where they are today. Instead, the problem is a human one, namely people making hurried decisions to address business risk and rushing things through. They invest in a new security control, put it in place and then hope it works. It usually doesn’t — at least not at the level originally intended. For example:
- Identity and access management, single sign-on and multifactor tools are rolled out, but they don’t effectively govern authentication and access controls across the board, among all systems and accounts that are pertinent to the business. Risks still exist.
- Web application firewalls (WAFs) are put in place but don’t provide full coverage. Or, there’s an assumption that application vulnerabilities can go undetected and unresolved because the WAF will be there to protect things. Risks still exist.
- Mobile device management (MDM) or unified endpoint management (UEM) systems are deployed, but snags arise during rollout, or politics get involved and certain groups of employees, often executive management, are exempted from such controls. Risks still exist.
The same can be said for IPS, data backup systems, endpoint detection and response (EDR), cloud access security broker (CASB) — you name it. Just because the security product is there doesn’t mean it’s doing what it could or should. I recently tested a large internal network for a client and their managed SIEM vendor failed to detect any of my network reconnaissance, scanning and vulnerability exploitation. My client questioned why they were paying thousands of dollars a month for such a service, and I don’t blame them.
The challenge is that many security technologies are put in place to address an immediate need, often to check a compliance or audit-related box. However, the security solution is under-implemented over the long term. In most cases I have seen, technologies are procured and implemented without ever performing an actual risk assessment to determine whether they’re actually needed or how they should be deployed in order to truly help. Once put in place, there’s often no ongoing oversight or measure of effectiveness. No metrics, just a lot of busywork that can end up being more of a distraction than anything else.
Another thing that many people overlook is that when you put a new security technology in place, additional work hours and resources are needed to manage and maintain the system. A final side effect of deploying security solutions for the sake of deploying them is that, ironically, the environment becomes more complex than originally thought, which can create even more security challenges.
Ask the Tough Questions
When thinking about your next security solution, ask yourself the following to ensure you’re on the right path:
- What systems or information are you trying to protect?
- What threats are you trying to protect against?
- What’s the specific business risk that’s not being mitigated?
- In what way is what you’re currently doing failing?
- What will you need to do differently in order to effectively design, implement and manage this new technology?
- Is there any other compensating control either currently in place or as an alternate solution that could help you meet your goal(s) more effectively?
- How will you know whether it’s working or not?
The old best practice of deploying as many security solutions as possible in order to create a layered and resilient network just doesn’t work anymore. It’s not that simple. I strongly believe that you need to leverage technical controls to provide the necessary visibility and to enforce documented policies. But you can’t do it in a vacuum. Go beyond the desire to check the box, beyond the perceived need, and think long and hard about which security solutions your business truly needs. You’ll likely find that it’s not as many as you think.