Unreasonable Security Practices That Will Soon Be Even More Irrelevant

By Sonny Discini
January 11, 2010


Last month I listed things security practitioners are doing that are unreasonable. Then I went through some things that are reasonable. In reading the many comments I received, I realized the message still isn't getting through to some. In the spirit of understanding and moving ahead in the new era of security, let's talk about some additional things that are not reasonable, as well as where we are headed as security practitioners.

Layered defense is not reasonable.

Go to any security site and you will read paper after paper about layered defense and how it's a great approach. I agree with the theory in the academic sense. It's harder to break into a vault that has four locks rather than one. But in reality, what if those four locks are made out of paper?

This is exactly the unreasonable thing we're doing in the enterprise with classic layered defense. How? First of all, we're telling leadership that we have "layered defense" in place. That sounds really nice until we look at exactly what we're doing. Let's start with patch management, a process that has proven over the years to be next to impossible. Go into *any* large organization, and I assure you not all hosts are current on OS and application patches, such as those from Adobe. Most likely, more than 40 percent are behind, even with the most expensive tools and the most diligent patching practices. How can you patch effectively if your vulnerability scanners can't even produce accurate information on the patch levels of your hosts?

I can tell you with certainty that one very well known VA tool does not produce accurate results, and the vendor is very much aware of it. So there is our first line of defense, made of paper. Then we deploy antivirus clients to these same hosts. We already know from last month that antivirus is next to useless these days, because at best we're seeing 18 percent detection rates. There is your second layer of paper. And then we say we're letting the user log in with only limited rights; however, the more common attacks (e.g., browser exploits and spam) have nothing to do with user privileges. There is your third layer of paper. And it goes on and on.
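The patch-level accuracy problem described above is easy to reproduce. What follows is an added example, not code from the original article and not any vendor's scanner: a small Python audit that measures what fraction of a constructed host inventory is behind a constructed patch baseline, and contrasts a proper version comparison (plus a vendor-backport table) with the naive text comparison a careless scanner effectively performs. Package names, version numbers, host names and the backport entry are all hypothetical.

```python
"""Patch-compliance audit over a constructed host inventory (added example).

Shows (1) how to measure the share of hosts behind a patch baseline and
(2) why a scanner that compares version strings naively gets it wrong:
"9.10.0" sorts lexically before "9.2.0", and a distribution backport such as
0.9.8g-15+lenny6 carries a fix without ever reaching upstream 0.9.8k.
"""
import re
from typing import Dict, List, Tuple

# Constructed baseline (hypothetical): package -> minimum upstream version
# that carries the fix we care about.
BASELINE: Dict[str, str] = {
    "acroread": "9.2.0",
    "openssl": "0.9.8k",
    "firefox": "3.5.7",
}

# Constructed vendor-backport table (hypothetical): distro-specific versions
# known, e.g. from a vendor advisory, to contain the same fix.
BACKPORTS: Dict[str, set] = {
    "openssl": {"0.9.8g-15+lenny6"},
}

# Constructed inventory (hypothetical hosts): host -> {package: installed}.
INVENTORY: Dict[str, Dict[str, str]] = {
    "web01":  {"acroread": "9.10.0", "openssl": "0.9.8k",           "firefox": "3.5.7"},
    "web02":  {"acroread": "9.2.0",  "openssl": "0.9.8g-15+lenny6", "firefox": "3.5.7"},
    "desk07": {"acroread": "9.1.3",  "openssl": "0.9.8k",           "firefox": "3.5.7"},
    "desk12": {"acroread": "9.2.0",  "openssl": "0.9.8k",           "firefox": "3.0.15"},
    "lab03":  {"acroread": "9.2.0",  "openssl": "1.0.0",            "firefox": "3.5.7"},
}

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def parse_version(version: str) -> Tuple[Tuple[int, object], ...]:
    """Turn '0.9.8g-15+lenny6' into a tuple that compares numerically.

    The distro revision after '-' or '+' is dropped; the upstream part is
    split into digit runs (compared as ints) and letter runs (compared as
    strings). Each token is tagged so int and str never meet in a comparison,
    which Python 3 would reject. A trailing letter run counts as newer than
    none at all, matching the OpenSSL 0.9.8a..0.9.8z convention; pre-release
    markers such as 'rc1' are deliberately not special-cased here.
    """
    upstream = re.split(r"[-+]", version, maxsplit=1)[0]
    tokens = []
    for tok in _TOKEN.findall(upstream):
        tokens.append((1, int(tok)) if tok.isdigit() else (0, tok))
    return tuple(tokens)


def is_patched(pkg: str, installed: str, naive: bool = False) -> bool:
    """True if the installed version carries the baseline fix.

    naive=True mimics a scanner that compares version strings as text, the
    behaviour behind many false 'vulnerable' findings on patched hosts.
    """
    required = BASELINE[pkg]
    if naive:
        return installed >= required
    if installed in BACKPORTS.get(pkg, set()):
        return True
    return parse_version(installed) >= parse_version(required)


def audit(inventory: Dict[str, Dict[str, str]], naive: bool = False) -> Dict[str, List[str]]:
    """Return host -> list of packages behind baseline (compliant hosts omitted)."""
    behind: Dict[str, List[str]] = {}
    for host, pkgs in inventory.items():
        missing = [p for p, v in pkgs.items() if not is_patched(p, v, naive)]
        if missing:
            behind[host] = missing
    return behind


def percent_behind(inventory: Dict[str, Dict[str, str]], naive: bool = False) -> float:
    """Share of hosts (in percent) with at least one package behind baseline."""
    return 100.0 * len(audit(inventory, naive)) / len(inventory)


if __name__ == "__main__":
    for label, naive in (("accurate", False), ("naive string compare", True)):
        result = audit(INVENTORY, naive)
        print(f"{label}: {percent_behind(INVENTORY, naive):.0f}% of hosts behind -> {result}")
```

Run as a script it prints both figures. On the constructed inventory the naive check flags 80 percent of hosts while the accurate check flags 40 percent: web01's Acrobat Reader 9.10.0 is reported as older than 9.2.0 because "1" sorts before "2" as text, and web02's backported OpenSSL never reaches the upstream string 0.9.8k even though it carries the fix. Whether your own scanner falls into either trap is worth checking against a host whose patch state you know by hand.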

Now many will argue that they are going to lock down hosts to do only what the user needs to do. This is a noble endeavor that in 20 years in this field I have yet to see effectively deployed and managed over time while still allowing the business to operate. The bottom line is, we're kidding ourselves if we believe we can use traditional techniques against modern attacks on modern computing platforms. Worse, we're selling this garbage to senior management, who are ultimately responsible when there is an incident. Although it's their job to accept risk and understand what's happening, it's your job to effectively secure the enterprise.

Now I would certainly get flak if I didn't address the network-level layered defense failures present today. I've already deemed things like IDS and firewalls useless technologies in today's connected world. Why? There is no such thing as a perimeter anymore. If you feel there is, it's time to switch fields. Data flows in and out of your environments in ways never before seen and never before addressed. You can have 100 firewalls, 30 IDS boxes and 200 DLP solutions. But I can trump all of them and steal your data with a humble iPod, and none of your layered defense point solutions will ever know. This is the new reality for security practitioners, and the sooner you understand it, the better off you and your enterprise will be.

Security professionals are not reasonable.

Let's face it, once you catch up and understand what I'm saying to you, it will be clear that our historic role as security professionals is no longer reasonable. We can't keep selling 10-year-old enterprise security models that are both very expensive and busted. We must become not only security pros who understand the fundamental shift that is happening to our sector but also shrewd business professionals capable of surviving mass reductions in IT. What do I mean? Well, let's start with something now commonplace with senior management. With economic times so tough, the CIO is coming to you and saying you are the highest expense on the balance sheet. What are you going to do to show ROI and cost savings, in hard numbers, right now?

The answer is very clear to me because I was in this exact position only two months ago. Management knows our classic models have failed. Senior managers need something new, something now and something that shows instant dollar savings to the enterprise. In my case, I removed all the junk point solutions. I abandoned the classic notion of the perimeter, and I moved all that I can to the cloud. In addition, the technologies I must keep in place for unreasonable regulations (like HIPAA and PCI) I repriced via bidding wars among security vendors. In one case, I have the same features for more than $100,000 less than the previous vendor charged.

There are a great many unreasonable holdovers from the past two decades — everything from in-house data centers all the way to pen testing. The cloud is here, and soon all of us will be harnessing the power, cost savings and new computing models, and accessing it via non-enterprise devices. Which leads us to the final word on what will be reasonable very soon.

Your own equipment on the job.

It's no secret that keeping a PC at a desk is a HUGE expense. But what if we suddenly stop looking at data as files? Once we do that, electronic information as we know it becomes a different animal. All of us have been trained to see data as a file in a folder in a drive. In reality it's not that at all. It is something that flows, can be stored anywhere and should be available to you even if a bomb levels your entire town.

This is the future of electronic information, and because that is the future and the enterprise will (eventually) protect only valuable data, there will not be a need for a PC on your desktop. As things stand today, I can do 80 percent of my job from my handheld. If I had a Droid phone, maybe I could do even more of it. The enterprise will not need to dole out the expense of outfitting you with a PC if all you need is a web browser to hit enterprise data that resides in the cloud. This will instantly make antivirus as we know it, antispyware, patch management, vulnerability assessment, IDS, IPS, DLP and every other half-baked thing we're doing today an absolute pile of useless junk. This is what's coming.

If you think I'm wrong, tuck this article away and read it again in three years.
