Cатсн²² (in)sесuяitу / ChrisJohnRiley

* This is a blog post response to the Getting Information Security Back to Basics – Change Management & Process Improvement blogpost by @wh1t3rabbit

Background

A week or so back Raf asked for some softball questions on Twitter for him to answer at the HPdiscover conference taking place in Vienna.

Just to keep him on his toes I threw him a curveball and asked .:

Why should companies spend money on vendor products when what they need is better processes and basic hardening?

Sure, I could have phrased it better, and I could have spiced it up a little, but for an off the cuff answer I think it made the point… Why do companies put so much stock in the next big thing, the big device with the flashy lights and the readout that tells you if your companies security is green, orange or red!

Raf took the time to form a full answer over on his Following the White Rabbit blog

Response

First let me say that I respect Raf for answering the question. There are too many people in this industry that would have just ignored the question and stuck to the easy home runs. Below I’ll try to answer a few of the key points he made as best I can. As usual, take everything I say with a pinch of salt (and a shot of vodka if you’ve got it!)

…your question seems to imply that you feel there is a mutual exclusivity between the very fundamental problems you see organizations facing and purchasing products/services from vendors

Yes and no. I try not to think in black and white, and there will always be companies that are in a situation where they need $vendor to help them. However, with that said, the penchant for buying a blackbox with the goal of becoming secure is worrisome and something that I feel is holding companies back from achieving the goals that they have both in business and security. I’ve seen instances where products and services from vendors have improved a company’s security posture, but those are dwarfed by the number that have simply wasted time and money on things that were unneeded, dysfunctional and downright pointless.

IMPO (In My Personal Opinion) a CISO/CSO that budgets more for shiny black boxes than for manpower, training and back to basics style projects, is misinformed and destined to fail. remember the age-old saying…

Nobody ever got fired for buying XYZ

The XYZ has changed over the years from IBM, through to Microsoft and who knows where it is now! Still, the comment irks me regardless. Too many CISO/CSOs believe that the best way to keep the status quo is to buy the latest and greatest thing. Whether that’s DLP, deep packet inspection devices, or a box that blinks red when it detects Anonymous activity. Nobody ever got fired for buying the latest and greatest! … but maybe they should have! Companies don’t need a CISO/CSO to tell them “buy this device”… the need somebody to help make the company more secure. To guide the hand of the company’s security posture.  Somebody to set a goal, whether that’s “reduce our patch time from 30 days to 14” or “react to virus infections within 2 hours”. Leave the how to the people who are on the ground doing this every day. If they can achieve this through training, better processes for response teams, or additional head count, then great. These things are going to improve the security of the company more than a device that goes *bing* when your web server sees a malformed packet from China!

With that said… there are places where $vendor can assist companies. Taking the examples I gave a moment ago. It’s hard for a medium to large company to improve patch times if they don’t have a central way to test, roll out and monitor systems. Even harder when they (like far too many companies) don’t even know where or what their systems are! It’s also hard to respond quickly when you don’t have a central AV solution and the tools needed to respond correctly. These are all things that are required to some degree or another. However, there’s a downside, as with everything. The more budget that gets pumped into these devices, the less people and training for those people you seem to encounter. These devices don’t work themselves, and a machine sitting in a corner saying “RED ALERT” is only as good as the people watching it, and the process behind what to do next!

Like @wh1t3rabbit said conveniently in an out of context tweet

It’s all about balance

$vendor != security… but then again, without them it’s hard for us to have the information we as security professionals need to get our jobs done.

I don’t hate vendors… but I don’t want them controlling my security.