Vendor-based security will be the death of us all. One of the most common errors in information security today are security models that are centered on tools rather than the people who use them. This is fed by vendors and security experts who, whether by accident or design, misdefine threats such as nation-state cyber espionage as a malware threat that can be solved buy purchasing expensive enterprise information security tools. The APT issue has accelerated this phenomenon because of the large number of vendors selling legions of products designed to “detect APTs” lurking in your network. The erroneous and self-serving premise behind these claims is that the APT is malware rather than a “who” such as a nation-state’s intelligence service. We see this same premise advanced in the aftermath of the all too common high profile data breach. Shortly after some poor company has its security failings plastered all over the news, we get waves of self-appointed security experts (many of whom are affiliated with vendors selling APT killing wonder tools) authoritatively telling us what the company did wrong and how to protect yourself from being the next victim. These experts go on to state the obvious which is that organizations should have robust security programs made up of elements such as proper controls, robust detection technology, user awareness programs, and the like. This is all fine. Yes, of course, you need to have proper controls, tools, processes, and educational efforts in place to protect your organization. What I find almost universally lacking from these vendor sales pitches and post-breach expert assessments is an understanding that these are all secondary to having the right people on your team.
You will live and die by the people you hire and the leadership that you give them. The most critical element of your security program is having the right people on your team and providing them with the leadership and resources that they need. You absolutely need proper tools to secure your enterprise, but the tools are secondary to the people who use them. The purpose of the tools is to help your people do their jobs. Too many organizations treat their people as glorified tool drivers rather than security professionals. If you are spending more money each year on your tools than you are on your people, you’re probably in a very bad place with your security posture.
Information security is very hard. It takes tremendous time, effort, and expense to even come close to mastery of critical information security skills such as incident response, malware analysis, and digital forensics. There is no tool that can ever substitute for a highly skilled and well led information security professional.
Too many organizations have bought into the model that security is ultimately about building an impenetrable fortress made up of various security tools and controls. This control-based vision of security looks something like this:
Organizations orient their security thinking towards answering questions like how tall their walls should be, how thick they should be, the design of their draw bridge, how deep the moat should be, and whether to fill the moat with alligators, lawyers, or sea monsters. Vendors feed this model by happily selling organizations all of the highly expensive alligators and draw bridges they can afford and telling them that achieving the right sea monster density in their moats will keep them secure.
Controls are critical. You aren’t going to have a secure organization if you can’t get your basic information technology controls right. However, control-based security is a failed model in an area where advanced actors like nation-states and organized crime have shown that if they are determined to breach your network, they will do so regardless of the controls you have in place. It’s no longer a world where we can realistically tell our business leaders that we can keep their critical information safe solely through a control-based model.
So what is the solution?
Meet Jet the Border Collie. You will find no creature on Earth more in the moment than a Border Collie like Jet chasing sheep. This is what they live to do. They are fantastic at it and they enjoy it immensely. Incident response people are the modern day information security Border Collies. We live in a time where we have an information security community made up of incident responders who absolutely live to get up in the morning and chase people out of our networks.
Couple that fact with the modern day threat environment where controls slow advanced actors rather than stop them and your vision of security should be this:
You are going to get breached. Your best defense against this is having a team of Border Collies who live to detect and respond to those who make it into your network. Remember this picture* the next time some vendor tries to sell you some breathtakingly expensive tool that they promise will solve your security problems. Simply put Border Collies plus good controls are the key to securing the modern enterprise.
The rub is that Border Collies are prone to destructive behavior when they get bored. “No sheep, no Collie” is a saying used by some Border Collie breeders because a breeder that cares about their dogs won’t put them in a situation where they will be unhappy. A bored Border Collie can develop neurotic behavior and engage in destructive things like eating the furniture and digging holes. Anyone who has tried to manage a bored incident responder will understand the parallels between the two. A poorly led incident responder will result in plenty of ruined carpets and partially eaten office furniture. They will make you wonder if Old Yeller actually had a happy ending after all. Chances are excellent that this behavior is due to poor leadership and an unchallenged incident responder. This is why it is absolutely critical that you not only have a team of highly skilled Border Collies, but that you keep them happy and directed by giving them top notch leadership. If you love your Border Collies enough to give them a great job with great leadership, they will love you back and will provide you with more value than any wonder tool the vendors want to sell you.
Thanks to Nancy Thornton for her wonderful Border Collie pictures and permission to use them. Thanks to Getty Images for the Photographer’s Choice RF collection picture of the Bodium castle by Brian Lawrence.
*I wish I could find some sort of picture that I could legally use that shows Border Collies chasing sheep out of a castle or something similar. That would be the ultimate visual representation that acknowledges the role of controls, but also places the emphasis on the incident response people in the organization chasing the bad guys. If anyone has something like that, please let me know.