AKA: Are you building a house of cards?
The gear myth is the belief that investing in more technology will inevitably make an enterprise network more secure. While there is a tremendous amount of new gear available to help make networks more secure, our perspective is that more gear may not only fail to achieve your security goals, it may even add risk.
First let me visually explain the gear myth, then I’ll discuss why layering additional technology into a network can be counterproductive.
Initial state: we have some security risk, so let's address it by deploying some new technology.
The image at left is a graph that shows how someone, say an IT manager, might view their level of security for a specific component of their IT environment. The scale shows that the level of security is very low. Based on this assessment the IT department deploys some new technology.
The new gear is installed: everything is fine, no risk… right?
After deploying some new gear, which in many cases is limited to buying expensive technology and lobbing it into the data center, the perceived level of security is much higher.
This is illustrated below. Notice how the red bar, which represents the security value provided by the gear, gets you most of the way to the top of the bar – secure. The gray people icon shows that a little bit of people effort is required to get the bar all the way to the top – to take the gear out of the box, install it into the rack, make some quick configuration changes, etc.
But the reality is different!
Of course, the reality is inverted. Gear gets you only a fraction of the way to the top of the security gauge. The real challenge is taking the time to get the real value out of the technology. Countless times in our audits, we identify risk that management is not aware of because they assume there is some technology in place to address it. IDS/IPS (intrusion detection/prevention systems) are a good example. Many of the implementations we see are not only ineffective, but they increase risk because management does not question whether the technology might not be working. To understand why an IDS/IPS is only as good as its configuration, one needs to understand how they work. At the most basic level an IDS/IPS is a device that sits on the network, say next to a firewall, and watches the traffic that passes by. If it sees traffic that looks suspicious, it creates an alert or automatically blocks the traffic. The problem with these devices is that they require a lot of tuning to make the alerts just sensitive enough. Too sensitive and the IT department gets too many alerts and ignores them; too desensitized and dangerous network traffic may escape notice. We've seen, perhaps, more ineffective IDS/IPS implementations than good ones. Other common cases include: web content filtering that is often trivial to bypass, expensive log aggregation solutions not fully configured, fancy encryption software not set up to encrypt all sensitive data, and VPNs configured with little thought to limiting access.
The gear reality has been added to the third graphic, below. Notice how gear gets you some of the way there and a lot of other effort, call it people effort, is required to get to the goal line. The risk of failing to understand the gear myth is to exist at the lower end of this scale and think you are somewhere higher.
Why is it that gear fails to achieve the goals? New technology is often complex, and the effectiveness of any new deployment is only as good as the thought put into the initial configuration, the testing, the operational process around maintenance, and the monitoring that consistently ensures things are working the way you think they are.
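The IDS/IPS tuning problem described above, and the monitoring point in this paragraph, can both be made concrete with a small experiment. The block below is an added example, not code from the original article or from the authors' audit tooling: it is a toy signature sensor with a constructed rule set and a handful of constructed HTTP request lines (none of it is real captured traffic or a real product's rule syntax). It scores each request at three alert thresholds to show the two failure modes the paragraph names (alert fatigue when too sensitive, missed attacks when too desensitized), and it includes a canary check that verifies a known-bad request still raises an alert at the deployed threshold, which is the kind of ongoing check that turns "we assume the box works" into "we know it works".

```python
"""Toy signature IDS: how the alert threshold, not the box, decides the value delivered."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    src: str
    payload: str
    malicious: bool  # ground-truth label, constructed for this demo only


# Constructed signatures: (name, pattern, score). Loosely modelled on what a
# signature IDS matches on; not a real vendor rule set.
SIGNATURES = [
    ("sqli_keyword", re.compile(r"(?i)\bunion\s+select\b|\bor\s+1=1\b"), 3),
    ("path_traversal", re.compile(r"\.\./\.\./"), 3),
    ("admin_path", re.compile(r"/admin"), 1),          # noisy: admins use it too
    ("long_query", re.compile(r"\?.{200,}"), 1),        # noisy: long but benign queries exist
]

# Constructed sample traffic (not real captures). The bool is the "truth" the
# sensor does not get to see.
SAMPLE_TRAFFIC = [
    Event("10.0.0.5", "GET /index.html HTTP/1.1", False),
    Event("10.0.0.5", "GET /admin/login HTTP/1.1", False),         # a real admin logging in
    Event("10.0.0.7", "GET /search?q=shoes HTTP/1.1", False),
    Event("10.0.0.7", "GET /admin HTTP/1.1", False),
    Event("203.0.113.9", "GET /admin HTTP/1.1", True),             # recon, low score on its own
    Event("203.0.113.9", "GET /search?q=' UNION SELECT 1,2 -- HTTP/1.1", True),
    Event("198.51.100.4", "GET /../../etc/passwd HTTP/1.1", True),
    Event("198.51.100.4", "GET /admin/../../../etc/shadow HTTP/1.1", True),
    Event("10.0.0.9", "GET /search?q=" + "a" * 250 + " HTTP/1.1", False),  # long benign query
]


def score_event(event):
    """Sum the scores of every signature that matches the request line."""
    hits = [(name, score) for name, pattern, score in SIGNATURES if pattern.search(event.payload)]
    return sum(score for _, score in hits), [name for name, _ in hits]


def evaluate(traffic, threshold):
    """Run the toy sensor at one alert threshold and tally what an analyst would see."""
    result = {"alerts": 0, "true_positives": 0, "false_positives": 0, "missed": 0}
    for ev in traffic:
        score, _ = score_event(ev)
        if score >= threshold:
            result["alerts"] += 1
            result["true_positives" if ev.malicious else "false_positives"] += 1
        elif ev.malicious:
            result["missed"] += 1
    return result


# Constructed known-bad request used as a canary; hypothetical address.
CANARY = Event("192.0.2.1", "GET /search?q=' UNION SELECT 1,2 -- HTTP/1.1", True)


def sensor_is_working(threshold, canary=CANARY):
    """Operational check: does a known-bad request still alert at the deployed
    threshold? Scheduling this is how you stop assuming the gear works."""
    score, _ = score_event(canary)
    return score >= threshold


if __name__ == "__main__":
    for threshold in (1, 3, 5):
        summary = evaluate(SAMPLE_TRAFFIC, threshold)
        print(f"threshold={threshold}: {summary}  canary_ok={sensor_is_working(threshold)}")
```

At threshold 1 every request that touches `/admin` or carries a long query string alerts, so three of the seven alerts are noise and the team learns to ignore the console; at threshold 5 nothing alerts at all and the canary check fails, which is the "desensitized box nobody questions" case; threshold 3 catches the three high-confidence attacks but still misses the low-scoring recon request, a gap you only know about because the labels are visible here. The canary check is the piece most deployments lack: it costs nothing and tells you whether the configuration you think is running actually fires.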
There is no glamor in security. It is not about the whiz-bang latest gadgets and protocols. It's about slowing down and double checking what you do. It's about having a process of peer review for new deployments. It's about documenting how things are done. It's about giving the IT department enough time and resources to do things right. It's about management caring about the process. It's about training. It's about people. We collectively call all of the non-gear aspects of an IT function operational integrity. So security is 20% gear and 80% operational integrity.
So investing in technology, without considering the rest of the picture, may not achieve the intended results. Worse, deploying new gear can actually make the problem worse. In our view complexity is commensurate with risk. The more complex the IT environment you run, the more risk you have. It's a house of cards when an at-capacity IT staff of fixed size becomes responsible for the management of an ever-growing IT footprint. We audit some really small networks with very limited IT resources that are really bomb proof. We also see mega corporations with huge dedicated security teams and vast resources that are full hack-fests – complexity is risk.
Incidentally, one view of a security assessment is that it is a process to evaluate technology and identify the gap between the gear-as-deployed and the configuration needed to make it effective. This is shown in the final image. If you ask our security engineers about the latest recommendations they have provided to clients, you'll find that it is not "buy more gear" but overwhelmingly, "slow down and dial in what you already have." In fact, in many cases, you'll hear our team say, "don't just slow down, take some gear out, simplify, reduce complexity wherever you can and build it back up later in a manageable way."