At the time of writing it is only a few weeks until Infosec Europe 2018 – the big London cyber security show – rolls into town at Kensington Olympia on 5th-7th June (Huntsman Security is on stand E190).
This annual event is always an interesting time in the cyber security calendar. This year it is hard to predict what the key themes will be.
The RSA show in the US was back in April, and there is often a trend, topic or theme that is on everyone’s lips at that event. Sometimes that theme is echoed at the slightly later Infosec, but not always. This year RSA didn’t have such a prominent, all-consuming topic: it saw discussion of sound risk management and a continuation of interest in AI, but there was no common “silver bullet”, so it is hard to extrapolate forward from that. See our earlier blog post on RSA.
Also this year the “go live” date for GDPR has just passed. 25th May was the day when, in theory at least, that little compliance initiative went live; although in reality the flurry of “confirm you want to keep hearing from us” emails is only the tip of the iceberg. GDPR will be a topic at Infosec, but possibly less so than the year before.
One thing is for sure, with the continuing prevalence and growth of threats (a recent study by the IISP highlighted that threats were growing at a faster rate than budgets and defences) there is more than enough Fear, Uncertainty and Doubt around to keep sales teams busy in cyber security. So this “cyber security quotes” post will highlight some of the service and product claims made and what they mean.
It is easy to characterise a particular issue and a corresponding product as the entirety of a problem and its solution. We saw this a few years back with firewalls – which prevented network attacks and hence made networks safe – which did very little to protect against application-layer vulnerabilities or systems that were connected around them.
However we still see this today with products that cover off families of attacks and are perceived (or described) as a panacea: so they might control application execution and hence claim to stop all malware, viruses, phishing and insider attacks; or they might provide a network gateway that filters and polices everything; or hold data in such a way that rogue actions cannot pass through it or be performed on it.
We all (hopefully now) recognise that security is like a wall of many bricks and that any one solution might guard/prevent/stop/detect one type or route for attacks – but that often just moves the attackers to an alternative route, in a different type of exploit or a different layer of the network protocol/application stack.
For the vendor who has solved problem z, it is the only problem that matters. To the CISO or security operations team all of the problems they are facing are the worst problem, because at any one time they have to defend all systems against all threats on all vectors. The worst problem is simply the one small chink in the armour they miss; which a hacker or attack then detects and exploits.
This asymmetry between the success/failure of attackers and defenders really epitomises the nature of the cyber security challenge.
So problem z may be a valid problem, but once you have solved it (with the solution offered) it is immediately replaced by the next worst problem, which moves into the number one spot. So in essence thinking this way is akin to deriving security strategy from the order in which you encounter vendors on a trade show floor or in the alphabetical show catalogue.
This type of claim is often used to avoid talking about a concept that is really quite simple, or exists elsewhere, but which forms the basis of a product or feature that the supplier has to generate some excitement and hype about.
Often the “complicated thing” is mathematical or relates to the nature of the code, and to a non-mathematical or non-programmer audience this science can be indistinguishable from magic (to borrow Arthur C. Clarke’s third law).
So a solution or package with a large number of features or integrations might be partly formulated by a considerable number of Powershell, python or bash scripts that actually do the hard work (but are each individually really very simple).
Conversely, there is the situation where a solution provides a capability that is so hard to understand, configure and set up correctly, let alone use, that it requires constant support contact and professional services time, or ongoing tuning and adjustment.
Security technologies that are simple but obfuscated to sound clever often can be easily reproduced with a little ingenuity at the coal-face. And the last thing the complex challenge of cyber security needs is the technological equivalent of the Rube Goldberg machine.
Yes, some things are complex. Other things are made to sound complex to help sell them or justify a higher price.
This is really the security equivalent of wild west snake oil. A technology that is so advanced, so complex, so simple and so clever (insert superlatives as needed) that it cannot be broken, defeated, subverted or hacked into.
Those who have been in security for some time will have seen enough of these to be able to (a) spot them immediately, (b) bypass them and move on, and (c) probably figure out a way to break them if they needed to.
Often it is not the fallibility of the code itself, but the management environment, the reality of user activity or the demands of the operational environment. But in most cases it’s simply not worth delving further; and if the claim relates to cryptography, just walk away. Anyone with such a fundamental misunderstanding of how crypto works as to make a claim like that (often about a scheme that has had no peer review and is “proprietary”) has no business selling you solutions that claim to protect your data.
A vendor with a suite of products may claim it is countering the issue of multiple avenues of attack by providing a set of separate technologies, services or solutions that cover off these multiple access routes, exploit vectors or avenues for ingress of malware or egress of data.
There are two problems here. The first is that even if the suite of solutions gives a comprehensive range of coverage (maybe it detects viruses at a gateway, an endpoint, a server and on removable media) the component parts might not be best of breed at each point or in each characteristic of the solution. So it might be the best firewall but not the best DLP; or the best content filter but not the best VPN endpoint, etc. Buying a complete suite is a trade-off between a set of products that work together but might be a compromise on functionality or quality, and buying best of breed solutions that tick the quality box but might not work together or integrate (or use the same console/management interface).
The second problem is that in many cases these suites of products have not been designed or written by the same team, or even the same company. They have been acquired, rebadged and then somehow made to work together. As the versions progress this can improve, but often the three integrated products will have different data stores, interfaces or command syntaxes. All you are doing here is saving the effort of raising separate purchase orders, and if you are working through a reseller then even that is a slim benefit.
All the elements work together – but do they?
It is a truism in cyber security that as defenders address (or try to address) a particular threat or avenue of attack, those seeking to compromise systems will investigate other means. Hence firewalls that protected against network-level attacks were in many cases bypassed by web application exposures such as SQL injection, which operate at the application layer inside traffic the firewall was deliberately allowing through.
On the face of it this arms race is an inherent feature of the cyber security landscape, although there is a risk management decision as to how far down the road you are prepared to travel. In particular, how early you invest in a new technology that might be market-leading and premium-level initially, and hence expensive; but a few months later once rival products and even existing products have implemented similar ideas, they might be more mainstream and considerably cheaper.
However the bigger challenge is not “when to invest?” in detecting a new family of attacks; it is “how to deal with the increased volume?”
Past inventions, such as IDS, were greeted with great excitement by the market, but then were often followed by huge annoyance at the level of noise and traffic they generated which had to be dealt with. “Tuning” these systems became a black art and inevitably the de-sensitising of some alerts and the ignoring of others was not the right approach. Having a process, a workflow and the necessary “management” toolsets in place to deal with the volume of alerts (whether these are true, valid attacks, false positives or background noise) is essential.
This approach is very common; particularly for products that “detect things”. It allows an easy distinction to be drawn between the “before state”, where you couldn’t see things and the “after state”, where you can.
However, bear in mind that during any such process the sensitivity of any such solution is going to be at the maximum level possible – far higher than might be either sensible or operationally practical. For the sales team, the more things they find the better – however once live (and the goal will always be that you pay them to not take the system away) the operational demands of the solution, even in a tuned and perhaps more realistically sensitive form, might be onerous.
During the POC you will have pre-sales consultants and plenty of advice and a discrete window when the most interesting cases can draw the focus and those that are less interesting (to budget holders and sales representatives) can be ignored; once purchased and “live” you are on your own with the complete set of operational reports and challenges to deal with (and quite possibly extremely busy).
Having lots of issues to deal with is only a good thing if the total number of issues is your sole metric; otherwise it is just more stressful.
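The two passages above (IDS-style noise that has to be tuned, and POC sensitivity set to maximum so the product "finds more") both come down to one question: what does a given sensitivity setting cost in analyst time, and what does it miss? The script below is an added example, not Huntsman's or any vendor's code. It runs a small, constructed alert stream (the rules, hosts, scores and the "confirmed" analyst verdicts are all made up for illustration) through a simple triage model: drop alerts below a score threshold, collapse repeats of the same rule on the same host within an hour into one ticket, and then report ticket volume, precision, missed confirmed detections and an assumed 15 minutes of analyst effort per ticket at each threshold. The threshold-0 row is the "POC" view; the others are what a tuned deployment would look like.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample alerts, not real data: what a detection product might
# emit during a POC run with sensitivity at maximum. 'confirmed' is the
# analyst's verdict after review and is used only to score the tuning.
RAW_ALERTS = [
    # (timestamp, rule, host, score, confirmed)
    ("2018-05-21T09:00:00", "PORTSCAN", "10.0.0.5", 20, False),
    ("2018-05-21T09:00:30", "PORTSCAN", "10.0.0.5", 20, False),
    ("2018-05-21T09:01:00", "PORTSCAN", "10.0.0.5", 20, False),
    ("2018-05-21T09:02:00", "PORTSCAN", "10.0.0.5", 20, False),
    ("2018-05-21T09:30:00", "DNS_TXT_LONG", "10.0.0.9", 45, False),
    ("2018-05-21T10:00:00", "SQLI_PATTERN", "10.0.0.12", 70, True),
    ("2018-05-21T10:00:05", "SQLI_PATTERN", "10.0.0.12", 70, True),
    ("2018-05-21T10:00:10", "SQLI_PATTERN", "10.0.0.12", 70, True),
    ("2018-05-21T11:00:00", "PORTSCAN", "10.0.0.5", 20, False),
    ("2018-05-21T12:00:00", "PSEXEC_LATERAL", "10.0.0.20", 85, True),
    ("2018-05-21T13:00:00", "DNS_TXT_LONG", "10.0.0.9", 45, False),
    ("2018-05-21T14:00:00", "NEW_ADMIN_USER", "10.0.0.20", 60, True),
    ("2018-05-21T15:00:00", "DNS_TXT_LONG", "10.0.0.30", 45, False),
]

MINUTES_PER_TICKET = 15  # assumed analyst effort per distinct ticket (hypothetical)


@dataclass
class Alert:
    ts: datetime
    rule: str
    host: str
    score: int
    confirmed: bool


@dataclass
class Ticket:
    rule: str
    host: str
    first_seen: datetime
    count: int = 0        # raw alerts folded into this ticket
    confirmed: bool = False  # True if any folded alert was a real incident


def parse(rows):
    """Turn the constructed tuples into Alert objects."""
    return [Alert(datetime.fromisoformat(ts), rule, host, score, conf)
            for ts, rule, host, score, conf in rows]


def triage(alerts, min_score, window_minutes=60):
    """Drop alerts below min_score, then collapse repeats of the same rule on
    the same host that arrive within window_minutes of a ticket's first alert
    into that one ticket, which is the unit an analyst actually works."""
    window = timedelta(minutes=window_minutes)
    open_tickets = {}  # (rule, host) -> Ticket currently accepting alerts
    tickets = []
    for a in sorted(alerts, key=lambda x: x.ts):
        if a.score < min_score:
            continue
        key = (a.rule, a.host)
        t = open_tickets.get(key)
        if t is None or a.ts - t.first_seen > window:
            t = Ticket(a.rule, a.host, a.ts)
            tickets.append(t)
            open_tickets[key] = t
        t.count += 1
        t.confirmed = t.confirmed or a.confirmed
    return tickets


def evaluate(alerts, min_score, window_minutes=60):
    """Operational cost and detection quality at one sensitivity setting."""
    tickets = triage(alerts, min_score, window_minutes)
    tp = sum(1 for t in tickets if t.confirmed)
    # Confirmed-bad alerts the threshold threw away: the price of less noise.
    missed = sum(1 for a in alerts if a.confirmed and a.score < min_score)
    return {
        "min_score": min_score,
        "raw_alerts": sum(1 for a in alerts if a.score >= min_score),
        "tickets": len(tickets),
        "true_positive_tickets": tp,
        "precision": tp / len(tickets) if tickets else 0.0,
        "missed_confirmed_alerts": missed,
        "analyst_minutes": len(tickets) * MINUTES_PER_TICKET,
    }


def sweep(alerts, thresholds=(0, 50, 65, 80)):
    """Compare the POC setting (threshold 0) with progressively tuned ones."""
    return [evaluate(alerts, th) for th in thresholds]


if __name__ == "__main__":
    for row in sweep(parse(RAW_ALERTS)):
        print(row)
```

On this constructed data the untuned run raises 13 alerts and 8 tickets for 3 real incidents; a threshold of 50 keeps all 3 incidents in 3 tickets; pushing the threshold to 65 or 80 quietens things further but starts dropping confirmed detections. The point to take onto the show floor is that the "we found 13 things" figure and the "3 things you will actually staff" figure come from the same product, and only the second one tells you what it will cost to run.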
So as the trade show commences, bear in mind these warnings. Watch out for the sales and marketing quotes; and take time to talk to vendors that are of interest to understand what they offer and how it could help you, rather than being sold the solution they want to sell.
The challenges and fast moving nature of the threats faced mean that innovation, research and development move very quickly in the cyber security arena.
This does lead to the release of some genuinely clever technologies and solutions. The ones to seek out are those that are designed to solve problems holistically and with an eye on business outcomes; rather than those that simply aim to sound “sexy” and be easily “saleable”.
Enjoy the show if you do attend! Huntsman Security is on stand E190 – right by the highly advanced, revolutionary, manual floor transition apparatus (stairs).