Monday, June 20, 2011

Get with the times, decentralized security is so 2000 and late

You would think we would have matured enough as a security industry that there would be a consensus on this topic. However, we are not even close, mainly due to bureaucracy and politics. So let's survey the land of failed justifications.

"We're so big we have to be decentralized"

There is nothing that states centralized security means physical separation. You can have people local to your sites all over the world and still report into a single organization.

"Our business unit is so different we need our own team"

This argument can often be valid for IT services that require customization and agility. This is rarely the case for security. Just because a particular business may require a different policy or higher standards doesn't mean it should go rogue. The overall marching orders need to be coordinated; otherwise you end up with gaps in visibility, protection, compliance, etc.

"This is the way we have always done it here"

This is by far the weakest thing I've ever heard. I almost think it's purely a justification to hand out C-level titles. News flash: if your organization has more than one CISO, you're probably not that good at IT or security. You have to ask yourself: are they even qualified for that position, or do you have a bunch of climbers looking for a security bullet point on their resume?

Now I'm not completely blind to the fact that separation is often done for real reasons, unlike the horrible ones given above. Legal restrictions may sometimes prevent data from leaving a particular country or mandate particular requirements. However, I'm not aware of any law anywhere stating that your IT security goals and objectives can't come from a centralized structure. If there is one, please provide me with the source. Another valid reason that often arises is mergers and acquisitions. It's quite common that a newly acquired organization is not fully integrated yet. Or it may even be the case that you strategically want to keep it separate so you can divest it much more quickly.

For me though, it's important to understand that your entire organization is fighting the adversary together. You fail and succeed as an entire company, not as a business unit. While an enclave or silo may have world-class security practices, it is only as strong as the weakest link. At some point there is a trusted process or network connection to another unit that may not have such good security. This doesn't mean that all security personnel need to be located at the corporate mothership. It simply means you need a common understanding of how to handle security incidents, architect your network, and implement better security controls. If you look around and you see a lot of dotted lines and CISOs on your org chart, that's a pretty good sign that your security efforts are disjointed, taking on too much, and doing nothing really well.

Wednesday, June 1, 2011

Shooting Blanks FTL

How many times in your career have you heard there are no silver bullets? I'm sure it's been quite a few times and then some. It definitely needs to be a part of your infosec mantra to ensure people don't have a false sense of security. It should be well ingrained that [AV, FIREWALLS, IPS, PROXIES, *] don't stop sophisticated attackers. They are at best a speed bump in the road.

So what is the point of this post? I've noticed a disturbing trend in the industry of knowledgeable individuals going to the opposite end of the spectrum. Instead of taking a practical approach, they shoot down any security control based on its flaws. One of my favorite quotes illustrates this perfectly.

Narrator: Tyler, you are by far the most interesting single-serving friend I've ever met... see I have this thing: everything on a plane is single-serving...
Tyler Durden: Oh I get it, it's very clever.
Narrator: Thank you.
Tyler Durden: How's that working out for you?
Narrator: What?
Tyler Durden: Being clever.
Narrator: Great.
Tyler Durden: Keep it up then... Right up.

Some people are just a little too clever for their own good. They routinely dismiss proposed security solutions as having flaws and not being worth pursuing. News flash: short of unplugging the power or pulling the network cable, all solutions have vulnerabilities to a certain degree. Doing nothing isn't an option. Accepting the status quo is a defeatist attitude in this little thing we call "cyber conflict". Yes, that's right, I used the word cyber, deal with it. The APT is in your house stealing your stuff. Ask yourself this: do you go to a gunfight with a knife? No, you want a gun, preferably with some ammunition. In this case, the ammunition is your defense in depth. Yes, it most notably depends on people and process, but security tools play a big factor. While in this allegorical gunfight the adversary has an AK-47 with a banana clip, you should at least show up with a Glock 22 loaded with a few rounds of .40 S&W. Yes, more times than not we will lose, but making the adversary duck, dodge, displace, and slow down is worth the effort. Who knows, you might even win some of those battles and eject them from your network like a spent cartridge.