RSA 2017 Takeaways
The more things change…
The more they stay the same. That is actually not the case; rather, there have been incremental developments and product releases that help shrink cyber security problems, considerably in some cases, but we still have problems.
A good example is antivirus (AV) effectiveness. Just a few years ago, AV was arguably 35% effective, but next-gen antivirus has since raised the bar, pushing that number, and the stalwarts of the industry along with it, to levels approaching or exceeding 90% in some cases. But if 10% of attacks still evade detection, we still have a problem.
As a vendor of cyber security solutions, I appreciate not adding to your existing security stack. But I also encourage you to consider newer solutions that allow you to become more efficient and effective. Does this mean you should give up your existing solutions? Certainly not, but if you are underutilizing them, ask yourself why that is. Organizations lack the talented cyber resources it takes to analyze and manage a myriad of solutions. Is the industry moving away from best-of-breed solutions? Doubtful, as most mature organizations have very specific use cases that lead to a product evaluation and the selection of point solutions.
Do this: Utilize your existing solutions to their limits. Do the personnel on your team have the correct skillsets to get the most from them? Do they require additional training? Have existing solutions added features which address gaps? Consider solutions that address multiple issues to reduce your security technology debt while keeping pace with your transforming IT footprint, such as migrations to the cloud and a mobile workforce. Ensure new solutions can be tightly integrated with existing solutions, from the network and cloud through to the endpoint.
Look before you leap… Many organizations are jumping into the cloud, usually without security.
Whether it’s IaaS, SaaS, or PaaS, organizations can quickly embrace these new technologies to grow their businesses. Oftentimes these technologies are deployed without formal review or the security team’s involvement, because the implementation costs are relatively low. I heard more than once, “they can just charge it to their credit card,” which circumvents normal procurement processes and review boards. Some organizations are trying to get in front of the bus and implement security programs and policies in the cloud. They want to avoid the issues they experienced when they failed to implement these policies in their traditional networks.
Do this: Gain cloud visibility. Implement network monitoring and cyber situational awareness to identify the use of cloud solutions that you may not be aware of, as well as to provide visibility into the cloud solutions you do allow.
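One concrete form the "gain cloud visibility" step can take is to run outbound proxy or DNS logs against a catalogue of known cloud services and separate the sanctioned ones from the ones nobody reviewed. The script below is an added illustration, not code from the original post; the log format, the service catalogue and the sanctioned list are all constructed for the example.

```python
# Shadow-cloud discovery over outbound proxy logs (constructed example data).

# Illustrative catalogue of cloud services keyed by destination-domain suffix.
CLOUD_SERVICES = {
    "dropbox.com": "Dropbox",
    "box.com": "Box",
    "s3.amazonaws.com": "AWS S3",
    "sharepoint.com": "Microsoft SharePoint",
    "salesforce.com": "Salesforce",
}

# Services the security team has actually reviewed and approved (constructed).
SANCTIONED = {"Microsoft SharePoint", "Salesforce"}

def classify_host(host):
    """Map a destination host to a catalogue service name, or None if unknown."""
    labels = host.lower().rstrip(".").split(".")
    # Longest suffix first, so a more specific catalogue entry beats a broader one.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in CLOUD_SERVICES:
            return CLOUD_SERVICES[suffix]
    return None

def parse_proxy_line(line):
    """Parse the constructed 'timestamp user destination_host bytes' record."""
    ts, user, host, nbytes = line.split()
    return {"ts": ts, "user": user, "host": host, "bytes": int(nbytes)}

def cloud_usage_report(lines):
    """Aggregate per service: whether it is sanctioned, who used it, how much data moved."""
    report = {}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_proxy_line(line)
        service = classify_host(rec["host"])
        if service is None:          # internal or uncatalogued destination
            continue
        entry = report.setdefault(
            service, {"sanctioned": service in SANCTIONED, "users": set(), "bytes": 0})
        entry["users"].add(rec["user"])
        entry["bytes"] += rec["bytes"]
    return report

def unsanctioned_services(report):
    """Services observed on the wire that were never reviewed: the shadow-cloud list."""
    return sorted(s for s, e in report.items() if not e["sanctioned"])

# Constructed sample log: six proxy records from one morning.
SAMPLE_LOG = """\
2017-02-15T09:01:02 alice www.dropbox.com 5242880
2017-02-15T09:03:10 bob contoso.sharepoint.com 102400
2017-02-15T09:05:44 carol bucket-42.s3.amazonaws.com 734003200
2017-02-15T09:07:00 alice na1.salesforce.com 20480
2017-02-15T09:09:31 dave www.dropbox.com 1048576
2017-02-15T09:10:00 erin intranet.example.local 4096
"""

if __name__ == "__main__":
    rep = cloud_usage_report(SAMPLE_LOG.splitlines())
    for svc in unsanctioned_services(rep):
        e = rep[svc]
        print(f"UNSANCTIONED {svc}: {len(e['users'])} user(s), {e['bytes']} bytes")
```

The byte totals matter as much as the service names: a single unreviewed storage service moving hundreds of megabytes is the finding a review board wants to see first.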
What is cloud security again?
As for cloud security specifically, the general lack of awareness or education on the subject among organizations is surprising. While there are cyber security solutions for cloud environments, the design and implementation of cloud security solutions are non-trivial in many cases and require an in-depth understanding of cloud technologies (VPCs, security groups, open switching, etc.). Security teams are starting to learn, but very little has been published about best practices.
Do this: Ensure your team is educated on cloud technologies and security capabilities. They vary greatly by provider.
Companies complained about the high cost of SIEM platforms, along with the added disadvantage of needing teams of analysts to extract value from those platforms. I thought that the security analytics market was going to help on the value extraction side, but either folks haven’t made the investment in these solutions yet or don’t want to add to their security stack.
Do this: SIEM bloat is difficult to address. Over the course of the past 10 years I have watched as SIEM solutions have morphed into log management solutions and vice versa. Each has its own limitations. If you made an investment in one, or both, you do your best to get the most value from them (reference #1 above). Having said that, sometimes the incremental gain just isn’t worth the cost of extracting that last golden nugget. Consider next-gen SIEM and/or analytics platforms. While I do see value in some of the security analytics products that ride on top of your existing SIEM, you have just added to your technology stack and made your operations even more complex. Many of these products are really just features, features which should be incorporated into your existing SIEM, and that again adds to the bloat problem.