Security technology cargo cult: buy more boxes

Fear of reprisal is one of the most potent stimulants for action. It is also one that information security generally ignores. Instead, “improving security by buying more technology” is the prevalent course of action for IT shops in large and small organisations alike. That this merely perpetuates a losing race is not a message most IT security staff are willing to concede.

There is a better way to improve the information security posture of large and small organisations, and it starts by mimicking physical security, where psychology has long played a significant role. I generally liken the modern enterprise IT environment to a large city, but that analogy is too complex for the purposes of this post, so we’ll use a simpler one: a standalone warehouse in an industrial park, with a chain-link fence on the perimeter.

This is a topic I’ve written about a bit already over the years. This post is the first in a series in which I’ll go over different aspects of each of the three security controls and their lesser known and understood attributes.

My past posts on the subject, such as those on security dogmas and a typical organisation’s approach to security, can provide some further background (or at least levity).

## A warehouse

Consider a large warehouse that contains a number of valuables. Now consider the security controls that warehouse will have.

A 3m tall chainlink fence. That’s all. Nothing more, nothing less.

Deterrent level: Keep honest people honest.

A set of CCTV cameras installed around the perimeter. Another set of CCTV cameras installed in the warehouse. Thermal (IR) motion detectors. Seismic detectors to alert if anyone decides to dig a tunnel underneath the warehouse, or drives a large truck towards it. Security guards on premises who periodically check the perimeter and the inside of the warehouse.

Deterrent level: Keep honest people honest. Keep the majority of criminally minded people out, since they cannot rule out a delayed response.

Security operations staff who monitor the camera screens. Alert security guards to any activity that needs to be checked and confirmed. Alert relevant law enforcement if the response to the activity requires it (activity threatens to breach the perimeter, or has already done so; activity requires pursuit outside the perimeter; the response has been delayed; etc.).

Deterrent level: Keep honest people honest. Keep the majority of criminally minded people out, since they cannot rule out a delayed response. Keep all but the very organised criminally minded people out, since they will need to evade detection and response for the foreseeable future.

## Corporate environment

Now imagine that the warehouse is your corporate environment. Your information security staff can choose from three pools of security controls. The first is prevention, and that pool is largely drained. The second is detection, and whilst the pool is pretty empty, the controls are typically not put to good use. The third is by far the hardest for typical information security staff because it requires a good knowledge of psychology and organisational dynamics, and a calm, rational approach to incidents.

The typical firewall-antivirus-patching combo. It’s a low obstacle and is business-as-usual work. Keeps honest people honest.

Deterrent level: Will not deter an intelligent adversary, nor alert on honest mistakes by employees.

A standard intrusion detection/prevention system, security incident and event management system, and log management system. Good organisations will also keep track of which applications are started on which computer, and who accessed what information (in a database or unstructured) and when.

Deterrent level: Poses a good deterrent to intelligent adversaries, who will likely prefer to go elsewhere, especially since they cannot rule out a delayed response. Will deter employees from making mistakes that arise from negligence or from cutting corners for the sake of expediency.

Staff reviewing the alerts produced by detection technologies. Virtual security incident response teams assembled as and when necessary. A clearly defined set of metrics that helps decide the initial response: will it be dealt with locally, with a report given to senior management, or does it need the crisis management team engaged? Containment of the breach, or monitoring? Stop the information leaking, or is it OK because it’s false data? Heads-up to the appropriate national CSIRT and law enforcement?

Deterrent level: Organisations that make it known that they practise security incident response and have established good ties with law enforcement agencies send a strong deterrence signal to all intelligent adversaries who are reachable by law enforcement (yes, extradition rules and global politics play a role in this).
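As an added illustration (not code from the original post), here is a toy version of the detection-and-response chain described in the two paragraphs above: parse an audit trail of application starts and data accesses, raise alerts, and map them onto the initial-response questions the post lists (handle locally or engage the crisis team; contain or monitor; stop the leak, or not because the data is false; heads-up to CSIRT and law enforcement). The log format, the three rules, the users, hosts and object names, and the escalation thresholds are all assumptions made for this example; a real SIEM carries many more rules and a richer severity model.

```python
# Added illustration (not from the original post): a toy detection-plus-triage
# pipeline over constructed audit records. Log format, rules, users, hosts and
# thresholds are all assumptions made for this example.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit log. Assumed format per line:
# <ISO timestamp> <event type> <user> <host> <object>
SAMPLE_LOG = """\
2013-05-14T09:02:11 APP_START alice ws-17 excel.exe
2013-05-14T09:05:40 DATA_ACCESS alice ws-17 db:customers/row/1042
2013-05-14T13:20:02 APP_START bob ws-04 psexec.exe
2013-05-14T23:41:55 DATA_ACCESS bob ws-04 db:customers/export
2013-05-14T23:42:10 DATA_ACCESS bob ws-04 db:honeytokens/row/7
"""


@dataclass
class Event:
    ts: datetime
    kind: str
    user: str
    host: str
    obj: str


def parse_log(text):
    """Turn the constructed audit log into Event records (who ran what, where; who read what, when)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, host, obj = line.split(" ", 4)
        events.append(Event(datetime.fromisoformat(ts), kind, user, host, obj))
    return events


# Assumed detection policy for the example.
BUSINESS_HOURS = range(8, 18)          # 08:00-17:59 counts as normal working time
SENSITIVE_PREFIX = "db:customers/"     # real customer data
HONEYTOKEN_PREFIX = "db:honeytokens/"  # deliberately false data; any access is suspicious
ADMIN_TOOLS = {"psexec.exe"}           # remote-admin tools an ordinary user should not start


def detect(events):
    """Apply the three rules; each alert records whether only false data was touched."""
    alerts = []
    for e in events:
        if (e.kind == "DATA_ACCESS" and e.obj.startswith(SENSITIVE_PREFIX)
                and e.ts.hour not in BUSINESS_HOURS):
            alerts.append({"rule": "after_hours_sensitive_access", "event": e, "false_data": False})
        if e.kind == "DATA_ACCESS" and e.obj.startswith(HONEYTOKEN_PREFIX):
            alerts.append({"rule": "honeytoken_access", "event": e, "false_data": True})
        if e.kind == "APP_START" and e.obj in ADMIN_TOOLS:
            alerts.append({"rule": "admin_tool_start", "event": e, "false_data": False})
    return alerts


def triage(alerts):
    """Group alerts per user and answer the post's initial-response questions.

    Thresholds are assumptions for this example: two or more distinct rules on
    real data -> crisis team; admin tool plus real-data access -> notify CSIRT
    and law enforcement; false data only -> monitor rather than contain."""
    by_user = defaultdict(list)
    for a in alerts:
        by_user[a["event"].user].append(a)
    decisions = {}
    for user, user_alerts in by_user.items():
        rules = {a["rule"] for a in user_alerts}
        false_only = all(a["false_data"] for a in user_alerts)
        decisions[user] = {
            "rules": sorted(rules),
            # handle locally and report upwards, or engage the crisis management team?
            "escalate_to_crisis_team": len(rules) >= 2 and not false_only,
            # containment, or keep watching while the adversary only touches false data?
            "action": "monitor" if false_only else "contain",
            # stop the leak, or is it OK because the data is false?
            "stop_leak": not false_only,
            # heads-up to the national CSIRT and law enforcement?
            "notify_csirt_law_enforcement":
                {"admin_tool_start", "after_hours_sensitive_access"} <= rules,
        }
    return decisions


if __name__ == "__main__":
    for user, decision in triage(detect(parse_log(SAMPLE_LOG))).items():
        print(user, decision)
```

Running the script on the constructed log yields no alerts for alice (daytime access from her own workstation) and three for bob, which the triage step turns into a "contain, stop the leak, escalate, notify" decision. An actor who only ever touches honeytoken records instead gets "monitor, nothing to stop", which is the "OK because it's false data" branch from the post.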

Prevention controls are often seen by intelligent adversaries as a challenge, an obstacle to clear. Good detection and response controls serve as deterrents to all but those who can gain significant financial benefit without risking their own freedom. Next time your security architect proposes more technology to close a perceived gap in your security posture, ask them whether they’ve really considered all the options. Most information security personnel love technology because it’s easy to deploy and easy to understand. Understanding the adversarial mind is not something that lends itself to the typical technology-focused security mindset.

NB: The “cargo cult” comes from Vitaly Osipov’s tweet this morning: