Recently I was in a meeting with security executives and managers of a prospective customer. After discussing their initiatives and pain points I explained how StealthWatch may help address some of them. As I described how StealthWatch reveals ongoing security breaches in networks, the CISO became visibly anxious. As I inquired about the discomfort, I was told that their organization was not yet prepared to be confronted with how bad things really were.
Understanding the Problem
I was joined in that meeting by an experienced InfoSec colleague that had joined the Lancope team just a few weeks prior. The CISO’s comment so badly perplexed my teammate that he did a visible double-take. I could see his righteous indignation was quickly formulating a sermon on the sins of this line of thinking. I knew what he was about to say because I have heard myself say it all before.
I stopped him from starting by explaining that I understood those concerns. I told the CISO that almost 1 in 4 of the organizations I meet with initially feel the same way. I began to probe where the worry was rooted. The CISO was worried they didn’t have the manpower or processes to handle fighting advanced cyber-attacks. There were worries that revealing the problems in the near term would damage the organization’s business initiatives. There was also concern that bringing in additional tools exposed the organization to new risk (in the wake of FireEye and Target.)
I regularly hear this “head in the sand” InfoSec strategy. Normally it is much less blatant but none-the-less apparent. I have lost count of how many security teams I have met with over the last couple of years that are comfortable living in “plausible deniability.” They believe they cannot get in trouble about problems they are unaware. There is an unspoken agreement that “living in ignorant bliss” is preferable to the hard work of building a safer security practice.
It’s very easy to pass judgment on organizations that have their heads deep in the sand. The only healthy and sane way to address such policy is to apply all force to fixing it quickly. While there is little doubt that laziness and incompetence plays a role in keeping heads deeply buried, it is a gross over simplification to leave it there. The changes that are necessary will often require good people to lose their jobs. People may go to jail. Companies may be left permanently damaged. It is easy to make these decisions when these people are faceless. When they are the people you see every day and your children go to school with their children, the pain of making sweeping changes seems like it can wait another month or two (or twenty.)
Fixing the Problem
Ripping heads out of the sand can cause more damage than actual security breaches. It’s important to develop a plan that can safely nurse the organization from unhealthy to healthy.
When I had the responsibility of securing a DoD network, I had the gall of creating what I titled “Monthly Failure Report.” I documented all the ways that my team failed to protect government assets. I provided my best estimate of the count of different types of attacks that I was unaware of or couldn’t respond to. I sent this report to my superior. In addition to listing how I had failed to execute my duties, I provided an explanation on why I failed and a remedy to reduce the failures. The recommendations required either additional manpower, additional knowledge/training, additional tools or change in policy.
Failure reports serve two important purposes. First, they move responsibility of fixing the failures up the chain of command. It makes superiors aware of security gaps (removing plausible deniability.) Secondly, it provides justification and explanation for correcting the problems. Often management and executives don’t understand why purchasing additional security tools are necessary. I have met with some executives that believed their teams were asking because they wanted “cool toys.” Failure reports remove that type of errant thinking.
Processes are created to make policy reality. People and tools combine to make processes occur. Effective processes are what make networks secure. If the IT organization doesn’t have a person that loves working with flowcharts, borrow one from another department or contract a business analyst. Being able to document current and future processes enables tool selection. It also makes teaching entry level team members manageable. They can be assigned sections of one or more processes. Their development in the organization can be gauged by their ability to master different processes. Flowcharts are powerful tools in transforming a security practice.
Building an effective security architecture requires some initiatives that only need to be done once. It would be an unfortunate waste of time and money for an organization to train individuals to learn how to do a task they would only do once. It would be an even bigger travesty for an organization to buy a new set of tools but never effectively deploy them. Most security product vendors like Lancope deploy a partner directory that can be used to find experts to deploy products quickly and painlessly. Additionally, it may be wise to keep a partner on a support contract to provide an escalation tier as documented in response processes require.
Information security currently has an unfortunate lack of trained professionals. As I work with security teams, I find many of them need theoretical cybersecurity training before the product training can be useful. Organizations like SANS provide courses to help transform loyal team members into sharp security analysts and responders. One of the best places to find the next security superstar is in a cubicle near you. Training a loyal employee on a new set of skills will save the organization money, make a more loyal employee and create an operator that is already familiar with the organizations systems and processes. When evaluating new security tools for InfoSec processes, be sure the vendor provides regularly scheduled training.
There are many challenges of moving from “plausible deniability” to full visibility. Spending some time doing honest evaluation and reporting is a good first step. Using internal talent and consultants, process can be built from policy. With the paperwork done, tool selection and team training become straightforward initiatives. Organizations do want to get their heads out of the sand but yanking hard is rarely wise. Some gentle coaxing can empower even the most terrified organizations.