Security teams left in the dark by current technologies and practicesby Steve Ragan - Oct 17 2011, 14:00
RedSeal, a network security assessment vendor based in San Mateo, California, conducted a series of Q&As during BlackHat and Cisco Live!, which shows that InfoSec teams are in the dark, and feel out gunned by attackers. However, some of the issues are their own doing.
During July (Cisco Live!) and August (BlackHat) 2011, RedSeal spoke to 1,967 InfoSec professionals from all levels, to learn their views on threat assessment, mitigation, and risk posture on their respective networks. The information collected offers a grim, but unsurprising view, of the state of risk in todayís enterprise.
Here are some of the stats from the various areas represented by the study. Granted, this cross section excludes repeated answers separated by vertical market, and those that focus on the types of solutions offered by RedSeal.
- 75% of security professionals state that hackers have the upper hand with tools and automation
Can anyone be blamed for feeling like this? It seems like there is a new breach or incident reported in the news each week. Yet, most of the automated attacks are preventable. Technologies and policies that assess code development, user and process enforcement, and traffic analysis are all helpful when addressing these types of threats.
The question is where is the business heading? The security tools selected to deal with threats and automated attacks should always match the needs of the business, if they were not implemented as part of the business plan in the first place. It isnít easy, and takes a good deal of research and time, but the efforts are worth it.
The sad part is that in the meantime, many organizations are using patchwork solutions or just dropping appliances on the network, in the hopes that things will work out in the end. This endless cycle can be hard to break, as additional stop-gaps added to the network in order to address the failings of the previously implemented stop-gaps.
- 50% admit they donít know or have no way of knowing how many hosts can be accessed from outside their network
An asset, be it data or hardware, cannot be protected if no one knows it is there, and how it can be accessed by the organization or a criminal. The survey stressed this with many CIOs and CSOs expressing concern over the lack of visibility on their networks.
The thing that was not covered is why there was a failure in identifying important assets in the first place, which could be anything from policy issues to lack of staffing.
- 71% report that their network is at risk due to improperly configured network devices
Aside from product purchases and rapid deployments that can cause issues, why is this allowed to happen in the first place? The network devices were configured to address some sort of need to begin with, if the need is no longer valid, then why would this configuration not change? Instead of looking at appliances to solve the problems, why not look at policies and address changes there?
The answer in most cases is time and money. However, implementing the configurations in the first place were time consuming and costly, so if there are changes, this is all part of the process.
Surveys like this are a solid view into the state of things, but they are only a snapshot. Many of the problems expressed by the InfoSec professionals can likely be solved without a single purchase, by better leveraging the tools they already have and working with their vendor.
If there is a critical gap, then the needs of the business and the level of risk the gap exposes should be examined. Even then, money should not be carelessly tossed at the problem. Purchases decisions should be weighed on how they fit within the organizationís plans. Not at a single point in time, but for the entirety of the business itself. This will help prevent the cycle of purchases simply for the sake of covering problems with previous purchases.
Risk assessment and mitigation are likely the hardest things about security. They are a process, and are rarely mastered - no matter how many vendors or products flood the market, as no single solution can solve everything. However, if these solutions are applied to the business model, and changes are made only when business needs or risk justifies them; they are the two methodologies that can save the most when it comes to time and money, not to mention the pain of suffering a public security incident.
The entire RedSeal report is here.