Shiny Objects

Security leaders all too often succumb to the distraction of a new shiny object that promises to be the panacea for all their security problems. Vendors encourage this line of thinking, happy to make another sale and to gain a new customer. What makes things worse is that the focus on CapEx budgets at most organizations, spent buying and implementing more tools, encourages this behavior, when an annual service may be a far cheaper, better and faster way to meet organizational needs.

'Shiny Object Syndrome' in the security realm is often associated with a myopic focus on one critical area of weakness or vulnerability. Perhaps an audit or assessment highlighted the gap and Executive Management jumped all over it. Perhaps a barrage of vendors telling you that you must have something in a particular space wore the CISO down, but be assured that security gaps are usually many, and are usually spread across a wide range of areas even for the most well-staffed and best-funded security departments.


Understanding Risk
Before rushing to implement solutions and being distracted by shiny objects, first make sure you have a comprehensive and holistic understanding of Digital and Integrated Risk as part of the organization's overall business enterprise risk strategy. Think about new areas of digital risk such as IoT that may not have been included in your last security audit or compliance assessment. Think about new business offerings and the strategic IT plan and how that may introduce weaknesses to the cyber defenses you have already put in place. And remind yourself that compliance is just one side of the CIA triangle that CISOs are responsible for.

Attacks against the availability of IT systems are on the rise; just look back to the recent WannaCry and NotPetya attacks. The damage was far greater, monetarily and reputationally, than a fine or slap on the wrist for a confidentiality breach. With the rise in botnet scale and sophistication, and their increasing use by cyber criminals and state actors to distract from or execute attacks, protecting the availability of data and systems will become far more important, if in fact it isn't already. Just ask Maersk or the British National Health Service!

First identify ALL assets. That includes IoT devices that are network attached, could be network attached but aren't currently, or contain sensitive data. This includes hospital medical devices and building management systems, even if they are on their own VLANs. Unless they are on air-gapped networks or are securely segmented using firewalls or Cisco ISE/TrustSec, they can be easily attacked and usually have little to no defenses. Just ask Cisco Talos, which has been conducting extensive testing and hacking of building management systems over the past year. How embarrassing would it be to have to report to the CEO that an attack against the enterprise SAN was executed from a hacked office thermostat?

Use new discovery tools to identify IoT assets. New services from the likes of CyberMDX, CloudPost, ZingBox and others will identify medical devices, device types, software versions and VLAN location via passive observation of biomedical network traffic without threatening a device. Active and passive scanning of business networks will identify traditional assets. IRM tools like IRM|PRO from Clearwater Compliance and others can consume scan data and combine with other information to perform full Risk Analysis, as well as HIPAA security and privacy compliance or NIST framework assessment.


Risks need to have 3 components: An Asset, a Threat and a Vulnerability



Threats come in 4 categories according to NIST: Accidental, Adversarial, Structural or Environmental

Risk = Likelihood * Impact


Many, if not most, IRM tools use a 25-point scale to evaluate risk, so that a risk appetite can be agreed with the board, typically 15 (or lower for more mature or risk-averse organizations), and any identified risk above that threshold needs to be dealt with. Risks are typically dealt with via remediation, eradication, transfer, or compensating controls. Once identified, risks should be prioritized, entered into a risk register, and remediation plans drawn up.


Overall Risk (Impact x Likelihood)

Impact \ Likelihood | Rare (1) | Unlikely (2) | Moderate (3) | Likely (4) | Almost Certain (5)
Disastrous (5)      | Low      | Medium       | High         | High       | Critical
Major (4)           | Low      | Medium       | Medium       | High       | High
Moderate (3)        | Low      | Low          | Medium       | Medium     | High
Minor (2)           | Low      | Low          | Low          | Medium     | Medium
Insignificant (1)   | Low      | Low          | Low          | Low        | Low

(Rows: Impact; columns: Likelihood.)
Clearwater uses a 25-point scale from zero to 25, as do many other leaders in the IRM space.
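As an added example (not part of the original article, nor any vendor's tool), the scoring above as a small Python risk register: each entry carries the three components of a risk, a NIST threat category, and likelihood and impact on the 1-5 scales; the rating is read from the matrix above and anything scoring above the agreed appetite of 15 is surfaced for treatment. The register entries are constructed sample values.

```python
from dataclasses import dataclass

# Rating bands transcribed from the risk matrix above (row = impact, column = likelihood - 1).
RATING = {
    5: ["Low", "Medium", "High", "High", "Critical"],  # Disastrous
    4: ["Low", "Medium", "Medium", "High", "High"],    # Major
    3: ["Low", "Low", "Medium", "Medium", "High"],     # Moderate
    2: ["Low", "Low", "Low", "Medium", "Medium"],      # Minor
    1: ["Low", "Low", "Low", "Low", "Low"],            # Insignificant
}
# The four NIST SP 800-30 threat source categories named in the text.
THREAT_CATEGORIES = ("Adversarial", "Accidental", "Structural", "Environmental")

@dataclass(frozen=True)
class Risk:
    """A risk needs all three components: an asset, a threat and a vulnerability."""
    asset: str
    threat: str
    category: str
    vulnerability: str
    likelihood: int  # 1 = Rare ... 5 = Almost Certain
    impact: int      # 1 = Insignificant ... 5 = Disastrous

    def __post_init__(self):
        if self.category not in THREAT_CATEGORIES:
            raise ValueError(f"unknown threat category: {self.category}")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on the 1-5 scale")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact  # Risk = Likelihood * Impact (25-point scale)

    @property
    def rating(self) -> str:
        return RATING[self.impact][self.likelihood - 1]

def above_appetite(register, appetite=15):
    """Risks scoring above the agreed appetite, highest score (then impact) first."""
    hits = [r for r in register if r.score > appetite]
    return sorted(hits, key=lambda r: (r.score, r.impact), reverse=True)

# Constructed sample register; values are illustrative, not from any real assessment.
REGISTER = [
    Risk("Enterprise SAN", "Pivot from a hacked office thermostat", "Adversarial",
         "Building-management VLAN not firewalled from server VLAN", 4, 5),
    Risk("Clinical workstations", "Self-propagating ransomware", "Adversarial",
         "Unpatched SMB on legacy Windows hosts", 5, 4),
    Risk("Data centre", "Flooding", "Environmental", "Below-grade server room", 1, 5),
]
```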


New Tools
Before investing in a new tool, figure out how long it's going to take to put that tool into production and what level of effort it will take to get there. Until that tool goes live it's nothing more than expensive shelf-ware, and it could become a thorn in your side if implementation proves to be longer than the board's or executive team's patience.

Many security tools can require upwards of 2 years to fully implement and take their place in the defensive lineup. According to CIO Magazine the average CISO tenure is now 17 months; Ponemon places it at 2.1 years. Either way, your 2-year project is unlikely to get from PO to production implementation before you move on to the next opportunity or challenge, so what does that say for the prospects of eventual completion under a different security leader? More importantly, how will your efforts be seen in hindsight, as a success or a failure, especially if you aren't there to see it through?


SaaS - Would a Security Service be Better?
The nice thing about security-as-a-service is that if it no longer meets your changing requirements, or you fall out of love with it, you simply part company at the end of the contract and fire up an agreement with a competitor. It allows you to have the best protection you can afford each year and not get stuck with something out of date.

Procuring and implementing tools gets you locked into a multi-year marriage, often with a spouse you have never met before. Depending on your depreciation schedules you could be stuck for 5 or 10 years. What's more, you will not be defended by the new tool until you have figured out how to use it and how to get it to production.

SaaS makes particular sense for smaller companies that may be resource-constrained by the number and caliber of security staff they can attract and retain in an increasingly highly competitive job market. It also makes great sense where a significant risk has been identified and where no compensating security controls can be leveraged to reduce risk exposure for the period it takes to procure, build, test and implement a new tool. When you absolutely have to have something now, a service will generally be a much more immediate fix.


More About Shiny Objects
Shiny objects may be OK when we are talking about a SaaS-based service, but their appeal depends very much on a solid and comprehensive risk analysis, thoroughly understood, before the business can justify procuring the service.

Most organizations have a hard enough time conducting a proper risk analysis let alone avoiding the distractions of shiny objects. No wonder then that so many fail.
