This weekend I posted a tweet, a short simple statement – with a lot hidden behind it:
Security is Hard
I was trying to provoke discussion around two opposite ends of the security spectrum. The idea that security is so difficult that we might as well abandon the whole idea and the idea that security is trivially simple but there are certain blockers in the way (such as managerial denial, being understaffed, tech debt) which are preventing any real progress. The idea being that people are laughing at the statement “Security is hard” because they so wholeheartedly believe one of the above views that they cannot see the other.
I posted the tweet and people started the conversation with their 140-character views. The discussion soon outgrew the limitations of Twitter, and it hit a couple of key points along the way that I wanted to share with a wider audience. Before we get into that, though, I posted what I initially thought the two viewpoints were:
I was trying to raise an argument around discussion within the security industry, and specifically discussion between red team and blue team. I was trying to open a conversation between the defenders of a network and the attack simulators, the penetration testers. I feel that in some cases there’s a specific disconnect where each side cannot necessarily see the viewpoints, issues and challenges faced by the other side.
Penetration Testers work full time in security; they should be subject matter experts and really know their stuff. However, one disadvantage caused by this is the fact that they don’t necessarily see the wider challenges of the business. Someone who only does security will no doubt sometimes feel that security is everything a company must worry about and that nothing should stand in its way. Frustration comes about for this group when they perform a penetration test for a company and then, twelve months down the line, perform a test again and get similar results – it makes it feel like nothing has changed and no progress has been made, but they don’t necessarily see the reasons why this happens.
However, on the defence side there are many challenges that we forget about. For one thing, security is only one aspect of a company’s work; for many companies it’s an annual challenge, not a daily one. A company doesn’t exist to have perfect security, but exists to turn a profit, and security should augment that, not challenge it for priority. Infospectives reminds us that specific improvements in security look simple on paper. The remediation advice in your penetration testing report initially looks simple, but potentially there are a lot of factors that weigh in to make progress challenging for the IT team trying to make real progress.
Defenders are often restricted when it comes to fixing things. Take a look at change management; this is something that exists to ensure the reliability of our critical IT systems, yes? Now think of when Heartbleed hit. Within hours of initial disclosure, public exploitation code existed – was your IT team able to patch the systems before the exploit became public?
Ciaran McNally raised an interesting point too:
Blue team are challenged by the fact that not only are they potentially operating outside of their specialisation (having to be skilled in many areas, not just defensive security) but they are also understaffed with huge areas of responsibility. I initially took this to be a point about the issue of hardware versus manpower, where a company has a budget to divide between appropriately skilled people and appropriately purchased security appliances. A team without equipment is outgunned and equipment without a team is just as useless, so a balance must be found.
In hindsight, though, I can also see a point here about automation. With networks being of such huge scale these days, and logs growing and rotating at such speeds, we must automate many of the tasks of the security team so that important alerts can be highlighted and acted upon. We must gather events to act on them, but also archive them to tell a forensics story for the future. There’s a balance between information gathering, security event detection, and incident response. There are systems like SIEM (Security Information and Event Management), but these cannot operate without appropriate tuning and are useless without a skilled staff member responding to issues.
Which brings us on to:
Here I start to feel that not only must a company hire an appropriately sized team, but hiring people with the correct skill set is a difficulty in itself. I took a look into statistics around hiring into security positions, and “State of Cybersecurity: Implications for 2016”, a survey produced by ISACA of 461 IT professionals, highlighted recruitment as a specific challenge for companies, from the angles of finding talent with appropriate skills, filling positions in a timely manner and also retaining skilled employees.
Does your company offer training to staff members? There’s the concern that if you spend budget training staff members then they’ll leave, but the usual response to this is “What if you don’t train your staff – and they don’t leave?” The 2015 State of Cybersecurity Survey indicated that nearly 65 percent of all entry-level cybersecurity applicants lacked the requisite skills to perform the tasks related to the jobs they were seeking. So, with such difficulties in hiring appropriately skilled staff members, training is a critical consideration for a company.
The survey above offers its own explanations for the difficulty of hiring people, but I offered my own. I mean to argue that if red team is the more attractive position for a skilled security professional then they’re getting first pick – leaving blue team with whoever is left, adding to the challenges they already face:
My initial feeling is that because we divide security into attackers and defenders, we increase the problems faced by the blue team. If we consider the blue team to only win if the penetration test comes back empty, and the red team to have won if any significant security issue is found, we’re hammering down the morale of the blue team and rewarding the red team, every time.
Maybe I’m not the only person thinking this:
The above raises the issue that if we’re constantly praising the red team and pushing down the blue team, we’re damaging their attempts to actually make a difference. However, it’s critical to remember that when it comes down to it, we’re all on the same team. Many IT managers gather metrics to take to the upper echelons to show how progress is being made – maybe share some of that data with the IT team? If your team are doing well, it’s critical that they know that.
Now, we’re all trying to improve things, but:
Communication between both teams is critically important. Here I’m trying to raise the issue that the red team are offering advice to the defenders, but the advice may not be taken. I can see both sides of the issue here. The first is that the blue team may read the advice and feel that it’s inappropriate to their environment or doesn’t work with their current setup, meaning that they try something different (potentially without consulting the red team); if their actions don’t remediate the issue, then the red team feels ignored. This disconnect means that we’re not working together, we’re not working efficiently, and we’re not communicating with each other.
However, I think it goes further than red team and blue team, with Mitch Impey adding their own frustration:
Here I start to feel that not only are the attackers and defenders of our networks not communicating effectively, but the upper level of the company, management and the strategic decision makers, are not feeding back justifications and reasons for decisions and actions. Shutting down someone who’s trying to make things better without explaining why is incredibly disheartening, so consider sharing a little bit of the decision process with the guys on the ground in your IT team.
Finally, I thought about the line “inaction is more expensive”. I initially responded with this:
However, in hindsight I’m left thinking more and more about the true cost of a security breach. We hear vendors, information security professionals, and media shouting about the coming doom that is a company being breached, and how it’s the end of the world because of things like brand damage. Well, not only is gauging damage ahead of time difficult, so is gauging risk, cost, effects on brand – and a host of other things. Throw into that mix my earlier analysis of the effect on stock prices and we’re left with the mess that security is important, but we have a difficult time determining just how important it is to the wider businesses that we work for.
So thank you to everyone who responded to my question. Everyone will draw their own conclusions and they’re welcome to; I intended to bring you the discussion, not the answers directly. I personally feel that some real issues were raised during this discussion (which you can find here by the way). For me, I think security is hard. I think we have challenges that we’re not necessarily meeting well. So maybe we should all take five and think about some of the reasons that security is so hard – maybe some considerations to take away:
How well is your IT Team communicating with your Penetration Testers?
How well is your upper management communicating with your IT team?
Is the IT Team able to make swift improvements to security when critical issues like Heartbleed appear?
Is your IT Team praised appropriately for progress or simply put down annually because the Penetration test isn’t perfect?
How strong do you think your current analysis of the real world risk to your security is?
Is the balance between security hardware and security staff appropriate?
How are you training your IT team to be more effective?
How are you retaining your most experienced security staff?
Are we making progress or are we simply putting out fires?