It's always a good idea to point the car in the right direction before pressing the gas pedal, right? Why is it, then, that so many people lose sight of that simple concept?
I'm thinking about information security, of course, but here's another example that's probably familiar to most of you: People who, upon hearing that you work with computers, ask a directionless question like, "What's the best operating system?""What kind of computer should I buy?""What's the best backup?""The best smartphone?"
Of course, the answer to these questions, more often than not, is "It depends," though that seems to frustrate the questioners. "Just what does it depend on?" they'll ask. "What do you want to do with it?" I'll usually respond. All too often the response to that is a blank stare or a very unhelpful "Oh, all sorts of stuff."Great, you want to step on the gas before pointing the car, I'll say.
Of course, the answer to any such question has to be "It depends." What's the best operating system? Well, what do you want to use it for? I happen to like OS X for my desktop operating system. It suits my needs pretty well. But, then, I run a small consultancy and my needs are pretty basic: email, document preparation, Web and so on. A colleague of mine is a video production professional. His operating system of choice is Windows, since he's never been able to find the video editing tools he needs on other platforms. So here we have two polar opposite answers that are equally correct for our needs.
The same sort of thing holds true with choices in security products and services. What's the best intrusion-detection system (IDS), for example, is a question I hear quite often. Well, it depends. Just what is it that you're looking for? What security threats worry you? What are your business priorities when you come under attack and have to respond to it?
I recently encountered a large company that uses a popular signature-based network IDS product for its security monitoring needs. I asked a few questions about the sorts of things they're concerned about. The answers included things like insider threats and attacks using targeted, special-purpose malware. So I had to wonder: Given those worries, how was it that signature-based network IDS became the answer?
Signature-based network IDS products are great tools for finding specific things happening on a network, but only if you're able to tell them what they should look for. But many of the things they are concerned about at this company are inherently not things you can define statically or even in advance. An employee exceeding his or her authority on a system and subsequently stealing company data probably isn't going to be running one of those attack tools that an IDS is so good at finding.
In fact, that employee is probably going to be logging into business software that he or she is explicitly authorized to use. In that case, no attack signatures are going to be seen. It's possible that the business software could notice a change in the employee's behavior, but that's not a given, and it's certainly not something that network-based IDSes are well suited to find. Perhaps some application-level event-logging data combined with plenty of Netflow data could be useful at building the big picture view of what's going on and might be more suitable to the company's needs. Perhaps they should also be looking at other indicators of insider threat activities, like human resources information such as who has recently been passed up for a raise, bonus or promotion. Bottom line, though, if your chief concern is insider threats, then you'd better not be relying on a network IDS to do the job. If you do, you'll be staring blissfully at a product console that will never tell you that your biggest fear has been realized.
I think that company should take its foot off the gas pedal and figure out where it wants to go and the best way to get there.
With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Deptartment of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.