If you’re a security professional and there’s a new phrase or product going around with which you are unfamiliar, there’s a better than even chance you won’t need that thing. Ever.
The reasons are myriad, but the major offenders are:
- It’s something that product vendors invented to scare you into thinking you’ve missed something; [e.g. Advanced Persistent Threats]
- It’s something Gartner was paid to promote into a magic quadrant of some sort, [e.g. most of Gartner’s output]
- It sells column inches; or
- It’s something you already have but now it has a sexier name. [e.g. Logging and Monitoring is now Security Information and Event Management (SIEM)]
For me, this pet peeve started with ‘The Cloud’. Suddenly everything had to be “In The Cloud”, and adopting Cloud-based services was the only way to keep up with your competition …blah blah blah. Basically, The Cloud was the only way you were going to stay in business in the digital age.
“But wait David!” I hear you gasp, “Isn’t The Cloud just an application on the Internet? Haven’t we had this capability for, I don’t know, DECADES!?!” Why yes, Dear Reader, we HAVE had this capability for decades, but clearly you didn’t know you needed it until it had a fancy name and vendors were shoving the concept down your throat!
I know of organisations that quite literally renamed their ‘Managed Security Services’ to ‘Cloud Security Services’ without changing a SINGLE piece of infrastructure or a single process. And yes, this hid all manner of sins, but for some reason the new name stopped clients asking difficult questions like: “Can you tell me how it works?”
By sheer coincidence, I gave a webinar last week titled “Ignore Future Attacks, Fix Your Broken Security Program First”. It could just as easily have been called “Ignore Buzzwords, Fix Your Broken Security Program First” and the content would be almost identical. We need to stop focusing on the new when we usually don’t even know what assets we’re trying to protect, who has access to what, or what any given system should look like from a normalised perspective.
Business needs information in context in order to compete, and the data that makes up that information is stored somewhere on a physical system. I don’t care if it’s virtualised, containerised or whatever-ised, it’s still a piece of hardware running an operating system sitting in a room somewhere (yes, I know it can be distributed). Nevertheless, there is NOTHING you need outside of an established good security practice to protect this data from what’s out there now, and what will be out there in the future. REGARDLESS of its name!
Segmentation, configuration standards, access control, logging and monitoring and a host of other old fashioned and boring names all boil down to one thing: baseline. What should a system look like all day every day, and how do I report anything different? No innovation in security capability (i.e. the latest buzzword) will be of any use whatsoever if you don’t have the basics right, because you’ll have no idea what you have, let alone how it should normally behave.
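As an added illustration of what “baseline” means in practice (this is example code, not anything from the original post): a small Python check that compares an approved system baseline against a later snapshot of the same host and reports every addition, removal and change. The two snapshots, the category names (listening_ports, services, local_accounts, file_hashes) and the config file contents are all constructed for the example; on a real host you would populate the snapshot from the system itself.

```python
"""Baseline drift check: compare an approved baseline with an observed
snapshot and report every deviation.

Added example, not code from the original post. All data below is constructed.
"""
import hashlib
from dataclasses import dataclass, field


def sha256_of(content: bytes) -> str:
    """Hex SHA-256 of a config file's bytes (fed here with constructed text)."""
    return hashlib.sha256(content).hexdigest()


@dataclass
class Drift:
    """Deviation of one category of an observed snapshot from its baseline."""
    category: str
    added: set = field(default_factory=set)    # present now, absent from baseline
    removed: set = field(default_factory=set)  # in baseline, missing now
    changed: set = field(default_factory=set)  # same key, different value (dicts only)

    def is_clean(self) -> bool:
        return not (self.added or self.removed or self.changed)


def diff_category(category: str, expected, actual) -> Drift:
    """Compare one category: sets yield added/removed, dicts also yield changed."""
    drift = Drift(category)
    drift.added = set(actual) - set(expected)
    drift.removed = set(expected) - set(actual)
    if isinstance(expected, dict):
        common = set(expected) & set(actual)
        drift.changed = {k for k in common if expected[k] != actual[k]}
    return drift


def diff_baseline(baseline: dict, observed: dict) -> list:
    """Return one Drift per category that deviates; an empty list means no drift."""
    drifts = []
    for category, expected in baseline.items():
        drift = diff_category(category, expected, observed.get(category, {}))
        if not drift.is_clean():
            drifts.append(drift)
    return drifts


def render_report(drifts: list) -> str:
    """One line per deviation, in a fixed order so reports are easy to diff."""
    if not drifts:
        return "no drift from baseline"
    lines = []
    for d in drifts:
        lines += [f"{d.category}: ADDED {item}" for item in sorted(d.added)]
        lines += [f"{d.category}: REMOVED {item}" for item in sorted(d.removed)]
        lines += [f"{d.category}: CHANGED {item}" for item in sorted(d.changed)]
    return "\n".join(lines)


# Constructed baseline for a hypothetical single-purpose web server.
BASELINE = {
    "listening_ports": {"22/tcp", "443/tcp"},
    "services": {"sshd", "nginx", "rsyslog"},
    "local_accounts": {"root", "www-data", "deploy"},
    "file_hashes": {
        "/etc/ssh/sshd_config": sha256_of(b"PasswordAuthentication no\nPermitRootLogin no\n"),
        "/etc/nginx/nginx.conf": sha256_of(b"worker_processes auto;\n"),
    },
}

# Constructed snapshot taken later: an extra listener, the logging daemon gone,
# sshd_config edited, and an unexpected local account.
OBSERVED = {
    "listening_ports": {"22/tcp", "443/tcp", "8080/tcp"},
    "services": {"sshd", "nginx"},
    "local_accounts": {"root", "www-data", "deploy", "support"},
    "file_hashes": {
        "/etc/ssh/sshd_config": sha256_of(b"PasswordAuthentication yes\nPermitRootLogin no\n"),
        "/etc/nginx/nginx.conf": sha256_of(b"worker_processes auto;\n"),
    },
}

if __name__ == "__main__":
    print(render_report(diff_baseline(BASELINE, OBSERVED)))
```

The point of the check is not the four categories chosen here but that every one of them has an agreed “normal” to compare against; the missing rsyslog line is the kind of deviation that matters most, because a host that has stopped logging is one you can no longer baseline at all.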
Ignore the hype, ignore the press, ignore Gartner and their ilk, focus on the stuff that you’ve likely relegated to a ‘previous generation’s problems’. They are still your problems too.