Choosing the right bullet: targeted vs broad solutions for security concerns
Anirban Banerjee
Tom Seo from Envision Ventures (investors in Onion ID) recently published a high quality enterprise security article on TechCrunch. The article gives a very logical rundown of the state of enterprise security today; in fact the material reads as a good thought-leadership position paper. Tom has done a great job of grasping a lot of what goes on in the enterprise security space, and he was kind enough to acknowledge the advice and comments I provided.
I think the article talks about the right things. Enterprise security today is built around a bunch of magic silver bullets, so let's dive a bit deeper into this. Enterprises try to solve a whole gamut of security issues with a range of point solutions, from endpoint protection to e-mail filtering services to Single Sign On and more. The issue we recognize when we talk to CISOs is that security teams often try to do too much, or have too much piled onto their plates. Even though enterprises buy a lot of good silver bullets, putting them to effective use is like chasing a unicorn (http://www.infosecurity-magazine.com/news/companies-buy-good-security-but/).
My limited experience with enterprises has taught me that teams should always take bite-sized chunks out of large problems. The focus should be on manageability, not breadth of coverage. I know that statement sounds sacrilegious to security folks, but consider the fact: you will always have some sort of vulnerability (https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf). Therefore trying to close every single hole in your armor is not the most effective strategy. What many teams have found effective is to focus on the biggest and most critical hole. And if a team can focus on the root cause rather than the symptom, it is much more beneficial for all involved.
Focusing on the root cause sounds simple enough, but is it in practice? Consider the case where a security team is asked: do we have two-factor authentication on our portal for employee logins? If not, we should get it done. This is exactly the sort of statement most C-level execs would pass to a SecOps team. It's a perfectly reasonable request, but we need to peel the onion further to understand what the actual purpose of the request is.
Enterprise security today is akin to an M&M: hard on the outside, and as soon as you punch a hole in it you can get to the gooey chocolate inside. Don't agree? Here's an exercise for you. Identify five web apps your employees use: Salesforce, Marketo, Google Analytics, pick any five. Now write down the security features you have enabled to make sure that, when an employee's laptop and phone are both compromised, you can still stop a data breach. Sounds simple enough, but it isn't. Why? Things are not all hunky dory because you do not control the third-party SaaS app, or the cloud server for that matter; you only have access to it, to use it for your purposes.
Let's go back to the original question the C-level exec asked: do we have two-factor authentication on our portal for employee logins? If not, we should get it done. Let's try to understand what risk this request is really about. The candidate risks are data loss, access to PII, financial loss and so on, and the answer is a bit convoluted because every company is different. The point, however, is that addressing the root cause of this request does not mean cobbling together a solution out of many magic bullets like SSO, password management and vaulting, User Behavior Analysis and more; it means drilling down to the core: access privileges.
Ask yourself this: what if someone could crack your Single Sign On and two-factor enabled Salesforce account but could not actually click the button to download customer data? Would you still be in favor of putting together a seemingly strong solution comprising multiple vendors and products? Probably not. Authentication only establishes who is logging in; what that account is then allowed to do is a separate question, and that is where the real exposure lives.
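To make that scenario concrete, here is a small Python model, added as an example for this post; it is not code from the original article, from Onion ID, or from any product named here. A session that has cleared both SSO and a second factor is still stopped at the export button unless its role carries that privilege, and a helper enumerates what an attacker actually gains by taking over an account with a given role. The role names, privilege names, users and audit-line format are all hypothetical and constructed for the illustration.

```python
"""Authentication is not authorization: added example, not code from the
original post or from any product it mentions.

Models an employee portal for a CRM-style SaaS app. A session that has
passed both SSO and two-factor authentication still cannot bulk-export
customer data unless the account's role carries that privilege. Roles,
privileges, users and the audit-log format are hypothetical.
"""

from __future__ import annotations

from dataclasses import dataclass

# Hypothetical role-to-privilege mapping. Nothing is granted by default:
# a role missing from this table, or a privilege not listed under a role,
# is denied.
ROLE_PRIVILEGES: dict[str, frozenset[str]] = {
    "sales_rep": frozenset({"view_account", "edit_opportunity"}),
    "sales_ops": frozenset({"view_account", "edit_opportunity", "run_report"}),
    "data_admin": frozenset({"view_account", "run_report", "export_customer_data"}),
}


@dataclass(frozen=True)
class Session:
    """The state an attacker inherits when they fully take over a login."""
    user: str
    role: str
    sso_authenticated: bool
    mfa_verified: bool


class AccessDenied(Exception):
    pass


def is_authenticated(session: Session) -> bool:
    """Strong authentication only establishes who is at the keyboard."""
    return session.sso_authenticated and session.mfa_verified


def is_authorized(session: Session, action: str) -> bool:
    """Deny by default: an unknown role or an unlisted action gets nothing."""
    return action in ROLE_PRIVILEGES.get(session.role, frozenset())


def perform(session: Session, action: str, audit: list[str]) -> str:
    """Run `action` for `session`, appending one audit line, or raise."""
    if not is_authenticated(session):
        audit.append(f"DENY user={session.user} action={action} reason=unauthenticated")
        raise AccessDenied(action)
    if not is_authorized(session, action):
        audit.append(f"DENY user={session.user} action={action} reason=no_privilege")
        raise AccessDenied(action)
    audit.append(f"ALLOW user={session.user} action={action} role={session.role}")
    return f"{action}:ok"


def blast_radius(role: str) -> frozenset[str]:
    """Everything an attacker can do after fully compromising an account
    with this role. Privilege scoping, not the login flow, decides this."""
    return ROLE_PRIVILEGES.get(role, frozenset())


def compromised_rep_attempts() -> dict[str, bool]:
    """Worked scenario: the attacker holds a sales rep's laptop and phone,
    so SSO and the second factor both pass. Returns which actions succeed."""
    stolen = Session(user="alice", role="sales_rep",
                     sso_authenticated=True, mfa_verified=True)
    audit: list[str] = []
    outcome: dict[str, bool] = {}
    for action in ("view_account", "export_customer_data"):
        try:
            perform(stolen, action, audit)
            outcome[action] = True
        except AccessDenied:
            outcome[action] = False
    return outcome


if __name__ == "__main__":
    print(compromised_rep_attempts())
    for role in ROLE_PRIVILEGES:
        print(role, sorted(blast_radius(role)))
```

The check in `perform` is ordered deliberately: the authentication gate comes first, but passing it buys the caller nothing beyond a lookup against the privilege table, and `blast_radius` is the number a team should be asking about when the 2FA request lands on its desk.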
I am a strong believer in using the minimum number of silver bullets, and in making sure the bullets are appropriate. Consider this: had the request for two-factor authentication been peeled back and a discussion about why it was necessary started, nearly any security team would have identified that user privileges are at the core of the issue. So, in order to reduce the number of silver bullets and pick the appropriate one, enterprises need to focus on solutions that give coverage while staying targeted on their core value proposition. A product that straddles areas as different as endpoint protection, DLP and CASB says something about how focused it really is.
I have used the following really simple template to select solutions in the past: (1) identify the core issue; (2) identify a solution broad enough to cover both the request and the core issue; (3) make sure the solution is targeted at solving the core issue and the request. Applying this template to the request above, we would select a solution that does privilege management, two-factor authentication and employee account management, but not endpoint protection or malware analysis. Just look at the slew of product offerings from vendors who claim to have silver bullets for everything under the sun.
Returning to the core of Tom's article: I strongly believe that the multiple-silver-bullets strategy is flawed. We need to find a balance between addressing the concerns of sales, marketing and corporate groups and, at the same time, addressing the underlying core problem. I believe that with this approach SecOps teams can save a lot of time, avoid misaligned expectations and execute well on targeted goals.
Wishing you all a safe and secure quarter!