Clouding the Solution Landscape: Mediocrity vs Strategy – Going the Easy Path….

We live in a time where 10 years ago is deemed as ancient history (from an IT view), a time that is well past, so different to today – a time that aside from reflecting on where we came from, provides little more to help improve what we have today. Information Security is hampered by this thinking.

We’re continually looking for new solutions today to fix up the inherently weak technologies we’ve…well, inherited, but we don’t always view them this way. Instead, we see new technologies with issues that can only be fixed by new thinking, new security tools, technologies and approaches. We accept mediocrity in a lot of cases because we either don’t think there’s anything else we can do, or we just don’t understand, nor want to understand, how to attack root cause issues better. (There are many reasons for the latter: expertise, resourcing, costs etc.) We don’t look back for solutions. We don’t look deep for solutions. We go down the easy path to try to find solutions for today’s problems.

Have a look at what companies are doing and budgeting for from a security perspective and ask yourself: is this something that is going to make a qualifiable and quantifiable difference to the security of a company? Don’t look at it from just a point-solution perspective, but rather from a holistic/enterprise perspective. It’s a common mistake (if you can call it a mistake). Here’s an example:

System view security vs. Application view security

And here’s the above scenario in practice: Application Security Reviews – Pitfalls, Dangerous Mistakes and Assumptions.

These examples focused on applications but the scenarios described can translate to all aspects of Information Technology and our approaches to security.


Are many, (or most) approaches taken to Information Security little more than knee-jerk tactical responses and plans that fall into “workaround” and “accepted mediocrity” categories – approaches that continually divert our attention from better solutions that may more directly attack the root cause of problems? I believe they are.

Most things we (in the industry) do seem to fall into these categories, and we’ve been using these tactics since day 1. Attacking the root cause of problems and dealing with them is generally deemed too difficult. Great in theory, you’ll be told, but we need “pragmatic” solutions (while agreed by some to be far from perfect) that work today!

It’s 2009 and I see we’re still not thinking past just trying to bog up the rust to keep something at an acceptable level/working order (relative to what the individuals involved believe is workable and effective for them). It’s subjective, and those “acceptable” levels, and how that determination has been made, need to be questioned. Is the complete picture there, and was sufficient data accumulated for correct/accurate decisions to be made? How often is it not, yet decisions are still made to the detriment of the business? More often than not, I put it to you.

Defeatist attitudes that lead to “workarounds” and “accepted mediocrity” are detrimental to any significant change and a better future. There is no ideal world and no perfect security, we know that, but all “workarounds” and “accepted mediocrity” have done is move us backwards, and we continue to move backwards. It makes no sense that we accept this as our lot. We are losing the battle, and as new technologies and business approaches evolve on the Internet, we further accept this as our lot going forward and, for the reasons mentioned, revert to the “trusted” (yet disproven) tactic of “workarounds”.

WAFs (and IDS/IPS, firewalls etc, and most technologies we use in the Information Security industry) are workarounds to deal with our inherently insecure technologies, built upon insecure software. I’ll never accept that we should implement workaround technologies as the sole thing available to us, “so let’s make the most of it”. If a WAF protects an organisation from something bad to a level of 60% or so, that is failure to me. Does the decision maker who purchases these products and services fully understand this when it is sold to him? Is the picture clear to them about alternatives focused on attacking the root cause from a micro-level perspective (ie; their organisation)? Is the former solution (a WAF, for example) at the end of the day going to be better for them at present, given they can’t at present comprehend what else can be done, or even if they can, just cannot do it due to the old expertise, resources and funding issues? Will they even try to consider this seriously? It just doesn’t happen in our world of fantastic and magical products they’re sold; products that they are “sold” to believe will do all they want, to allow them to sleep better at night.

How do you judge, outside of the marketing claims that really cannot be accurately confirmed [by them], vs. the more difficult theoretical holistic arguments that can’t be plugged and played like the former? Let’s spend a few million on something that “will make our organisation secure”! The sales guy guarantees it. (12 months later, the sales guy is working for a competitor and now bags the product he sold the client last year as being crap “…and far from being able to deliver what we told them [the client] it would”.)

Dealing with the root cause is too hard, and many critical thinkers in our industry have accepted that we’re never going to be able to effectively attack this root cause. That concerns me. We as an industry are very insular and, as a result, many have made the determination on behalf of broader society that the cause is a lost one. How can you do that? I say broader society awareness is going to help. When society is more aware, we make a determination on what we expect and what we don’t want to accept. Let’s not give up on this and accept that our hands are tied.

Drazen Drazic

About Drazen Drazic

Drazen Drazic is the CEO of Securus Global. Securus Global is one of the leading Information Security consulting organizations in the Asia Pacific region - also servicing clients from around the globe. He is directly engaged as a strategic consultant by many organizations, across most industry sectors on matters to do with Information Security policy and strategy. In earlier times, he has headed up Information Security for a large global investment bank and Big 4 professional services firm, worked as a regional IT Director, and has spent many years promoting and talking about Information Security. He is also the chief writer on the IT Security Management site, Beast or Buddha.

5 Responses to Clouding the Solution Landscape: Mediocrity vs Strategy – Going the Easy Path….

  1. Matthew Hackling November 5, 2009 at 3:24 pm #

    Draz,

    Don’t be all bashing WAFs and IPS. These technologies can be useful in remedying an application security problem identified after an incident until fixes can be developed and tested. I know a few organisations that just run these in-line in monitor mode just in case something bad happens so they have an easy to configure “choke-point”.

    For example we wouldn’t need “anti-virus” or “end-point-protection” if we had secure operating systems that only allowed trusted code to run and encrypted disks by default. However we don’t have these and AV provides a useful back-stop against run of the mill “me-too” worms and exploit code. Unfortunately AV doesn’t protect against custom written “crimeware”.

  2. Drazen Drazic November 5, 2009 at 3:40 pm #

    Matt,

    I agree that certain technologies have their place and I have documented that position in the past. I argue against the position that these technologies be seen as *the* solution and the root cause issues forgotten about and left unaddressed.

    At a minimum, the awareness needs to be there in understanding the limitations of the products (as you allude to also). If that awareness is not there, leading to the oft mentioned false sense of security (they provide), well you’re probably in worse trouble than when you know you have a problem. :)

    DD

  3. Wireghoul November 5, 2009 at 4:33 pm #

    To paraphrase a customer of my former employer (a web-hosting co);

    “But I use a Mac and I have SSL, my website must be safe!”

    Raising awareness with whom? The end user? I think the landscape slopes the other way in that regard. The user shouldn’t and often cannot make the decisions that the endless popup windows ask them to do. Grandmothers need to use the internet too.

    I’m afraid I don’t have a simple solution to the problem tho :3

  4. JamieT November 6, 2009 at 1:31 am #

    Nice and well worded. More mainstream people should read this.

    Wireghoul, good points but I think the story covered it from that angle and was asking the same questions you did.

    You present the problem, what is the solution?

    JW

  5. Drazen Drazic November 8, 2009 at 3:29 pm #

    Mainstream awareness is key as I mentioned in my opinion. We can’t on our own be left to make the final calls on what is acceptable to broader society. We continue to push that awareness and with that hopefully comes greater accountability over what we do. In a nutshell.
