What’s Missing from Nearly Every Security Approach

eWEEK SECURITY ANALYSIS: Some organizations go to a lot of trouble to make sure they have good security, and many don’t, but without the right mix of technology and people, it can’t be good enough.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

SpiceWorld2

AUSTIN, Texas – I walked through the exhibit space at the SpiceWorld conference here, and in booths scattered about, I saw appliance after appliance promising a solution to one security problem after another. One would trap phishing emails, according to the people there. Another would solve your authentication problems. Still another would look for malware of nearly any type, updated nearly continuously.

A consistent theme in their marketing was that while expensive, these devices were a lot less costly than hiring another employee. They would, they promised, protect your enterprise against attack. What was also interesting was that despite the promises of the appliance makers, their displays were not particularly busy, which is surprising given that this is an important show aimed specifically at IT professionals.

Go here to see a listing of eWEEK's Top SIEM Companies.

What they realized, of course, is that while technology plays a role in securing an enterprise, it’s not a solution in itself, whether it’s an appliance, endpoint protection software or something in between. That’s because technology solutions are intended to fix one problem. If the problem changes, then the technology misses, at least until someone applies an update.

Discovered One of the First Javascript Attacks

I found this out a few years ago when I encountered one of the first Javascript attacks in an email. What was purported to be an attachment containing a fax actually contained Javascript far down at the end of what appeared to be a long user agreement, buried in the legalese. The Javascript would have connected my computer to a server in Russia, and caused it to download a file. Fortunately, I was suspicious of the supposed fax, and didn’t actually open it in anything that could execute Javascript.

What’s important here is that the technology on my network, including some antivirus and antimalware software and a next-generation firewall, failed to catch it. But my annoyingly suspicious nature did catch it, and I was able to look at the file and see the malware that would have compromised the system.

This incident is just an illustration of what can happen to organizations on an ongoing basis as attacks become more prevalent. Brian Krebs, who runs the website Krebs on Security, described the complex nature of today’s security landscape in a presentation here, explaining what we can learn from data breaches. He pointed out that while technology can catch many of the security problems likely to affect most networks, it will never catch all of them.

Perhaps more important, the threats that technology doesn’t catch are frequently the most serious. They’re the attacks that become major breaches. This is because a really good attacker gets inside your network a little at a time, and spends days or weeks learning everything there is to know about your security, your network management and your security staff.

Bad Actors Strike on Their Own Terms

Only when they’re satisfied that they can launch an effective attack, do they move into actions that turn into a major breach. That breach can result in ransomware taking down your systems, and it can result in critical information being posted for sale to other cybercriminals.

Normally, Krebs said, there’s plenty of time for an organization to find and neutralize an attacker that’s found his/her way into your systems, if only the organization knows to look. So why don’t they? Two reasons: people and policy.

It takes trained staff to catch what the technology solutions miss, and “we don’t have enough people,” Krebs said. In addition, he noted that many companies make it far too hard to talk to them about security. To see how this doesn’t work, just try reporting a security problem to the company that has it. While there are a few companies that pay bug bounties, most don’t, and most don’t even have a means by which to receive such a report.

After his presentation, Krebs and I relaxed over some barbecue from Franklin’s, while he told me about an informal study he did recently on the Fortune 100. He was looking for senior executives with a title that indicated a responsibility for security. He found two.

Threat Landscape ‘Mercurial’ in Nature

The problem with a lack of leadership in security is directly related to the mercurial nature of the threat landscape. In an earlier presentation, security evangelist Nick Cavalancia explained that the only way companies can keep up with insider threats is to have people who actually know what’s happening with their employees, including when employees have problems that technology can never catch. He said that this is why it takes an alert staff to help prevent this type of security threat.

Krebs points out that that same fluid nature of the security environment is why no technology solution alone can prevent security breaches. He said it was critical to know whether the leadership of an organization sees the lack of good security as an existential issue. He added that businesses without such acumen are doing their companies and their shareholders a disservice.

Krebs added that with some of the new security threats, notably deep fakes, which can produce fake videos or voice calls that can fool even people who know the targeted individual well, can’t be easily detected by technology independently. While it can be done eventually, it provides plenty of opportunity for CEO fraud to take place, in what the FBI reports is already a rapidly growing security threat.

in many cases it takes a while to develop detection technology that can do recognize such fakes, and in the meantime, it takes people to unmask such an attack. Right now, “There’s not enough investment,” Krebs said.

Wayne Rash, a former editor of eWEEK, is a longtime contributor to our publication and a frequent speaker on business, technology issues and enterprise computing.

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...