How to be an effective security buyer

Make sure every tool or appliance you buy can be applied to different types of risk and attack

In previous columns I have repeatedly emphasized the importance of interoperability and the danger of security fragmentation. The security market is so fragmented that it is often hard to separate hype from reality. Large security vendors try to draw you into a single-vendor, closed integration package. Small vendors try to sell you the latest magic bullet, presenting what should be a feature as a whole new product category. Inevitably, you are left to cobble together disparate systems in order to get the depth of defense and layering of controls that you need.


Here are some quick tips on how to be an effective "buyer" of security:

Never buy a single-purpose tool. This is inspired by Alton Brown, who advises against buying kitchen tools that are "uni-taskers" (e.g. a cherry pitter). Instead, make sure every tool or appliance you buy can be applied to different types of risk and attack. Widely applicable tools that are not specific to one threat make a more effective toolbox and provide deeper, more overlapping layers of defense. Evaluate whether the tool or security solution covers:

• External and insider attacks

• Malicious and inadvertent incidents

• Known and unknown threats

• Automated and targeted attacks

• Heterogeneous OS and platforms (including mobile)

Avoid management feature overlap. You don't need another reporting engine for compliance; you need the tool to integrate with your existing reporting engine. For each of the following areas you should think about building a multi-vendor, open-standards-based, shared infrastructure, and you should avoid replicating these functions in every tool:

• Logging and auditing

• User, group and role directory

• Policy management

• Alerting and notification

Focus on assets, not threats. A tool that protects any asset against one specific type of threat (e.g. screening for guns, but not box cutters) is not as useful as a tool that protects one asset against any threat (e.g. a reinforced flight-deck door). If attackers can simply switch attack vectors, they will. If they have to switch targets, you have disadvantaged them.

Mortar, not bricks. The part that makes a wall strong is the mortar, not the bricks. Disconnected bricks fall down with a slight nudge. Buy "glue" software and security solutions that tie together various controls, monitoring systems, notification systems, etc. A well-integrated system with fewer controls is better than lots of disparate controls with no glue.

Empower people. Security cannot be automated as much as you'd like. Human adversaries adapt faster than automated tools and will use human ingenuity to work around your protections. You can't replace well-trained security professionals exercising judgment with computers. So empower the people by giving them tools that multiply their impact and productivity, instead of trying to replace them.

Standards, standards, standards. Interoperability and "glue" infrastructure require open APIs, open protocols, open formats and open standards. How do you know a standard is really open and not just a committee endorsement of a pseudo-standard? Look at how many different, potentially competing companies can interoperate using it. Ask the vendor: "Which of your competitors uses this?" If the answer is "none," then it's not a standard.

If all security buyers make slightly different choices, the industry will shift, dramatically and rapidly. There has never been a greater need for change in our industry.

Stories by Andreas M. Antonopoulos