To get more secure, first figure out where you want to go

If you don't ask the right questions, you could end up with protection that doesn't take care of your real problems.

It's always a good idea to point the car in the right direction before pressing the gas pedal, right? Why is it, then, that so many people lose sight of that simple concept?

I'm thinking about information security, of course, but here's another example that's probably familiar to most of you: people who, upon hearing that you work with computers, ask a directionless question like "What's the best operating system?", "What kind of computer should I buy?", "What's the best backup?" or "What's the best smartphone?"

Of course, the answer to these questions, more often than not, is "It depends," though that seems to frustrate the questioners. "Just what does it depend on?" they'll ask. "What do you want to do with it?" I'll usually respond. All too often the response to that is a blank stare or a very unhelpful "Oh, all sorts of stuff." Great, you want to step on the gas before pointing the car, I'll say.

And the answer really does depend. What's the best operating system? Well, what do you want to use it for? I happen to like OS X as my desktop operating system. It suits my needs pretty well. But, then, I run a small consultancy and my needs are pretty basic: email, document preparation, Web browsing and so on. A colleague of mine is a video production professional. His operating system of choice is Windows, since he's never been able to find the video editing tools he needs on other platforms. So here we have two opposite answers, each of them correct for its user's needs.

The same sort of thing holds true with choices in security products and services. "What's the best intrusion-detection system (IDS)?" is a question I hear quite often. Well, it depends. Just what is it that you're looking for? Which security threats worry you? What are your business priorities when you come under attack and have to respond to it?

I recently encountered a large company that uses a popular signature-based network IDS product for its security monitoring needs. I asked a few questions about the sorts of things they're concerned about. The answers included things like insider threats and attacks using targeted, special-purpose malware. So I had to wonder: Given those worries, how was it that signature-based network IDS became the answer?

Signature-based network IDS products are great tools for finding specific things happening on a network, but only if you're able to tell them in advance what to look for. A signature describes what known attack traffic looks like on the wire, and many of this company's concerns are inherently things you cannot describe that way, statically or in advance. An employee exceeding his or her authority on a system and subsequently stealing company data probably isn't going to be running one of the attack tools that an IDS is so good at finding.

In fact, that employee is probably going to be logging in to business software that he or she is explicitly authorized to use, with valid credentials, over the usual ports. In that case, no attack signatures are going to be seen; the legitimate session and the malicious one look identical to the sensor. It's possible that the business software could notice a change in the employee's behavior, but that's not a given, and it's certainly not something that network-based IDSes are well suited to find. Application-level event-logging data combined with plenty of NetFlow data could be useful in building a big-picture view of what's going on, and might be more suitable to the company's needs; such behavioral indicators need a per-user baseline of normal activity and will produce false positives that an analyst has to triage, but at least they are looking at the right data. Perhaps the company should also be looking at other indicators of insider threat activity, such as human resources information about who has recently been passed over for a raise, bonus or promotion. Bottom line, though: if your chief concern is insider threats, then you'd better not be relying on a network IDS to do the job. If you do, you'll be staring blissfully at a product console that will never tell you that your biggest fear has been realized.
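To make the contrast concrete, here is an added example (not code from this column, and not from any IDS product it mentions). It runs two checks over the same constructed application audit log from a hypothetical CRM: a signature match of the kind a network IDS performs, and a per-user behavioral baseline built from application-level events. The log format, the user names, the "export" action and the signature list are all assumptions made up for illustration.

```python
"""Signature matching vs. a per-user behavioral baseline over app audit logs.

Added example, not from the original column. The log format, users,
"export" action and signature strings are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample: one line per record-export event from a hypothetical CRM.
# Format: ISO timestamp, user, action, record count, source IP.
SAMPLE_LOG = """\
2024-03-04T09:12:03 alice export 40 10.1.4.20
2024-03-04T14:50:11 alice export 35 10.1.4.20
2024-03-05T10:02:45 alice export 50 10.1.4.20
2024-03-06T11:31:09 alice export 45 10.1.4.20
2024-03-07T09:48:30 alice export 38 10.1.4.20
2024-03-08T22:15:02 alice export 4200 10.1.4.20
2024-03-04T09:30:00 bob export 300 10.1.7.9
2024-03-05T09:31:12 bob export 280 10.1.7.9
2024-03-06T09:29:40 bob export 310 10.1.7.9
2024-03-07T09:33:05 bob export 295 10.1.7.9
2024-03-08T09:30:51 bob export 305 10.1.7.9
"""

# Hypothetical attack-tool markers of the sort a signature-based IDS keys on.
SIGNATURES = (b"sqlmap", b"nikto", b"../../etc/passwd", b"<script>")


def parse(log_text):
    """Yield (timestamp, user, action, count, ip) tuples from the constructed log."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, count, ip = line.split()
        yield datetime.fromisoformat(ts), user, action, int(count), ip


def signature_hits(log_text):
    """Lines containing any known signature. Authorized use yields none."""
    return [line for line in log_text.splitlines()
            if any(sig in line.encode() for sig in SIGNATURES)]


def daily_export_totals(events):
    """Sum exported records per (user, day)."""
    totals = defaultdict(int)
    for ts, user, action, count, _ip in events:
        if action == "export":
            totals[(user, ts.date())] += count
    return totals


def flag_volume_anomalies(log_text, factor=5.0, min_history=3):
    """Flag (user, day, total, baseline) where a day's export volume exceeds
    `factor` times the user's baseline. The baseline is the mean of that
    user's *earlier* days only, so a spike is judged against history rather
    than inflating its own baseline. Days without enough history are skipped.
    """
    totals = daily_export_totals(parse(log_text))
    per_user = defaultdict(list)
    for (user, day), total in sorted(totals.items(), key=lambda kv: kv[0][1]):
        per_user[user].append((day, total))

    flagged = []
    for user, days in per_user.items():
        for i, (day, total) in enumerate(days):
            history = [t for _, t in days[:i]]
            if len(history) < min_history:
                continue
            baseline = mean(history)
            if total > factor * baseline:
                flagged.append((user, day.isoformat(), total, round(baseline, 1)))
    return flagged


def off_hours_events(log_text, start_hour=8, end_hour=19):
    """Events outside the assumed business window (a second behavioral cue)."""
    return [ev for ev in parse(log_text)
            if not (start_hour <= ev[0].hour < end_hour)]


if __name__ == "__main__":
    print("signature hits:", signature_hits(SAMPLE_LOG))
    print("volume anomalies:", flag_volume_anomalies(SAMPLE_LOG))
    print("off-hours events:", [(e[1], e[3]) for e in off_hours_events(SAMPLE_LOG)])
```

On this input the signature check returns nothing, because every line is an authorized user doing an authorized action, while the baseline check flags alice's 4,200-record export against her history of roughly 50 records a day, and the off-hours check points at the same late-evening event. The factor, the history window and the business hours are tuning knobs; set them too loose and the spike hides, too tight and bob's ordinary variation generates noise.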

I think that company should take its foot off the gas pedal and figure out where it wants to go and the best way to get there.

With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Department of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.
