How to protect security product investments

A security workforce shortage and other factors compound the problem of misconfigured security tools. There are solutions.

Simply buying additional expensive security products and configuring them no more completely or precisely than you did the last slew of protection tools you purchased is a road map to recurring breaches. Misconfigured tools fail to shield your existing attack surface and add vulnerabilities to it. The quality of the tools, the intent of the enterprise, and the discipline of the employees are not typically the issues.

The needs of the enterprise have stacked so many security products against a critical shortage of talent that your people can’t keep up. “A typical large enterprise may have deployed over 60 different security products to configure, tune, and patch. Many of these products generate hundreds if not thousands of alerts a day,” says Franklin Witter, principal industry consultant, Cybersecurity Solutions, SAS. If the same staff are fielding alerts and maintaining the tools, there may be no way to stay ahead of attacks.

CSO juxtaposes these and other complications of this security product configuration juggling act, prodding experts for their analysis of contributing factors and potential solutions.

Misconfiguration or no configuration leads to increased vulnerabilities

The larger the enterprise, the more security tools it is likely to have. Staff might not learn, use, or update any number of these, either because something about the technology is off-putting (its complexity, for example) or because it is one more task on top of an already overwhelming pile. When these tools stay connected and running on the network in a misconfigured, outdated state, they become entry points for attackers and liabilities for the enterprise.

Security products can come with native remote access capabilities. When enterprises use such products and leave remote access open with default or easily guessed credentials, a security advantage the enterprise should leverage becomes a security vulnerability. “The industry has found numerous products that contain backdoors in their code, including products from Juniper and Fortinet,” says Dave Shackleford, lead faculty, IANS. “Many products contain open source code and libraries that have been vulnerable to Heartbleed, Shellshock, and other well-known attacks.”

Availability, allocation of security personnel

The supply of qualified security professionals falls short of demand. “Security professional scarcity is a consistent theme voiced by the nearly 14,000 security professionals that responded to the 2015 survey. Despite satisfaction with their jobs, current data and historical perspectives on employment, salaries, and tenure point to difficulty in attracting sufficient numbers of qualified entrants into the profession,” says The 2015 (ISC)2 Global Information Security Workforce Study.

Configuration training

Individual security staff may not have sufficiently broad or deep training in the security product areas the enterprise focuses on. “There may be a lack of understanding related to patch or firmware impact on security product performance for the more complex or critical infrastructure components such as firewalls, network IDS/IPS, and proxies leading to long delays or negligence in updates,” says Shackleford.

Scans, audits

“Most security products are not included in typical vulnerability scans or patch/configuration management sweeps. This is definitely one reason why tools may not be as up-to-date as needed,” says Shackleford.


“Mature internal audit teams and external compliance auditors will usually check that security tools are properly configured. They don’t do this continually,” says Shackleford. The more frequently checks occur, the more quickly you can catch something that has gone amiss or was never configured in the first place. You still need to have enough security personnel with enough hours to achieve and maintain an acceptable threshold of proper settings or frequent audits will not lead to frequent correction.

Solutions

Enterprises should weigh the cost of the status quo: security tools that stay connected while they stagnate and grow increasingly vulnerable. The alternatives are to work through the backlog of neglected tools (update, configure, and then maintain them) or to disconnect those you can afford to sacrifice, saving ongoing license and support costs in the process. Close abandoned or unnecessary remote access to security tools to eliminate those vulnerabilities.

To counter security product backdoors as well as open source code and libraries vulnerable to threats like Heartbleed and Shellshock, enterprises should ask suppliers about their security development lifecycle and privacy-by-design efforts, says Malcolm Harkins, CISO, Cylance.

According to Harkins, enterprises should ask technology providers about

  • responsible vulnerability disclosure
  • processes for product/service security and privacy incident response
  • where development is done to determine if that location presents a high-risk profile to the product integrity (some countries’ laws require product backdoors)

“Determine whether the technology provider has the competencies as well as character to mitigate and manage the product security and privacy risks,” says Harkins.

To close the gap between security professional supply and demand, move beyond salary and find more ways to attract candidates. Earn a second look from talent that wants flexible work schedules, a wider choice of work locations, career enhancement training, and career planning with clear road maps, says Frank Dickson, information and network security research director, Frost & Sullivan.

By offering staggered shifts, multiple attractive work locations outside the tri-state area, skillset enhancement opportunities, and a clearly-defined road map for advancement, the enterprise can loop in larger numbers of adept security resources, says Dickson.

“Resolving security product misconfigurations despite short staff comes down to where you want to prioritize your efforts to minimize enterprise risks,” says Witter. By putting the immediate work of detecting and responding to today’s high-risk attacks ahead of the long-term goal of maintaining security configurations over time, the enterprise remediates the largest number of the most costly threats first.

When individual security staff do not have sufficiently broad or deep training in the security product areas the enterprise focuses on, do a skills assessment, create an organizational development plan to get the team trained where there are skills deficiencies, and try to hire at least some additional staff to cover any remaining gaps, says Harkins. “Consider augmenting your team with external resources through an existing IT, security services, or consulting agreement or by hiring one or two staff members under contract, who could also provide on the job training for your existing team.”

Enterprises should inventory products attached to the network using scanning tools and techniques made for this purpose, and keep the scan results on record for comparison and audits. Organizations should monitor the network and attached products in real time as part of their governance efforts. “The enterprise should manage and monitor security products just like other assets,” says Shackleford. This gives the business visibility into the number, type, placement, and condition of installed security products so that configuration issues can be fixed.
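The following script is an added example, not code from the article or from any vendor quoted in it. It treats security appliances as audited assets in the way Shackleford describes: it reports inventoried security products that fall outside the vulnerability scanner's scope (the gap noted under "Scans, audits"), lists remote-management listeners reachable from the general network (the open remote access discussed above, with cleartext telnet called out), and diffs two scan snapshots so that drift such as a newly opened port or an uninventoried appliance is caught between audits rather than at the next annual review. Every IP address, product name, banner and scope range is constructed for the example.

```python
"""Treat security appliances as managed assets: check scan-scope coverage,
flag reachable remote-management services, and diff two scan snapshots.
All inventory and scan data here is constructed for the example."""
from ipaddress import ip_address, ip_network

# Constructed asset inventory of security products (IP -> record).
SECURITY_ASSETS = {
    "10.0.1.10": {"product": "perimeter firewall", "firmware": "6.2.1"},
    "10.0.1.20": {"product": "network IPS", "firmware": "4.0.0"},
    "10.0.2.5": {"product": "web proxy", "firmware": "8.1.3"},
    "192.168.50.7": {"product": "legacy IDS sensor", "firmware": "2.3.0"},
}

# Constructed scope of the vulnerability/configuration scanner.
SCAN_SCOPE = ["10.0.1.0/24", "10.0.2.0/24"]

# Ports treated as remote-management listeners; telnet is cleartext.
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 443: "https", 8443: "https"}
CLEARTEXT_PORTS = {23}

# Two constructed scan snapshots (IP -> {port: service banner}), taken from
# the general network rather than from a dedicated management VLAN.
PREVIOUS_SCAN = {
    "10.0.1.10": {443: "fw-mgmt 6.2.1"},
    "10.0.1.20": {22: "OpenSSH 7.4"},
    "10.0.2.5": {3128: "squid 4.1", 8443: "proxy-admin 8.1.3"},
}
CURRENT_SCAN = {
    "10.0.1.10": {443: "fw-mgmt 6.2.1", 23: "telnet"},  # telnet newly open
    "10.0.1.20": {22: "OpenSSH 7.4"},
    "10.0.2.5": {3128: "squid 4.1", 8443: "proxy-admin 8.1.3"},
    "10.0.2.99": {443: "unknown appliance"},  # not in the inventory
}


def out_of_scan_scope(assets=SECURITY_ASSETS, scope=SCAN_SCOPE):
    """Inventoried security products that the scanner never looks at."""
    nets = [ip_network(n) for n in scope]
    return sorted(ip for ip in assets
                  if not any(ip_address(ip) in n for n in nets))


def unknown_hosts(scan, assets=SECURITY_ASSETS):
    """Hosts the scanner sees that the inventory does not know about."""
    return sorted(set(scan) - set(assets))


def exposed_management(scan):
    """Management listeners reachable from the scan vantage point.
    Returns (ip, port, banner, 'cleartext'|'encrypted') tuples."""
    findings = []
    for ip, ports in sorted(scan.items()):
        for port, banner in sorted(ports.items()):
            if port in MANAGEMENT_PORTS:
                kind = "cleartext" if port in CLEARTEXT_PORTS else "encrypted"
                findings.append((ip, port, banner, kind))
    return findings


def drift(previous, current):
    """What changed between two snapshots: hosts and listeners that appeared
    or disappeared. A new listener on a security product deserves a ticket."""
    prev_hosts, cur_hosts = set(previous), set(current)
    new_ports, closed_ports = [], []
    for ip in sorted(prev_hosts & cur_hosts):
        before, after = set(previous[ip]), set(current[ip])
        new_ports += [(ip, p) for p in sorted(after - before)]
        closed_ports += [(ip, p) for p in sorted(before - after)]
    return {
        "new_hosts": sorted(cur_hosts - prev_hosts),
        "gone_hosts": sorted(prev_hosts - cur_hosts),
        "new_ports": new_ports,
        "closed_ports": closed_ports,
    }


def report(previous=PREVIOUS_SCAN, current=CURRENT_SCAN):
    """One line per finding, suitable for filing against the asset record."""
    lines = []
    for ip in out_of_scan_scope():
        lines.append(f"NOT SCANNED  {ip}  {SECURITY_ASSETS[ip]['product']}")
    for ip in unknown_hosts(current):
        lines.append(f"UNINVENTORIED  {ip}  {current[ip]}")
    for ip, port, banner, kind in exposed_management(current):
        lines.append(f"MGMT REACHABLE  {ip}:{port}  {banner}  ({kind})")
    for key, items in drift(previous, current).items():
        for item in items:
            lines.append(f"DRIFT {key}  {item}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

In practice the two snapshot dictionaries would be loaded from the scanner's exported results (for example parsed Nmap or vulnerability-scanner output), and the inventory from the CMDB; the point is that the security tools themselves appear in both, and that each run is stored so the next one has something to diff against.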

By David Geer