Simply buying additional expensive security products and configuring them no more completely or precisely than you did the last slew of protection tools you purchased is a road map to recurring breaches. Misconfigured tools fail to shield your existing attack surface and add vulnerabilities to it. The quality of the tools, the intent of the enterprise, and the discipline of the employees are not typically the issues.
The needs of the enterprise have stacked so many security products against a critical shortage of talent that your people can’t keep up. “A typical large enterprise may have deployed over 60 different security products to configure, tune, and patch. Many of these products generate hundreds if not thousands of alerts a day,” says Franklin Witter, principal industry consultant, Cybersecurity Solutions, SAS. If the same staff are fielding alerts and maintaining the tools, there may be no way to stay ahead of attacks.
CSO juxtaposes these and other complications of this security product configuration juggling act, prodding experts for their analysis of contributing factors and potential solutions.
Misconfiguration or no configuration leads to increased vulnerabilities
The larger the enterprise, the more likely it is that it has many, many security tools. Staff might not learn, use, or update any number of these, perhaps either because there is something off-putting about the technology (some kind of complexity, for example) or because it is one more task on top of an already overwhelming pile. When these tools stay connected and running on the network in a misconfigured, outdated fashion, they become vulnerabilities for attacker entry and liabilities for the enterprise.
Security products can come with native remote access capabilities. When enterprises use such products and leave remote access open with default or easily guessed credentials, they turn a security advantage the enterprise should leverage into a security vulnerability. “The industry has found numerous products that contain backdoors in their code, including products from Juniper and Fortinet,” says Dave Shackleford, lead faculty, IANS. “Many products contain open source code and libraries that have been vulnerable to Heartbleed, Shellshock, and other well-known attacks.”
Availability, allocation of security personnel
The number of qualified professionals in the security space falls short of the need. “Security professional scarcity is a consistent theme voiced by the nearly 14,000 security professionals that responded to the 2015 survey. Despite satisfaction with their jobs, current data and historical perspectives on employment, salaries, and tenure point to difficulty in attracting sufficient numbers of qualified entrants into the profession,” says The 2015 (ISC)2 Global Information Security Workforce Study.
Individual security staff may not have sufficiently broad or deep training in the security product areas the enterprise focuses on. “There may be a lack of understanding related to patch or firmware impact on security product performance for the more complex or critical infrastructure components such as firewalls, network IDS/IPS, and proxies leading to long delays or negligence in updates,” says Shackleford.
“Most security products are not included in typical vulnerability scans or patch/configuration management sweeps. This is definitely one reason why tools may not be as up-to-date as needed,” says Shackleford.
“Mature internal audit teams and external compliance auditors will usually check that security tools are properly configured. They don’t do this continually,” says Shackleford. The more frequently checks occur, the more quickly you can catch something that has gone amiss or was never configured in the first place. You still need enough security personnel with enough hours to achieve and maintain an acceptable threshold of proper settings, or frequent audits will not lead to frequent correction.
Enterprises should consider the costs of the status quo of keeping security tools connected that stagnate and grow increasingly vulnerable. Alternative paths include updating, configuring, and maintaining a backlog of neglected security tools or potentially even disconnecting some that you feel you can sacrifice while saving ongoing license and other costs to boot. Close abandoned or unnecessary remote access to security tools to eliminate those vulnerabilities.
To counter security product backdoors as well as open source code and libraries vulnerable to threats like Heartbleed and Shellshock, enterprises should ask suppliers about their security development lifecycle and privacy-by-design efforts, says Malcolm Harkins, CISO, Cylance.
According to Harkins, enterprises should ask technology providers about:
- responsible vulnerability disclosure
- processes for product/service security and privacy incident response
- where development is done to determine if that location presents a high-risk profile to the product integrity (some countries’ laws require product backdoors)
“Determine whether the technology provider has the competencies as well as character to mitigate and manage the product security and privacy risks,” says Harkins.
To close the gap between security professional supply and demand, move beyond the money to find more ways to attract candidates. Ensure a second look from talent looking for flexible work schedules, a greater selection of geographical work locations, career enhancement training, and career planning and road maps, says Frank Dickson, information and network security research director, Frost & Sullivan.
By offering staggered shifts, multiple attractive work locations outside the tri-state area, skillset enhancement opportunities, and a clearly-defined road map for advancement, the enterprise can loop in larger numbers of adept security resources, says Dickson.
“Resolving security product misconfigurations despite short staff comes down to where you want to prioritize your efforts to minimize enterprise risks,” says Witter. By prioritizing the immediacies of detecting and responding to high-risk attacks today above the long-term goals of maintaining security configurations over time, the enterprise will remediate the greatest number of the most costly threats.
When individual security staff do not have sufficiently broad or deep training in the security product areas the enterprise focuses on, do a skills assessment, create an organizational development plan to get the team trained in areas where there could be skills deficiencies, and try to hire at least some additional staff to address any remaining skills shortages, says Harkins. “Consider augmenting your team with external resources through an existing IT, security services, or consulting agreement or by hiring one or two staff members under contract, who could also provide on the job training for your existing team.”
Enterprises should inventory products attached to the network using scanning tools and techniques made for this purpose. Companies should maintain records of these scan results for comparison and audits. Organizations should monitor the network and attached products in real time as a part of their governance efforts. “The enterprise should manage and monitor security products just like other assets,” says Shackleford. This should help the business gain visibility into the number, type, placement, and condition of installed security products in order to fix configuration issues.
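The comparison of recorded scan results described above can be automated. The following is an added example, not part of the original article: it diffs two inventory snapshots of security products and flags the conditions the article warns about (remote access left on default credentials, stale patches, products excluded from vulnerability scans). The record fields, host names, and 90-day threshold are assumptions made for illustration.

```python
from datetime import date

TODAY = date(2024, 6, 15)  # constructed audit date

def rec(host, remote, default_creds, patched, scanned, cfg):
    # Hypothetical record layout; map your scanner's export onto these fields.
    return {"host": host, "remote_access": remote, "default_credentials": default_creds,
            "last_patched": patched, "in_vuln_scan_scope": scanned, "config_hash": cfg}

# Constructed sample snapshots of security products found on the network.
PREVIOUS = [
    rec("fw-edge-01", True, True, "2024-01-10", False, "a1"),
    rec("ids-core-01", False, False, "2024-05-20", True, "b1"),
    rec("proxy-dmz-01", False, False, "2024-04-02", True, "p1"),
]
CURRENT = [
    rec("fw-edge-01", True, True, "2024-01-10", False, "a1"),
    rec("ids-core-01", False, False, "2024-05-20", True, "b2"),
    rec("siem-col-02", True, False, "2024-06-01", True, "c1"),
]

def audit(current, previous, today, max_patch_age_days=90):
    """Return (host, issue) findings from comparing two inventory snapshots."""
    prev = {r["host"]: r for r in previous}
    cur = {r["host"]: r for r in current}
    # Products recorded last time but not seen now: removed, offline, or hidden.
    findings = [(h, "missing-from-scan") for h in sorted(prev.keys() - cur.keys())]
    for host, r in sorted(cur.items()):
        old = prev.get(host)
        if old is None:
            findings.append((host, "new-unrecorded-product"))
        elif old["config_hash"] != r["config_hash"]:
            findings.append((host, "config-changed"))
        if r["remote_access"] and r["default_credentials"]:
            findings.append((host, "remote-access-default-credentials"))
        if (today - date.fromisoformat(r["last_patched"])).days > max_patch_age_days:
            findings.append((host, "stale-patch"))
        if not r["in_vuln_scan_scope"]:
            findings.append((host, "excluded-from-vuln-scan"))
    return findings

if __name__ == "__main__":
    for host, issue in audit(CURRENT, PREVIOUS, TODAY):
        print(f"{host}: {issue}")
```

Keeping each snapshot on file gives auditors the comparison record, and the findings list gives short-staffed teams a prioritized starting point.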