This year at the RSA Security Conference some 40,000 people packed the halls of the Moscone Center in search of solutions (and light-up swords) to solve their problems. Whatever the issue, they were looking for a salve to soothe their wounds, in a manner of speaking.
For all of the vendors hawking their wares, there was one thing that no one seemed interested in talking about: process. Specifically, defined, repeatable processes. A friend once said to me, “Dave, the 90’s called and they want their phrase back.” But they can’t have it. We need that now more than ever. Security professionals seem to be endlessly fixated on tools and blinky things.
As the philosopher George Santayana famously said, “Those who do not remember the past are condemned to repeat it.” So why then do we continue to seek out technological answers and leave processes to fall by the wayside? Why do people buy solutions that aren’t going to fix things? A great example of this: why do people try to buy appliances to fight distributed denial of service attacks? Appliances just don't scale. It causes me no end of confusion.
In the course of my conversations with people this week, a lot of the issues that came up were ones that could be mapped back to process-related discussions. I talked about privileged access control in my article yesterday as one instance. The person I was talking to wanted to buy a solution to fix their management problem. I asked them what kind of process they had defined for adding and removing staff. I was met with a blank stare.
I have no doubt that there are solutions for issues such as this. Some of them may well be excellent, but that is a moot point if there is no process defined. If you go out to dinner at a restaurant, the process breaks down if you don’t know what you want for dinner. If you look at the wait staff and say “surprise me,” you may not be happy with the end result.
People generally don’t care too much for building processes. Much like log review, people like to talk about it, but few ever actually do it. Yet these are fundamental security components that need to be practiced at length and updated regularly.
One of my favorite stories to rehash is about a policy document that I encountered at a previous employer. The document was 10 years past its last review and, when read, was borderline incomprehensible. Upon further digging, it was discovered that it had been copied and pasted from a swimming certification. Yes, you read that correctly. Until I came along, no one had either read it or taken the time to dig into it. Some nitwit had created that document to satisfy a compliance requirement.
This is a problem that I’ve run into several times over the last couple of decades. If you don’t have solid processes, guidelines, standards and policies, you find that you are building on a foundation of tapioca and sand. It might look good to some, but it has no value.
Once you have defined your requirements and built your processes, then go talk to your vendors to find solutions.