While in San Francisco last week, I ran across an old friend from my security past who is now a CISO. We started discussing current events, the conference, the beauty of San Francisco, and inevitably found ourselves discussing his current plight.

He indicated that the corporate leadership over the IT group was pushing to remove maintenance on their SIEM product. He also indicated this to be standard fare for products within the infrastructure realm of IT. The infrastructure had been gutted over the past several years in an effort to reduce expense. Without consideration for the impacts and the continued reduction in security posture, the company, under the tutelage of the CIO/COO, decided that chewing gum and baling wire were and are adequate controls for maintaining availability of mission-critical systems. Under the weight of the ever-growing, revenue-generating, Internet-facing, mission-critical applications, the infrastructure bends and cracks in the wind like bamboo. Only this bamboo is rotting. The man-made decay continues on a yearly basis as new applications are developed and new application tools are purchased, while the speed of posture erosion increases due to targeted rotting at the roots. The weight at the top of the trees will eventually lead to a toppling.

A couple of other interesting items: the application scans run against these revenue-generating applications identify on average nearly 1000 OWASP Top Ten vulnerabilities in the code. As a result, application layer firewalls were deployed as a risk mitigation strategy. A smart move considering the impact to customers and the company alike. The only problem with this is that any time there is an issue with performance or some other problem relative to the revenue-generating applications, the fingers immediately point to the app layer firewall. Each finger pointed results in another rule being modified to open traffic to the defect-prone code (this after voiced objections to the contrary).
New applications and application middleware are purchased without consideration for the security infrastructure. As a result, the app layer firewall is seen as a roadblock to progress, as many times the new software does not work with the app layer firewall (discovered after purchase and implementation). More rules are removed to the point that the app layer firewall now resembles Swiss cheese and smells like Limburger.

You could see the despair in his eyes as he knew he had built a solid program, but the leadership decided that these tools have limited value and it is a damn-the-torpedoes, full-steam-ahead approach to generating revenue. The only risk they consider is that of not increasing revenues. I do hope they don't get breached, but then again, maybe a breach is just what the doctor ordered. I guess that what happened on the way to the conference was not so funny after all.