DISCLAIMER: I work for the organization within EMC that provides Incident Response.
Home sick today, so I was catching up on some reading and came across “The Proliferation of Cyber Janitors” by Jeff Bardin. I have to say that I had to re-read it a couple of times to let it sink in. The gist of the article seems to be that security organizations are spending too much on “detect and respond” capabilities and not enough on proactive security measures. The principle is simple and correct: if you prevent it from “spilling” then you don’t need a janitor to mop it up. First off, I think many information security professionals who are involved with incident handling and incident response probably do not like being called janitors. Jeff uses it for a bit of sensationalism or controversy. The title got me to read the article, so mission accomplished I guess.
RSA chairman Art Coviello made a comment regarding breaches which in a nutshell said “It’s not a matter of if or when you will be breached, it’s a matter of how you will respond.” To which Jeff wrote “This statement indicates that he is beaten. He has thrown in the hat with the not if but when statement. All because they were breached.” Thrown in the hat? Art is stating what those of us who deal with security incidents have known for some time but were somewhat ineffective in getting senior management to see:
1. If you have human beings using software developed by human beings on systems designed by human beings and connected to the Internet, you are going to have a compromise. If you think otherwise then your head is firmly in the sand... or elsewhere. Think about this in terms of physical security. Why do Security Operations Centers for physical security exist? Because people will try to break in and someone has to be ready to monitor for and respond to that. Have organizations that built SOCs for physical security also “thrown in the hat”?
2. Despite what the article says about the proliferation of CSIRT / CERT functions, most organizations still are not equipped to deal with a compromise. Over the last 4 years I have had the opportunity to meet with many different security organizations, and the majority do not have the processes in place to deal with a major compromise. I would argue that there aren’t enough CSIRT teams out there. Most organizations aren’t anywhere near the level of the Hanover Insurance security team that won awards when Jeff was the head.
To me the article seems to be implying that CSIRTs rely on special technologies or products that come out of the cottage industry mentioned. While many CSIRTs may have some specialized tools (usually built by the team itself), they rely on the same tools and products that most likely already exist in the organization. A CSIRT isn’t about technology. It is about process. It is organizationally separating those who administer the security technologies from those who are looking at the logs and responding to the alerts. It is about dedicating some resources to very basic things that many organizations still don’t do, like looking at logs and doing root cause analysis. Security controls fail every day. Someone needs to have their eye on that ball.
I don’t argue that we need to be doing more to prevent. No, I don’t mean buying WAFs or IPS. I mean addressing the root cause. Secure coding and change management principles are foreign to many, many organizations. User education is also lacking as a whole. I also agree with Jeff that a shakeup is necessary. However, I do not think the shakeup needs to be in the security space. Security exists because something (outside of security) is failing. The root of the problem isn’t that security fails to be proactive. The root of the problem is that we need IDS, WAF, etc. in the first place. We do work in a reactive security world for the most part. In order to be proactive, security cannot be a technology. It has to be a principle that is part of all levels of the organization. We have not reached that Utopian point where incident response and cyber janitors are not needed. I doubt I will live long enough to see that point. We need to react to what is happening now and plan for where we think things are headed.
I find this statement interesting: “We need true innovative thought that uses cyber intelligence, counterintelligence and active defense and offensive measures in our programs.” Is it a coincidence that Jeff’s company (Treadstone71) offers those services? I’m not saying he is wrong. He is absolutely correct in that functions like cyber intel are sorely needed and do not exist in most organizations. You have to understand who your adversaries are, their methodologies and what they know about you. Those organizations that I have met with that have cyber intel / counterintelligence functions all have those functions in the same place.
Ironically it’s with the “janitors”.