
Operations
9/8/2015 11:00 AM
Bruce Cowper
Commentary

Avoiding ‘Magpie Syndrome’ In Cybersecurity

A quick fix usually isn't. Here's why those bright shiny new point solutions and security features can cause more harm than good.

Have you ever been in a situation where your security tools and features simply got in the way? It happened to me recently, when an airline called me in to fix a problem.

The email account of the airline’s chief engineer had been compromised. This was critical, because the engineer was authorized to direct planes to anywhere at any time. The management team wanted to know whether the attack was internal or external.

The firm had a complex array of different point solutions designed to address specific threats. Instead of helping, the threat response technologies spewed out an ocean of data that was almost impossible to correlate. To make matters worse, the person who set up the whole information security infrastructure had left the company, leaving the team entangled in unfathomable security spaghetti. The investigation proved inconclusive and cost a lot of money.

How do security teams get to this sorry point? Both customers and vendors have a part to play.

On the customer side, many of the people in charge of cybersecurity budgets are IT practitioners, for whom cybersecurity is one of many challenges they deal with every day. Their primary objective is to identify and quickly neutralise threats, which they may not have the time to entirely understand.

A vendor’s primary objective is to sell things. To do that, they must make it easy to market. That requires a clearly identifiable problem with fixed, clear boundaries.

This leads them both to the same problem. I call it magpie syndrome – an unhealthy fixation on bright, shiny security product features that each promise to deliver but fail to solve security problems on their own.

Security takes more than product features
Buying an appliance or a new piece of software can provide short-term, empty satisfaction. In reality, there’s no silver bullet, and the complete solution to your security problem rarely has a three-pin plug at the end of it. In many cases, customers may not even understand how to use those features properly, making them detrimental rather than useful.

Shiny product features can sometimes blind people to the need for process. Another firm – a publishing house – contacted me after their FTP server became compromised. This should have been a two-hour fix: unplug the box, rebuild the server, and reload the data from backup.

In reality, it took days. The firm’s security team became mired in politics that stopped it from doing its job. The server contained data from a number of different departments, and each of them had its own idea about how to handle the problem. They spent most of that time fighting over when to take the box offline.

The publishing company should have had an incident response playbook that was tested and used, neutering the politics up front. Like the airline, it should also have focused on basic operations that would have prevented the problems in the first place.

Vendors and customers pursue this feature fetish during every product refresh because it’s easy. Vendors can identify a new threat category – ideally with a sexy acronym – put ‘anti’ on the front of it, stick it into the next product version, and score a quick sale. Harried customers looking for an easy fix can buy it, tick a box, and then blame someone else if their systems are compromised. No one ever has to really think about the problem in depth, but eventually, everyone loses.

A more mature approach
How can we make everyone a winner? There is an opportunity to strengthen security from the ground up, getting the basics right through education and deep, tactical and strategic thinking.

Let’s start with the customers themselves. Instead of blindly ponying up more security budget, they can take a step back and ask whether the latest attack identified by the vendor is a serious threat to their organization or not. If it is, then they could ask whether their existing tools – in conjunction with some smart procedures and awareness training – could achieve the same goal as the latest security gizmo.

Vendors have an opportunity to look beyond the short-term sales opportunity and truly partner with customers and help them understand what’s needed. They can build longer-term relationships including service-based revenue models. Strong partner ecosystems will help drive the systematic change that will help us thwart attackers.

The alternative continues to put vendors and customers alike at a disadvantage in a game of rising stakes. With the frequency and cost of breaches and data losses on the rise, it doesn’t seem to be working well for the industry so far.

Bruce Cowper is a founding member of the Security Education Conference Toronto (SecTor), which takes place October 20 and 21. For more information and to sign up for educational sessions about techniques spanning the management and technology aspects of cybersecurity, visit http://www.sector.ca.

Bruce Cowper is a founding member of the Security Education Conference Toronto (SecTor), the Toronto Area Security Klatch (TASK), the Ottawa Area Security Klatch (OASK) and an active member of numerous organizations across North America. In his day job, Bruce works for ...
Comments
paulholland
User Rank: Apprentice
9/9/2015 | 4:59:20 AM
RE: Avoiding 'Magpie Syndrome' In Cybersecurity
I agree with this; the technologies are great up to a point, but you need to have your processes in place to support them properly, and also the staff knowledgeable enough to be able to deal with the process and the technology.
mattwilliamsfromseattle
User Rank: Apprentice
9/8/2015 | 8:23:06 PM
Importance of Context Awareness
The issue I see with many of the anti-"fill-in-the-blank" and the shiny new vendor tools is that they are siloed. Vendors make many promises about their tool, but context awareness around their tool is important, as well as being able to integrate each tool into an overarching strategy. I agree with the point that vendors need to act as trusted advisors instead of going for the easy sale. Unfortunately, like the bad actors out there, vendors and security teams both follow the path of least resistance. Meaning, until either vendors or, more likely, security teams work together to discover how a tool can fit into a security strategy, we will continue to see this 'Magpie Syndrome.' On top of that, we have yet to see a tool that manages vendor risk; how difficult is it to know that the best tools and a top-notch strategy can be undone by a third-party vendor with poor security?