Qualys Blog

www.qualys.com
Juan C. Perez

Gartner: The Pursuit of Perfection Weakens InfoSec Effectiveness

While malicious hackers are the obvious enemies of InfoSec pros, there’s something else that puts IT environments in danger: Perfectionism.

When applied to security, perfectionism becomes detrimental, creating a false certainty that all bases are covered and yielding a fundamentally flawed approach to protecting enterprises from attacks, according to Neil MacDonald, a Gartner Distinguished Analyst and Vice President.

“Perfect security is impossible,” MacDonald said during a keynote speech at the Qualys Security Conference 2017 on Thursday.

Adaptive Security that Moves at the Speed of Digital BusinessRegardless of how hard organizations try to prevent breaches, hackers will eventually get in, so organizations must have tools and processes in place for those scenarios, he said.

Unfortunately, most organizations have focused too little on breach detection and response, so that when a hacker gets into their network, they’re grossly unprepared to deal with that situation.

“Once a bad guy gets past the gate, there’s very little in place currently that stops him,” MacDonald told QSC17 attendees at Las Vegas’ Bellagio Hotel.

Downplaying Breach Response Can Be Costly

For example, an organization may not detect a breach until weeks or months have gone by, because they don’t have the ability to monitor network traffic for abnormal patterns, nor identify suspicious user behavior or others indicators of compromise.

Once the breach is identified, the organization may be ill prepared to contain it, and afterwards, it may struggle to analyze how and why it happened, and what was the extent of the damage.

Thus, organizations need to place as much importance on detection and response, as they do on prediction and prevention. “We need both sets of capabilities working together as an integrated system,” MacDonald said.

Currently, it takes organizations an average of almost 100 days to detect a breach, at a cost of about $4 million per incident, numbers that are “off the charts” and indicate there is a lot enterprises must do to improve in this respect, he said.

Continuous Risk Assessment is Critical

When an organization has a balanced set of security processes and technologies, it’s able to do what Gartner refers to as “continuous adaptive risk and trust assessment” or CARTA.

“We need to make security a continuous decisioning process that weighs risks against trust all the time whenever possible,” MacDonald said.

This means having continuous visibility and assessment of end users, systems, system activity and other relevant elements, so that the organization’s security and compliance posture can be continually adjusted as necessary, and the right actions taken at any given point.

It’s implicit that InfoSec teams will be collecting, analyzing and correlating very large amounts of security and compliance data in order to inform their decisions. “InfoSec is becoming a Big Data analytics problem,” he said.

In this, security vendors, especially those claiming expertise in data analytics, must help their customers instead of putting the onus on them to make sense of all of this information.

Don’t Forget About Your DevOps Environment

CARTA applies not only to the “runtime” IT production environment but also to the apps that are in development, in particular in iterative, agile DevOps teams, where developers and IT ops staff work collaboratively to deliver code quickly and continuously.

It’s key for InfoSec teams to unobtrusively embed their automated security tools within the development environment via APIs, so that security scans, testing and monitoring happen transparently, without disrupting the flow of the DevOps pipeline. If that’s achieved, the organization will have successfully turned their DevOps teams into DevSecOps teams.

Within DevOps environments, InfoSec must pay particular attention to the third-party components, modules, frameworks, libraries and toolkits that developers use broadly today to assemble modern applications.

Those external elements often make up 90 percent of a custom application’s code, and they can contain all sorts of vulnerabilities and other security problems, so InfoSec must have clear visibility into all of the components in the apps their developers are putting together, especially within containers, he said.

MacDonald recommends that organizations demand their InfoSec vendors do these five things:

  • Expose access to their products’ functionality via APIs, so that customers don’t have to use the vendors product consoles to do anything
  • “Understand the world you live in” by supporting modern IT infrastructures, such as clouds, containers, DevOps, APIs and the like.
  • Support adaptive security policies
  • Provide full access to the security data they collect from your environment without penalties or extra fees
  • Use multiple protection techniques

He also summed up a series of best practices and tips for InfoSec teams to implement and adopt, including:

  • Start with visibility: What’s there? What’s new? What’s changed?
  • Get the basics right, such as vulnerability management, configuration hardening and device isolation
  • Access: Beef up authentication, but also invest in monitoring, intelligence and UEBA (user and entity behavior analytics) capabilities
  • Shift left and start getting involved now with DevSecOps initiatives
  • Shift your mindset from “incident response” to “continuous response”

He closed by reminding the audience that security is “a journey” of constant improvement. “It doesn’t have to be perfect,” he said. “We can continue to improve over time.”

One response to “Gartner: The Pursuit of Perfection Weakens InfoSec Effectiveness”

  1. Someone needs to call out this defeatist self-fulfilling worn out cliche meme: “Regardless of how hard organizations try to prevent breaches, hackers will eventually get in” – this is absolutely untrue, and the premise is deeply misleading.

    The problem is that organizations are not trying to prevent break-ins [I know, I sell a highly effective prevention solution, and most companies don’t buy it, and none of them even test our efficacy]. Companies have fallen prey to that false idea already, so instead of defending, they’re expending time and resources on detection and threat intelligence and so forth. Sure, those are something worth having, but NOT before you invest in protection FIRST.

    It is world war III online right now. We should not be building more hospitals, we should be stopping the carnage.

Leave a Reply