If you haven't attended a vendor-driven security conference, I highly recommend it.
It can be a fruitful trek if you run out of pens or need a logo-tagged foam thingy to keep a drink cold.
I'll drop the sarcasm here. If you've read past blog entries from me, you can probably predict the direction of this post. If you want more professional-sounding posts that are reasonable and insightful, please ignore me and witness Caroline's magic. Tell her I sent you.
This genre of conference is meant for security professionals to explore current vendor solutions and to hear industry players address today's security problems in the sessions. For those reasons, there's a compelling case to attend.
Yes, we know that threat scenarios are evolving, blah, blah, blah. The question is, how are they going to address these problems?
So what does a quick survey look like?
It's hard to find a knowledgeable engineer exhibiting at these events. There are New York coffee shops where I have a better chance of bumping into someone technically savvy. Salespeople and sound bites dominate. If your engineers are so 1337, maybe entice a few to play exhibitor?
But the real problem is that too many security solutions are outright intrusive.
Want to protect web browsing and email systems? The most common option is to pay a vendor to sit between the user and the web site, or between email senders and recipients. Sounds reasonable? It's essentially a "Mallory-in-the-middle", more commonly known as a "man-in-the-middle" (MITM), approach, and it removes end-to-end confidentiality: the intermediary terminates the user's encrypted session, reads the plaintext, and opens a fresh session to the real destination. For web traffic this only works because a root certificate controlled by the vendor or the employer has been installed on every endpoint; if you want to know whether you are behind one, look at who issued the certificate your browser shows for any public site.
Please welcome a gatekeeper that intercepts user web or email traffic, and all the secrets it might contain. Forget that MITM is a type of malicious attack in normal parlance.
MITM security solutions in this form have been around for decades, and for just as long, I have waited in anticipation for a privacy revolt against them to commence.
The term "zero trust" conventionally refers to architectures that grant no implicit trust based on network location or ownership and that authenticate and authorize every request. We should recycle that phrase and turn it upside down to mean "I have zero trust in your solution."
Passwords, credit card numbers, hostile acquisition plans, partner pillow talk? You have “zero trust” that your third-party security vendor isn't reading or storing them in the clear. All you have are promises and assurances. The best response I heard to this was a vendor claiming to have no interest in reading customer data.
I would explore the topic of function creep, but that deserves its own blog post.
The more technically sophisticated security solutions may seem obscure to most people, but are worth explaining.
Operating system security dictates that every request from an application to the core system (the kernel) is a system call, and that each one is checked against what that process is actually permitted to do. Unlimited access to infinite resources is dangerous in operating systems, just like endless refills of soda are in a fast food place. All the soda will be consumed or the dispenser will break. Most modern operating systems address this with varying degrees of effectiveness. I could go into more detail, but let's keep it light.
When operating system code is open source and publicly available, it's difficult but at least approachable to profile and restrict what software may ask of the kernel. When an operating system is closed source and the code is not available, it's very difficult for an external firm to build an effective solution. There's too much magic under the hood. It's best to leave it to the operating system developers, at a Microsoft or an Apple, since there are too many known unknowns.
Over the years an array of companies has attempted to provide this service for all types of closed-source operating systems. The problem isn't just efficacy, but also trust.
It's intrusive when strangers walk in without knocking. Then there are those who want to reside between your clothes and your skin. That is essentially what some of these companies are doing: put us in the most intimate locations in your systems, and we'll make you safer. We're talking MITM to the extreme.
And again, "zero trust" works here. You are owned with or without any malfeasance. If a third party's control is that low level in computer systems (which are already owned by another third party), there is nothing left to protect.
It's one of those many cases in which not using a security solution is better than using one. The best option might be to give them enough ownership in your company so they won't blow it up.
We seem to be in a tumbling snowball of security solutions that can only imagine more privileged access to user activity and low-level systems. You think SolarWinds was bad?
We once called third parties in a network or at the kernel level "intruders." Now we call them providers.
But it's not just about what the security vendors do wrong. They don't deserve the full dose of blame. One particularly useful discussion I had was around this very topic. In many cases, customers seem to want intrusive security solutions to make addressing security issues someone else's problem. IT and infosec are understaffed. You can at least displace the blame when the inevitable breach arrives.
The usual security paradigms aren't particularly effective in solving today's or tomorrow's problems. Yes, threat scenarios are evolving, everyone is a target and it's outright scary. If that doesn't ring true, it's because you don't know any elders who have been victimized out of their retirement funds.
Has the turn-around time for recovering from significant identity theft for civilians decreased?
Security industry tools should be effective weapons for evolving threat scenarios. But we don't need more third-party access to confidential and privileged data. We don't need to keep throwing more and more lines of bug-ridden code at problems as if quantity will resolve the problems by itself.
We do need to start reducing security exposure: keep an accurate inventory of third-party vendors, off-board them properly when the relationship ends, and count shadow IT in that inventory. We need time dedicated to auditing and shrinking the amount of source code we run. That ultimately means raising the bar for adding more security products into the ecosystem.
Those answers weren't apparent at this event. The most legitimate fear, uncertainty and doubt (“FUD”) we should have is that the very industry meant for defense against digital attacks may be the biggest liability.
About the author: George is a co-founder and CTO of ClearOPS. By trade, George is a systems administrator out of BSD Unix land, with long-time involvement in privacy-enhancing technologies. By nature, he thrives on creating unorthodox solutions to ordinary problems.
About ClearOPS. ClearOPS revolutionizes third-party risk with its support for both buy-side and sell-side vendor management, powered by Generative A.I. Take your vendor management to the next level and fix your internal workflows for maximum efficiency. Inquiries: info@clearops.io