In this episode of CyberSound, we explain what will bring the most value to your security plan.
Security Products – Silver Bullets vs Snake Oil
Listen to this episode on
[00:00:00.380] – Speaker This is Cybersound. Your simplified and fundamental focused source for all things cybersecurity, with your host, Jason Pufahl and Stephen Maresca.
[00:00:11.650] – Pufahl
Welcome to Cybersound. I’m your host, Jason Pufahl, joined by Steve Maresca, as usual. Hi, Steve.
[00:00:18.010] – Steve
Hi. How are you doing today?
[00:00:19.160] – Pufahl
Good. So here’s a topic that we’ve been debating for a little while. Security products, silver bullets versus snake oil. And so I want to start, though, and I want to be clear about this right from the get go.
[00:00:32.520] – Pufahl
This is not a discussion around security products to be see bad, or in some way, a negative discussion about security products. But I honestly do feel strongly that the security industry, in general, I think, doesn’t really do itself a favor in its marketing approaches and just generalize branding around their products.
[00:01:04.110] – Pufahl
I think too often we see security products positioned as really that silver bullet, the solution that’s going to address all of your security needs. And I think in a way gives customers overconfidence or a sense of overconfidence in what their security posture is without doing some of those more basic things that we often talk about.
[00:01:25.790] – Pufahl
So I do want to spend some time on that today. Is the security industry marketing itself properly? Are we selling products that actually solve problems so they too niche for their own good?
[00:01:38.520] – Pufahl
Spend some time around that in our line, I think. I know we’re recently well aligned there, but I suspect we probably have some differences in this regard.
[00:01:47.080] – Steve
So a false sense of protection is the worst possible thing that you can have as a customer. When you deploy a new security product means that you think you’re ready for an attack when you’re not really.
[00:01:56.420] – Pufahl
So let’s talk about a couple of common ones. So the firewall is probably the most recognizable, at least, security products that exist out there. We’ve been deploying them for 30 years, 25 years, a long time, and they’ve evolved significantly.
[00:02:17.010] – Steve
Antivirus being another one. I mean, everyone’s familiar with that for the greater period of the same time frame. Do they do what they’re intended to do? Hopefully, I think that most people deploy them because they think that they should not because they know what they do.
[00:02:33.640] – Pufahl
And with antivirus, you should? They’re not a perfect solution, but you should have them.
[00:02:40.000] – Steve
Certainly. And it’s efficacy. How good are they? What involvement do they need from you in order to work properly?
[00:02:47.690] – Pufahl
It’s interesting with antivirus, in particular, because that’s evolved a lot over the last half dozen years or so.
[00:02:54.800] – Steve
And some might say degraded over time, too.
[00:02:57.870] – Pufahl
In what way?
[00:02:59.650] – Steve
Well, the common line of thought is that antivirus platforms these days are, though, believe to be 100 percent guardians of your systems. They’re like 30-50 percent effective depending upon which vendor we’re talking about.
[00:03:13.840] – Steve
Threats evolve. Threats are unique to each target. From an attacker standpoint. Antivirus works best when it knows what an attack is. It only works in the realm of known threats. When it’s new, it’ll miss it.
[00:03:28.500] – Pufahl
So I think some of the the old school viruses that would happen, they’re very predictable. So antivirus, the basic definition base work better.
[00:03:38.880] – Pufahl
We do see a lot more activity now. Maturation is based to try and identified behavior rather than just purely definition based. So I think they’ve made some improvements significantly. Of course, I say the more sophisticated, the called the basic antivirus platform, probably the more expensive, too.
[00:03:57.590] – Steve
And getting back to firewalls because you introduced that upfront. At the end of the day, your business has to make holes into your network in order to function. And sometimes those can be broad enough to let anybody in.
[00:04:09.320] – Steve
It’s a question of how they’re deployed and whether they are fit for purpose, not necessarily whether they’re going to keep someone out. If you need a service to be exposed, that means it’s exposed to an attacker too, potentially.
[00:04:23.320] – Pufahl
The biggest challenge that I have with a firewall… I guess there’s probably a couple of them. But one of the things that I think is one of the hardest is, do you have a competent firewall administrator to actually deploy, manage, and oversee that? Because they’re really sold and build as that main protective gate. That has been the line of thinking around firewall for a long time.
[00:04:49.970] – Pufahl
And there’s some things that make them probably not as effective as they were 10 years ago. There’s been a huge shift now to encrypt more traffic, certainly web traffic.
[00:05:02.900] – Pufahl
A lot of the firewalls are designed to look for web-based threats. And frankly, unless you’re going to deploy some fairly sophisticated techniques to evaluate that traffic, your firewall can’t see or inspect encrypted traffic.
[00:05:17.790] – Pufahl
So it limits their capability. And I think a lot of people don’t really fully understand that. And I think treat these as that silver bullying.
[00:05:26.450] – Steve
To your point. You deploy a fire wall because you don’t have one. You think it’s protecting you. It’s right there in the name. It’s a wall, antivirus, anti. It’s the connotation.
[00:05:36.620] – Steve
And if they are simply not capable of inspecting things, that means that you need to have additional effort, additional expense. It’s not something that you anticipate at the beginning, and that’s missed on a lot of entities, unfortunately.
[00:05:53.290] – Pufahl
And it’s hard. So I want to be careful and really be fair to firewall companies. Managing a firewall policy set or firewall rule set for anything bigger than a 10-person company is complex.
[00:06:08.960] – Steve
And it’s not the feeling of the vendor. It’s expected that the purchaser do that work.
[00:06:14.470] – Pufahl
And we see it all the time. You deploy a new service, it doesn’t work. You assume, maybe correctly, that it’s the firewall. You implement a policy that says, permit this traffic anywhere, and then you never go back and fix it.
[00:06:30.780] – Pufahl
So firewalls have a tendency, I’d say of a firewall policy or rule basis have tendency of probably getting more permissive over time than originally intended. It takes real discipline to go back and review those rules and make sure that they are actually providing the protection that you think or desire.
[00:06:46.980] – Steve
So neither of these are snake oil. These are things we would recommend on a regular basis. These are proven technologies, one employed appropriately. But when they fail, what’s the common story?
[00:06:59.960] – Steve
The threads that I perceive are that a customer is upset because an attacker was able to get in. Well, how? I have this protective device in place. The data that I consider most important leaked. How is that possible?
[00:07:15.390] – Pufahl
And circumstances often influence the deployment of device like that. So if you think about the last year, maybe 18 months now, but there is a big migration from on-prem office-based workforce to remote, either fully remote, partly remote. Whatever the case might be, you had your IT staff forced to trying to figure out to accommodate that remote workforce, and a lot of time that meant opening firewall policies or reducing the restrictiveness of firewall policy to permit external people from getting in.
[00:07:52.680] – Pufahl
We’ve seen a lot of cases where we’ve chatted with clients where they’ve been overly permissive to make sure that they were able to get the totality of their workforce exposing themselves.
[00:08:02.310] – Steve
I’ll go even further. We’ve seen several incidents that we have dealt with explicitly that are caused by some of these more permissive changes, and they’re not necessarily going away.
[00:08:11.640] – Steve
There’s now an expectation of remote work to some degree. I don’t see that as a negative. It’s flexibility in the workplace. That’s always a good thing, but we have to adapt to it. And everyone that had to make those changes need to reevaluate, especially now, as we’re considering a shift back to the office in some places. So reevaluation is necessary.
[00:08:34.560] – Steve
Everything that’s deployed from an antivirus, firewall, and every other solution that we might consider, these things need to grow with an organization and be revisited regularly.
[00:08:44.720] – Pufahl
So you made a comment that I liked. I can’t remember if we did here or if when we were chatting about this a little bit before, but around the idea that if you don’t understand or fully understand the technology that a vendor might be trying to sell you, you’re probably not ready for it.
[00:09:05.250] – Pufahl
It’s a strong statement and maybe a little bit of hyperbole there, but I don’t think it’s totally off base. I think if you’re having a conversation with a vendor and they’re using terms or they’re talking to you about things that is going to protect for you, and you don’t really understand what those things are, but you might want to look at some more basic solutions in some case.
[00:09:26.860] – Pufahl
And we’re talking a little bit about, in this case, some hardware vendors. I say the same thing about solution providers. How many conversations have we been in where we’ve spoken with a client about the difference between a vulnerability assessment and a penetration test?
[00:09:40.990] – Pufahl
And depending on the vendor that they’ve spoken with, they’re treated as one and the same. Or we’ve seen pen tests that are really nothing more than just the vulnerability scan. There is no baseline for how vendors talk about their products, or in some cases, our clients actually understand.
[00:10:00.180] – Steve
At the end of the day, if when evaluating a new tool, even outside of security, it doesn’t map easily to what you already do in your business, there’s probably not a path directly to it, and that likely means you’re not ready to do any deployment.
[00:10:14.760] – Steve
So I think we both agree generally that firewalls, antivirus, both of those are staples for most security programs. And certainly, we regularly revisit the idea of security fundamentals. And I don’t think that we’ll probably go podcast without talking about just basic patching. And some of the things that you really need to do is that under paying.
[00:10:43.000] – Steve
What I want to be careful here is that we don’t convey any sense that the products that are out there don’t have value. What I want to drive home, I think, is that often times say the marketing or the way that the products are explained really promoting an overdeveloped sense of capabilities and therefore security.
[00:11:09.980] – Pufahl
And we’ve had a lot of conversations with the customers who say, “Well, I’ve implemented mail protection or I’ve implemented a firewall, and we’re fine.” You spend a lot of money on a product, no doubt. But that doesn’t mean that you’ve addressed your underlying security issues.
[00:11:27.060] – Steve
I want to think of it in terms of security sustainment versus security fixing, fixes, in general. Solutions that are deployed are often reactively done so. Solutions are deployed in order to fix a problem that has either been experienced or that is perceived, it’s in the news, something to that effect.
[00:11:46.930] – Steve
And that’s great, maybe they are fit for purpose. But security over time erodes. It’s an inevitability. It’s just like anything else. Assets depreciate, buildings crumble, security has the same path as time goes on.
[00:12:03.850] – Steve
And everything that is really deployed to protect an organization or an individual, for that matter, really needs to be forward looking capable, maybe not fully deployed. There are abilities for it to improve over time.
[00:12:18.240] – Steve
But bottom line is that it supports security over a long term by giving good data, by having external input, by having the ability for regular maintenance to be applied. And it’s not something static. We don’t live in a static world, and many of the products that exist are marketed in such a way or built in such a way that they don’t really respond to dynamic change.
[00:12:44.100] – Pufahl
Yeah, it’s totally fair. And I think one of the challenges that a lot of businesses or business owners have is that they probably haven’t done some of the evaluation assessment work that they would need to do.
[00:13:03.460] – Pufahl
So I think the common flow is small business as a an IT person, or maybe a handful of IT people, they’re largely not security focused. They’re probably pretty focused on day to day in the sense that it’s break fix for end user, making sure that their workforce is working or some service deployment for their server farm.
[00:13:28.840] – Pufahl
And then they take calls from people in the security industry saying you need this. Our data shows that you’re at risk to the following types of things, so you should spend money on this type of product, and that all may be true.
[00:13:44.270] – Pufahl
But if you’re not spending it in accordance to what your actual risk is, if you haven’t done a risk assessment or vulnerability assessment or something that actually gives you a baseline of where you are today and a progression of where you should take your security program, you’re apt to buy something that maybe does address a really niche issue, but probably isn’t your most important thing.
[00:14:07.350] – Steve
You’re saying a variant of what I did a moment ago. Technology changes, and at the end of the day, it’s in response to business needs. If you cannot deploy something that is responsive to change over time, it’s not what you need.
[00:14:25.730] – Steve
And I think ultimately that businesses, especially when they don’t have dedicated personnel for IT, tend to be controlling their spend relative to business needs without necessarily having the data to make clean decisions.
[00:14:42.360] – Steve
And the data is what really helps to control that span. I think that risk assessments, security assessments, whatever they happen to be called by a services provider that they can be perceived as, hey, yeah, we did that two years ago, we’re good. But in our realm, in our world, that’s stale data, and you can’t make decisions based on something of that age.
[00:15:05.140] – Pufahl
So I’ll tell us on two things. One, I love to regurgitate things that you say. So I have no shame in that whatsoever. But more seriously, you don’t have to do a grandiose in assessment either.
[00:15:20.680] – Pufahl
So we’ve done some basic just question and answer format for customers and unearth things like, we don’t do backups, and by the way, we never patch. So depending on how sophisticated security program is, maybe you need to do a really complicated, a really in depth security assessment, or maybe you can truly go through and look critically at some really basic things and say, we’re just not ready to spend a ton of money on really sophisticated products because some of the basic blocking and tackling, we don’t do.
[00:15:51.260] – Pufahl
And I always want to stress with people, don’t over complicated if you don’t have to. But to your point, do get a baseline understanding, some data to back up your potential spend in the future.
[00:16:06.220] – Steve
I’m going to close today by talking about the fact that our subject snake oil. Solutions are possible when they map to things that you know you need to resolve and assessments are cyclical, they’re meant to be. Security is cyclical. Point in time solutions are only going to be point in time fixes, and they’re only going to defend around the time that they’re deployed.
[00:16:31.680] – Steve
So just like anything else that requires sustainment over time and maintenance over time, so does Security. And if something purports to solve a problem that is so esoteric that it’s not really even directly tied to the business, it’s properly beyond what’s necessary.
[00:16:49.440] – Pufahl
I think it’s a fair point. And I know we’re up against time. And anytime I hear the word purport and esoteric tried to tell into thing, I think, all right, that’s the pinnacle of this time, that’s for sure.
[00:17:02.520] – Pufahl
As always, if anybody wants to hear more or talk more about this concept of silver bullets versus snake oil in the security industry, places where the security industry is doing well, maybe places where potentially you feel like it’s failed in the past, I think it’s an interesting topic and happy to explore it a little bit more.
[00:17:24.070] – Pufahl
Reach out to us on Twitter at Vancord Security, we’ll cover it with more detail. And until next time, we appreciate everybody listening. I hope you got some value out of this. Thank you.
[00:17:35.910] – Speaker
Stay vigilant. Stay resilient. This has been Cybersound.