Seek Security Platforms that Integrate

It’s an established problem that many organisations have too many security tools deployed. Each one requires expertise, integration points and patches, and many of them even extend your attack surface. I recently read this article by Rick Howard from Palo Alto Networks* and it calls attention to the fact that platforms which don’t integrate [easily] are likely to fail the test of enterprise deployments and will not be extensible in the long term, minimising the value they bring to the business.

[…] most network defenders. For their entire careers, they have been trained that vendor-in-depth and best-in-breed are golden principles in cybersecurity. When all else fails, follow the golden principles. […] 

Ironically, these same network defenders have missed the point advocated by Geer’s monopoly paper. In it, the authors advocate several actions designed to limit the attack surface of the Microsoft operating system platform:

  • Publish interface specifications to major functional components of its code, both Windows and Office.
  • Foster development of alternative sources of functionality through an approach comparable to the highly successful “plug and play” technology for hardware components.
  • Work with consortia of hardware and software vendors to define specifications and interfaces for future developments in a way similar to the Internet Society’s RFC process to define new protocols for the internet.

[…] you will find that adopting a security platform that integrates with other vendors is exactly the same solution.

Source: https://researchcenter.paloaltonetworks.com/2018/03/cso-security-platform-monopoly/ 

Rick’s conclusion is valuable and, in my experience, a path only some vendors in this space are taking.

Publishing open APIs and carefully documenting how to extend and integrate the software with other vendors should be the baseline and not a ‘gold standard’. 

*Note that I don’t endorse Palo Alto Networks; I just found this article informative and in line with my own beliefs.


Practical Risk Tolerance

Excellent article on security risk management from Black Swan Security:

“…but I don’t hear any formalisation of measuring and assessing controls that are beyond the Control Tolerance of an organisation. We care about risk tolerances and exceptions, the risk owners care about these but the risk owners and the business managers also care about the ‘Control Tolerance’ or at least they care about controls beyond it.”

“If the practical risk tolerance that the security teams are working to is below the control tolerance then such a reset is inevitable. If the control implementations are below the Control Tolerance but the Risk Tolerance would practically have allowed for less stifling control environments then such a reset will likely not only reduce the impact of stifling controls but also unnecessarily increase the overall risk tolerance and associated exposure to security risk. Ironically over-zealous security controls lead to a less well-secured environment.”
