Have you ever noticed that the average infosec practitioner only really gets excited, interested and focused on advanced security activities? If you start talking about how to do real-time forensic packet inspection across your network, a half dozen security engineer types show up out of the blue to kibitz with you. Talk about how to patch your Windows desktop and it's like a ghost town around your desk.
This is a serious problem. Very serious. According to both the Mandiant and Verizon reports this year, the vast majority of successful intrusions involved two crucial factors. One was a human who could be tricked into accessing malware in some way, whether that was a website, a spreadsheet or some other attack vector. The second was a system that wasn't protected by the basics, like anti-virus, up-to-date patches or properly configured browsers.
I submit to you that all the vendor emphasis on selling new products, the security community's fascination with new stuff, and the fact that information security is much too heavily oriented toward technology are the core of the problem. The attacks I am aware of could, for the most part, have been stopped by humans aware of the problem and systems that were patched.
We have to move beyond the advanced stuff and get back to basics. We need to understand what our core, fundamental skills, tools and controls should be and what our common, likely threats are. You really don't need fancy new tools if your systems aren't patched, your humans aren't resilient, your risk assessments aren't realistic and your incident response is non-existent.
You may laugh and say of course that’s obvious. But clearly some major organizations didn’t do the basics consistently.
If you must buy new tools, have them be ones that help solve the fundamental problems you haven't gotten good at yet. Figure out where your unpatched systems are, find new ways to increase human resilience, identify the high-risk system accounts and strengthen them. These things are far more likely to secure your organization successfully than a shiny new toy that will end up as shelfware.
Just do the basics and get some due diligence under your belt. Be a professional who does the hard things, the boring things. Let someone else be the hobbyist chasing the next shiny toy.
I agree that we need to get back to the basics but what you are describing is sysadmin basics not security basics. Patching, AV, and browser configs should be a routine part of sysadmin work just like changing default passwords or configuring backups. Infosec professionals should be focused on architecture, identifying improperly configured systems (testing), and intrusion detection and response.
I think you missed my point. Security professionals need to work on the basics, not get distracted by shiny toys.
Also, it’s important to note that not every organization does things the same way. In some orgs, security engineering runs anti-virus, in others desktop engineering, and so forth. The key is not to argue over specifically who does what. It is to solve the basic problems. If your organization sucks at patching, then the security professionals need to get focused on that, even if they aren’t the ones who actually patch the boxes.