Back to Basics - Good Security Starts With Solid Foundations
30 April 2015
The fundamental principles of good security are simple and very easy to understand; however, many organisations fail dismally to apply them. There appears to be a distinct lack of recognition of the importance of getting the basics right before adding security solutions that provide only marginal gains. There is also a misconception across organisations that spending the ever-increasing security budget on new security technology and services is the way to improve security, reduce risk and protect their assets. Think back to the recent banking crisis: most of the big banks invested heavily in the derivatives market and took risks they did not understand. Some industry commentary attributes this reckless investment trend to institutions and regulators blindly following what other institutions and regulators were doing, without the appropriate due diligence. The same is happening with security in the enterprise. The blind are leading the blind down a path to massive risk and insecurity. Organisations appear to be rushing to implement security technology and services based on industry hype and on what other organisations are doing in the security space.

There is no doubt that many of the latest security trends and technologies have benefits and may have their place in an organisation, but they should only be considered once the security basics are correctly established. Some strategies are driven by regulation, but there is a lot more to realising the real benefit of products and services such as *DLP, *APT protection, *SIEM, *IAM and *PIM than simply buying and installing them or paying a third party to manage them. This is because many of the more advanced and automated security technologies are predicated on sound security fundamentals being in place. The basics are the foundation of enterprise security and are fundamental to building a robust and resilient security posture. It is imperative that an organisation knows its assets, fully understands its network and the traffic on it, and has correctly configured and managed basic technical security controls. An organisation with those fundamentals in place will be significantly less vulnerable than an enterprise that simply deploys all of the latest security technology on top of weak basics. Generally, all of these products produce pretty reports that may gain boardroom recognition, but such reports are often meaningless to those they are aimed at and worthless to those who understand them. It is an all too familiar scenario to find a SIEM system with alarms simply tuned out as noise because nobody knows what the traffic or behaviour really is, or to find that a privileged access alert observed early in the morning at a weekend is simply attributed to some mysterious monthly legacy process without any investigation.

Layered security is good and it works, but the current trend to constantly layer all of the latest security wares on top of a weak security posture does not improve security in most instances, nor does it reduce risk. The only thing being achieved is more layers of complexity, which actually leads to less security and to higher risks that are neither recognised nor understood. Currently it is all too easy to penetrate, persist in and extract data from large organisations, even with all of the latest security products and services deployed. In many instances this can be attributed to the fact that organisations often overlook the basics or assume they are in place. The problem is compounded by assigning overstretched staff to security projects that will never deliver the benefits they are truly capable of if the basics don't exist.

The advice is simple: improve security and reduce risk by focusing on rock-solid security basics before rushing to buy the latest security products or services. Don't follow other organisations or implement the latest and greatest security technology just because other companies are. Focus available budget and skilled resources on auditing, fixing, documenting and managing the basics correctly. Only begin to introduce more advanced technologies once that is done.

An organisation must understand its assets, network and information flows intimately. All of this information must be documented in detail, and any changes must be recorded in a timely manner. The lack of design documentation within many organisations is woeful, and it is rare to find a consolidated log of IP address allocation. Basic technical controls such as firewalls must be tightly configured and regularly reviewed, with every permitted flow documented together with its purpose. User and directory data must be accurate and complete. End user software installation must be strictly controlled, not simply stated in a security policy to cut operational costs.
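One way to turn "all flows documented with their purpose" into a repeatable check is to reconcile the exported firewall rule set against the documented flow register on every review. The script below is an added example, not code from the original post or from any product; the flow register layout, the rule export fields (`id`, `action`, `src`, `dst`, `proto`, `port`) and both data sets are constructed assumptions chosen for illustration. It reports allow rules with no documented purpose, documented flows with no matching rule, and allow rules that span the whole address space, which deserve a second look even when documented.

```python
"""Reconcile a firewall rule export against a documented flow register.

Added example for the blog post; field names and sample data are assumptions
constructed for illustration, not any vendor's export format.
"""
from ipaddress import ip_network

# Constructed sample: the documented flow register (what SHOULD exist, and why).
# Key: (source CIDR, destination CIDR, protocol, port) -> business purpose / owner.
FLOW_REGISTER = {
    ("10.1.0.0/24", "10.2.0.10/32", "tcp", 443): "Web tier -> app API (owner: app team)",
    ("10.1.0.0/24", "10.2.0.20/32", "tcp", 5432): "App tier -> Postgres (owner: DBA)",
    ("10.9.0.5/32", "0.0.0.0/0", "tcp", 22): "Bastion -> SSH management (owner: ops)",
    ("10.3.0.0/24", "10.2.0.30/32", "tcp", 8080): "Monitoring -> metrics endpoint (owner: ops)",
}

# Constructed sample: rules as exported from the firewall (what DOES exist).
FIREWALL_RULES = [
    {"id": 1, "action": "allow", "src": "10.1.0.0/24", "dst": "10.2.0.10/32", "proto": "TCP", "port": 443},
    {"id": 2, "action": "allow", "src": "10.1.0.0/24", "dst": "10.2.0.20/32", "proto": "tcp", "port": 5432},
    # Rule 3 opens the database to the whole address space and has no register entry.
    {"id": 3, "action": "allow", "src": "0.0.0.0/0", "dst": "10.2.0.20/32", "proto": "tcp", "port": 5432},
    {"id": 4, "action": "allow", "src": "10.9.0.5/32", "dst": "0.0.0.0/0", "proto": "tcp", "port": 22},
    {"id": 5, "action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "proto": "any", "port": 0},
]


def flow_key(src, dst, proto, port):
    """Canonical tuple so register entries and exported rules compare reliably
    (normalises whitespace, protocol case and CIDR spelling)."""
    return (
        str(ip_network(src.strip(), strict=False)),
        str(ip_network(dst.strip(), strict=False)),
        proto.strip().lower(),
        int(port),
    )


def is_wide(cidr):
    """True when the network is the entire address space (a /0)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def reconcile(rules, register):
    """Compare allow rules with the register and return the three review lists."""
    documented = {flow_key(*flow): purpose for flow, purpose in register.items()}
    allowed = {}
    for rule in rules:
        if rule["action"].lower() != "allow":
            continue  # only permitted flows need a documented purpose
        allowed[flow_key(rule["src"], rule["dst"], rule["proto"], rule["port"])] = rule["id"]

    undocumented = sorted(rid for key, rid in allowed.items() if key not in documented)
    missing = sorted(key for key in documented if key not in allowed)
    wide_allow = sorted(rid for key, rid in allowed.items() if is_wide(key[0]) or is_wide(key[1]))
    return {"undocumented": undocumented, "missing": missing, "wide_allow": wide_allow}


def format_report(result):
    """Render the review lists as plain text for the change/review record."""
    lines = ["Firewall rule reconciliation report"]
    lines.append("Allow rules with no documented purpose: %s" % (result["undocumented"] or "none"))
    lines.append("Documented flows with no allow rule:")
    for key in result["missing"] or []:
        lines.append("  %s -> %s %s/%d" % (key[0], key[1], key[2], key[3]))
    if not result["missing"]:
        lines.append("  none")
    lines.append("Allow rules spanning the whole address space (review): %s" % (result["wide_allow"] or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(reconcile(FIREWALL_RULES, FLOW_REGISTER)))
```

Run against the constructed data, the report flags rule 3 as undocumented, the monitoring flow as documented but absent from the firewall, and rules 3 and 4 as whole-address-space allows. Rule 4 is documented, so it is not an error, but the register should record why a bastion needs SSH to everywhere; that is the kind of question a periodic review exists to ask.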

Security decision makers should not be fooled by vendor promises to automate or manage security controls with big returns. Retrospectively correcting security fundamentals may be a daunting task for many large organisations, but it will ultimately pay dividends. One thing is for certain: in many instances, ignoring the basics and layering up complex security solutions is little more than an attempt to compensate for that neglect. Such behaviour leads to increased vulnerabilities and higher risks, and makes life very easy for the cyber criminal.

Security vendors will never say you don't need their products or services. This often leads to a scenario where products, solutions and services are poorly configured, poorly operated and poorly managed once they are installed and the project is signed off. Presentations from many security vendors follow the classic FUD (Fear, Uncertainty and Doubt) sales pitch. The sad fact is that many vulnerable stakeholders happily consume that message. A widely used IT cliché from the 1970s was, "Nobody ever got fired for buying IBM". Many security decision makers within organisations today appear to be following a new mantra: "I won't get fired for following the latest industry hype or what other organisations are doing".

There is no point attempting to build advanced security defences without solid security foundations, because it will inevitably end in a huge data breach. You can build a castle on sand, but it will eventually come crashing down.

* DLP (Data Loss Prevention), APT (Advanced Persistent Threat) protection, SIEM (Security Information and Event Management), IAM (Identity and Access Management), PIM (Privileged Identity Management)

varlogsecurity blog
The place where I share my personal opinion and observations on the world of IT security.