Security hardware vendors spend a great deal of time, energy and money developing powerful technology to help us defend our companies against cyber attacks. Unfortunately, there are situations where the way that technology is sold ends up indirectly expanding the very attack surface it is meant to shrink. Here is a situation I experienced a few years ago that may sound familiar to many of us.
Most of us have been in the situation where we need to select a security framework to satisfy a compliance requirement (PCI, HIPAA, ISO, NIST and the like) for our organization. The framework we choose obliges us to implement security controls such as disaster recovery, blocking inbound and outbound services that are not required, intrusion detection and prevention, restricted internet access and privileged-access controls, along with many others. Those controls in turn create a need to buy security appliances.
The appliances we need may include network firewalls, endpoint protection, IPS/IDS, DNS firewalls, application firewalls, proxies, encryption, multi-factor authentication and more. For the sake of this blog, let’s assume our budgeting efforts succeed and we get all the funding we need.
Our next step is to select a vendor. Many vendors will approach us with long lists of compelling features and benefits of their exceptional products. Typically, they won’t spend much time trying to understand our security design or our actual control requirements; they spend far more time trying to meet their sales targets by selling us as many appliances as they can.
If they succeed, and their tenacity combined with our own instinct that more is better usually means they do, we end up spending more money than necessary on more appliances than we need. The excess purchase carries ongoing costs in additional security management overhead. Worse, it enlarges our attack surface: every extra appliance runs its own software stack with its own vulnerabilities, its own management interface and its own patch cycle, so more appliances mean more patches to track, more exposed services to protect and, ultimately, more potential headaches.
The best cure for these headaches is a neutral or third-party security advisor who:
- Understands all the levels of the entire information security landscape
- Has been through these exercises several times before
- Knows how to resist the urge to over-buy and the pitfalls of buying out of uncertainty
Here is a specific example from my 18 years of experience in this domain. I was working for a Fortune 500 client whose name I unfortunately can’t mention. They had recently spent over $1.5M on several next-generation firewall appliances. Within a month, they were in discussions with several vendors trying to sell them IPS/IDS and URL-filtering appliances. What they didn’t realize was that their new next-generation firewalls already provided these security controls. I was able to educate their teams, avoid an unnecessary purchase, avoid an increase in their attack surface, and avoid the work of maintaining those unnecessary appliances over the following 3-5 years. The practical check before any such purchase is simple: inventory what the appliances you already own include, and confirm that the feature in question is licensed and actually enabled, because a capability that ships with the product but sits unlicensed or switched off is no control at all.
Later, I will share another experience based on our security assessments and how we were able to avoid unnecessary gaps and vulnerabilities. Stay tuned.