Simply buying more expensive security products and configuring them no more completely or precisely than you did the last slew of protection tools you bought is a road map to recurring breaches. Misconfigured tools fail to shield your existing attack surface and add vulnerabilities to it. The quality of the tools, the intent of the enterprise, and the discipline of the employees are typically not the issues.
The needs of the enterprise have stacked so many security products against a critical shortage of talent that your people can’t keep up. “A typical large enterprise may have deployed over 60 different security products to configure, tune, and patch. Many of these products generate hundreds if not thousands of alerts a day,” says Franklin Witter, principal industry consultant, Cybersecurity Solutions, SAS. If the same staff are fielding alerts and maintaining the tools, there may be no way to stay ahead of attacks.
CSO juxtaposes these and other complications of this security product configuration juggling act, prodding experts for their analysis of contributing factors and potential solutions.
Misconfiguration or no configuration leads to increased vulnerabilities
The larger the enterprise, the more security tools it is likely to have. Staff might not learn, use, or update any number of these, either because something about the technology is off-putting (its complexity, for example) or because it is one more task on top of an already overwhelming pile. When these tools stay connected and running on the network in a misconfigured, outdated state, they become entry points for attackers and liabilities for the enterprise.
Security products can come with native remote access capabilities. When enterprises use such products and leave remote access open with default or easily guessed credentials, this turns a security advantage the enterprise should leverage into a security vulnerability. “The industry has found numerous products that contain backdoors in their code, including products from Juniper and Fortinet,” says Dave Shackleford, lead faculty, IANS. “Many products contain open source code and libraries that have been vulnerable to Heartbleed, Shellshock, and other well-known attacks.”
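The two preceding paragraphs describe the conditions that turn a security appliance into an entry point: management interfaces left reachable, default or weak credentials, and firmware that nobody has updated or reviewed. The following script is an added example, not code from the article or from any vendor named in it, showing how a defender can audit an appliance inventory for exactly those conditions. The inventory records, the default-credential list, the baseline firmware versions and the review window are all constructed placeholders; a real audit would feed in the organisation's own asset data.

```python
"""Audit an inventory of security appliances for the misconfigurations that
turn protection tools into liabilities: default or weak credentials,
management interfaces exposed to untrusted networks, firmware below a
baseline, and configurations nobody has reviewed in a long time.

Added example. All inventory data, credential pairs and baseline versions
below are constructed placeholders, not real product defaults.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Constructed vendor-default credential pairs (placeholders).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

# Constructed minimum acceptable firmware version per product type.
BASELINE_VERSION: Dict[str, Tuple[int, ...]] = {
    "firewall": (6, 4, 0),
    "ids": (3, 1, 2),
    "proxy": (2, 9, 0),
}

MAX_DAYS_SINCE_REVIEW = 90   # constructed policy: review every appliance quarterly
MIN_PASSWORD_LENGTH = 12     # constructed policy threshold

# Constructed audit date so the example is deterministic.
AUDIT_DATE = date(2016, 6, 1)


@dataclass
class Appliance:
    name: str
    product_type: str
    firmware: str               # "major.minor.patch"
    remote_mgmt_exposed: bool   # management interface reachable from untrusted networks
    username: str
    password: str
    last_reviewed: date


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '6.2.1' into (6, 2, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def audit(appliance: Appliance, today: date) -> List[str]:
    """Return the list of policy findings for one appliance, in a fixed order."""
    findings: List[str] = []
    if (appliance.username, appliance.password) in DEFAULT_CREDENTIALS:
        findings.append("default credentials")
    elif len(appliance.password) < MIN_PASSWORD_LENGTH:
        findings.append("weak password")
    if appliance.remote_mgmt_exposed:
        findings.append("remote management exposed")
    baseline = BASELINE_VERSION.get(appliance.product_type)
    if baseline is not None and parse_version(appliance.firmware) < baseline:
        findings.append("firmware below baseline")
    if (today - appliance.last_reviewed).days > MAX_DAYS_SINCE_REVIEW:
        findings.append("configuration not reviewed")
    return findings


def audit_inventory(inventory: List[Appliance], today: date) -> Dict[str, List[str]]:
    """Map each appliance name to its findings (empty list means compliant)."""
    return {a.name: audit(a, today) for a in inventory}


def critical(results: Dict[str, List[str]]) -> List[str]:
    """Appliances that are both reachable from outside and still on default
    credentials: the exact combination that turns a security tool into a
    remote entry point."""
    return sorted(
        name for name, findings in results.items()
        if "default credentials" in findings and "remote management exposed" in findings
    )


# Constructed inventory of three appliances.
INVENTORY = [
    Appliance("fw-edge-01", "firewall", "6.2.1", True, "admin", "admin", date(2016, 1, 10)),
    Appliance("ids-core-01", "ids", "3.1.2", False, "secops", "correct-horse-battery-7", date(2016, 5, 15)),
    Appliance("proxy-dmz-01", "proxy", "2.9.4", True, "admin", "Pr0xy!", date(2016, 4, 20)),
]

if __name__ == "__main__":
    results = audit_inventory(INVENTORY, AUDIT_DATE)
    for name, findings in results.items():
        print(f"{name}: {', '.join(findings) or 'compliant'}")
    print("critical:", critical(results))
```

Run as a script it lists the findings per appliance and then the subset that combines an exposed management interface with default credentials. The point of separating `audit` from `critical` is that a team drowning in alerts needs the handful of combinations that matter most surfaced first, rather than one more undifferentiated list.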
Availability, allocation of security personnel
The supply of qualified security professionals falls short of demand. “Security professional scarcity is a consistent theme voiced by the nearly 14,000 security professionals that responded to the 2015 survey. Despite satisfaction with their jobs, current data and historical perspectives on employment, salaries, and tenure point to difficulty in attracting sufficient numbers of qualified entrants into the profession,” says The 2015 (ISC)2 Global Information Security Workforce Study.
Individual security staff may not have sufficiently broad or deep training in the security product areas the enterprise focuses on. “There may be a lack of understanding related to patch or firmware impact on security product performance for the more complex or critical infrastructure components such as firewalls, network IDS/IPS, and proxies, leading to long delays or negligence in updates,” says Shackleford.