If you’re gonna fad, at least learn something.


Have you ever noticed that security is an industry driven in large parts by fads?

It’s true.  There are a few different types of fads out there.  First, there are technology fads.  If you’ve been in the industry for a while, you probably remember at least a few of them.  Remember the HIPS revolution? For a while there, everybody needed a HIPS solution and it was “be there or be square” on the HIPS.  I particularly liked it when people referred to both host based and network based IPS together (HIPS and NIPS)…  because that’s just hilarious.  Or you maybe remember when anti-spyware was its own product category (totally separate and distinct from AV of course)?  Or when “heuristic malware detection” was something everybody needed to have?  When file integrity monitoring, session authentication state maintenance (i.e. cookies and such), virtual taps, or some other technology “du jour” was what everybody really cared about?

There are also fads that aren’t about technology but instead target the practice of security.  For example, have you noticed how fired up everyone was about threat intelligence after Lockheed published their kill chain paper?  For a while there, there were mid-market companies – hamburger companies,  hotel chains, staffing services, and restaurants – investing significantly in sophisticated threat intelligence gathering and analysis capability.  For reals.  Another example of this phenomenon would be the three lines of defense that one encounters more and more often in the wild nowadays.  [In fairness I should probably note that the original source for that was FERMA/ECIIA guidance and not the IIA position paper that I linked to… but the IIA does a better job (I think) of explaining the concept – both motivation for and implications of.]

Anyway, these fads can be useful — but they can also be dangerous.  With a technology fad, there’s a defined cycle: some new fad comes along, everybody and their brother jumps on the bandwagon until the technology permeates the collective security echo-chamber.  Then, in relatively short order, it gets sublimated — it gets folded into the status quo.  Don’t believe it?  Look at HIPS.  HIPS is still around – it’s just that it’s not front of mind because it’s embedded in a number of security products (and operating systems for that matter).  Anti-spyware same deal.  It’s still a “thing” — it’s just that we don’t need to run a separate instance of grep anti-malware to look for spyware but can instead do so inside of other software we already have.

The upside is that we’re cultivating a new capability or a different way of doing something.  But there’s a downside too.  Technology trends for example can stifle innovation because 1) everyone wants to view whatever is new through the lens of what’s “hot” and 2) it creates disinformation as marketing teams stretch to claim that their product is the hot new thing.  Likewise, broader trends like TI and three lines of defense can distract from the fundamentals.  Does a hamburger company really need a sophisticated threat analysis capability when they can’t patch or when they give administrator access to the point of sale system to associates at retail locations?  I’d argue there’s a priority issue if they know what Russian attackers are up to but they don’t know how to monitor their own associates.

So what’s the point?  I think it’s to be critical of fads.  If there’s a technology fad that everyone is talking about (cognitive springs to mind right now), it’s likely to wind up sublimated if you wait a few months.  So maybe it’s not the end of the world if you don’t sweat it too much right now.  If it’s a broader fad — one that asks you to think about security in a different way, that’s great too, but incorporate the lesson only to the extent it makes sense in your business.  For example, understanding adversary activity as part of an interruptible campaign, as kill chain analysis does, is awesome — but understand why you need that and act accordingly.  Underscoring the value of independent verification, as the three lines of defense does, is also a really great lesson – but only to the extent that you incorporate it into your goals, your business context, your practice.  When you’re just servicing the fad — doing something because it’s “hot” – chances are high you’re missing the point.