{"id":250,"date":"2017-05-31T16:07:28","date_gmt":"2017-05-31T16:07:28","guid":{"rendered":"http:\/\/securitycurve.com\/?p=250"},"modified":"2017-05-31T16:07:28","modified_gmt":"2017-05-31T16:07:28","slug":"if-youre-gonna-fad-at-least-learn-something","status":"publish","type":"post","link":"https:\/\/securitycurve.com\/?p=250","title":{"rendered":"If you’re gonna fad, at least learn something."},"content":{"rendered":"

\"\"<\/a>Have you ever noticed that security is an industry driven in large parts by fads?<\/p>\n

It’s true. \u00a0There are a few different types of fads out there. \u00a0First, there are technology fads. \u00a0If you’ve been in\u00a0the industry for a while, you probably remember at least a few of them. \u00a0Remember the HIPS revolution? For a while there, everybody needed a HIPS solution and it was “be there or be square” on the HIPS. \u00a0I particularly liked it when people referred to both host based and network based IPS together (HIPS and NIPS)… \u00a0because that’s just hilarious. \u00a0Or you maybe remember when anti-spyware was its own product category (totally separate and distinct from AV of course)? \u00a0Or\u00a0when “heuristic malware detection” was something everybody needed to have? \u00a0When file integrity monitoring, session authentication state maintenance (i.e. cookies and such), virtual taps, or some other technology “du jour” was what everybody really<\/strong> cared about?<\/p>\n

There are also fads that aren’t about technology but instead target the practice<\/em> of security. \u00a0For example, have you noticed how fired up everyone was about threat intelligence after Lockheed published their kill chain paper<\/a>? \u00a0For a while there, there were mid-market companies – hamburger companies, \u00a0hotel chains, staffing services, and restaurants – investing significantly in sophisticated threat intelligence gathering and analysis capability. \u00a0For reals. \u00a0Another example of this phenomenon would be the three lines of defense<\/a>\u00a0that one encounters more and more often in the wild nowadays. \u00a0[In fairness I should probably note that the original source for that was FERMA\/ECIIA<\/a>\u00a0guidance and not the IIA position paper that I linked to… but the IIA does a better job (I think) of explaining the concept – both motivation for and implications of.]<\/p>\n

Anyway, these fads can be useful — but they can also be dangerous. \u00a0With a technology fad,\u00a0there’s a defined cycle: some new fad comes along, everybody and their brother jumps on the bandwagon\u00a0until the technology permeates the collective security echo-chamber. \u00a0Then, in relatively short order, it gets sublimated\u00a0— it gets\u00a0folded into the status quo. \u00a0Don’t believe it? \u00a0Look at HIPS. \u00a0HIPS is still around – it’s just that it’s not front of mind because it’s embedded in a number of security products (and operating systems for that matter). \u00a0Anti-spyware same deal. \u00a0It’s still a “thing” — it’s just that we don’t need to run a separate instance\u00a0<\/em>of\u00a0grep<\/del>\u00a0anti-malware to look for spyware\u00a0but can instead do so inside of other software we already have.<\/p>\n

The upside is that we’re cultivating a new capability or a different way of doing something. \u00a0But there’s a downside too. \u00a0Technology trends for example can\u00a0stifle innovation because 1) everyone wants to view whatever is new through the lens of what’s “hot” and 2) it creates disinformation as marketing teams stretch to claim that their product is the hot new thing. \u00a0Likewise, broader trends like TI and three lines of defense can distract from the fundamentals. \u00a0Does a hamburger company really need a sophisticated threat analysis capability when they can’t patch or when they give administrator access to the point of sale system to associates at retail locations? \u00a0I’d argue there’s a priority issue if they know what Russian attackers are up to but they don’t know how to monitor their own associates.<\/p>\n

So what’s the point? \u00a0I think it’s to be critical of fads. \u00a0If there’s a technology fad that everyone is talking about (cognitive springs to mind right now), it’s likely to wind up sublimated if you wait a few months. \u00a0So maybe it’s not the end of the world if you don’t sweat it too much right now. \u00a0If it’s a broader fad — one that asks you to think about security in a different way, that’s great too, but incorporate the lesson only to the extent it makes sense in your business. \u00a0For example,\u00a0understanding adversary activity as part of a interruptable campaign as kill chain analysis does is awesome — but understand why you need that and act accordingly. \u00a0Underscoring the value of independent verification as the three lines of defense does is also a really great lesson –\u00a0but only to the extent that you incorporate it into your goals, your business context, your practice. \u00a0When you’re just servicing the fad — doing something because it’s “hot” – chances are high you’re missing the point.<\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

Have you ever noticed that security is an industry driven in large parts by fads? It’s true. \u00a0There are a few different types of fads out there. \u00a0First, there are technology fads. \u00a0If you’ve been in\u00a0the industry for a while, you probably remember at least a few of them. \u00a0Remember the HIPS revolution? For a […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4],"tags":[5,54,118],"class_list":["post-250","post","type-post","status-publish","format-standard","hentry","category-security","tag-3-lines-of-defense","tag-fads","tag-threat-intelligence"],"_links":{"self":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/250","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=250"}],"version-history":[{"count":0,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/250\/revisions"}],"wp:attachment":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=250"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=250"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=250"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}