My experience leads me to think that information security is, in actual practice, more a matter of reacting: something bad happens in the news and shakes up the C-level enough to do something. But I don’t think the solemn promises of tighter security and the subsequent actions match up. I may not be able to spot a tell like Patrick Jane, but something doesn’t seem right.
I’m not really a security expert, but I’ve worked on enough network security projects and am ramping up for one now to have some opinions. Networking Field Day 11 wasn’t really security-focused, but there was discussion from one vendor and then during a roundtable that got the wheels turning.
At the NFD 11 roundtable on security, Greg Ferro posited that the ROI in information security isn’t worth it. It was certainly a provocative statement that only Mr. Ferro could get away with in his own inimitable way, and it began a thought process for me on whether or not we actually want good information security in the first place. The beginnings of that were a comment in the PacketPushers Show 272 right around 10:17.
Information security used to be an afterthought, but it’s becoming top of mind for technical and non-technical people alike. However, though I think folks are more aware of a need for good security, I don’t think it’s mainly for the reason of actually securing networks. I’ve seen IPS appliances in racks, powered on, and doing nothing whatsoever but sitting on the management subnet in order to meet a compliance requirement. And in many cases it has little or nothing to do with compliance. These are expensive devices, and they have a predictable lifecycle: they’re purchased, configured by a specialist, start causing trouble, then get taken out of prod but left on the network. If security is such a priority these days, why is this OK? Buying this gear isn’t a trivial matter, so something doesn’t add up.
My initial thought is that these reactive actions are mainly to provide peace of mind while knowing full well not much is being done to secure anything. Seeing the gear in the racks and software icons in the toolbar feels good, and it feels good to the end-users. It’s good PR.
How often is a persistent end-user given a back door to their work desktop without going through change management?
If you got to know the security guards, and maybe brought them a bottle of cheap wine at Christmas, would you be able to get through most badge access doors at your facility?
How many times have you seen endpoint security software installed everywhere but disabled on the most critical servers because of the performance hit or because something’s interfering with an application?
Don’t get me wrong. I’ve seen some of these technologies and methods used effectively as part of a real security strategy, especially in the government space, but the number of times I’ve seen security done poorly and then forgotten suggests that I’m not off base here. I kind of feel like we don’t really care about security even though we say we do.
One of the recurring themes at Network Field Day 11 was that we need to get back to the heart of the matter: the business use case. A webserver exists to host a website that people can access easily to buy stuff, read stuff, or whatever. But the narrative in the news tells us the bad guys are coming, so orgs pile on the widgets, security protocols and HR consequences to mitigate today’s popular attacks. But lock it or the back-end process down too much, and it undermines its business use case.
So what’s good security then?
Matt Oswalt made a good point in one of the roundtables that one reason for server insecurity is people writing bad code. The guys at Skyport Systems, Inc discussed micro-segmentation of workloads to secure applications from lateral attacks, and they cast their argument in terms of protecting against misconfigured firewalls. To me, both Matt and the folks at Skyport gave good examples of people not doing their jobs very well. Could it be that good security is just a matter of everyone actually sticking to the best practices in their area?
A webserver is vulnerable on port 80 and/or 443 because it’s a webserver. You can’t lock it down completely unless you just shut the thing off. But is the best way to secure it a big expensive application firewall looking at GET requests and sending TCP-resets? Maybe, but as soon as it negatively impacts user experience it’s going to get pulled out. Maybe someone just needs to stop writing bad PHP code. Or maybe someone needs to stop adding a permit ip any any in their firewall (hyperbole, I hope).
Skyport posed the question – how do you build the most secure server possible? Their answer was technology: never trust the VM. If someone owns the underlying operating system they own the applications. They proposed a technology to protect actual workloads in anticipation of the trend to disaggregate application workloads among many systems. This is really cool and makes sense to me. Big Switch discussed visibility into network traffic with their pervasive monitoring and security solution. This is awesome, and according to Greg, something we should have been doing for years. So the technology is there. Maybe it’s not absolutely perfect, but the technology is there.
But I think much of this technology addresses symptoms of a deeper problem. The desire for security seems to be there, but there is little effort to QC what’s already in place and certainly not at the expense of user experience. We don’t really want information security. We just want peace of mind even if it’s unfounded.
So what does good security look like? I’m wondering if it’s just a simple matter of everyone in the stack doing their jobs correctly. Sounds simple, but really that’s a difficult strategy. No more untidy firewall rule sets. No more random iptables rules. No more 300-year-old versions of CentOS. Extra effort getting code peer reviewed. Actually sticking to corporate security policy even when no one’s looking.
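One way to actually QC a rule set rather than just trusting that it was done right: a small audit that flags the "permit ip any any" rule from the hyperbole above and any rule that an earlier rule shadows (so it can never fire). This is an added example, not code from the post or from any vendor mentioned; it assumes Cisco-style extended ACL syntax with destination ports only, and the sample ACL is constructed.

```python
from ipaddress import ip_network
# Constructed sample ACL (Cisco-style extended ACL syntax); not from any real device.
SAMPLE_ACL = """
permit tcp any host 203.0.113.10 eq 443
permit tcp any host 203.0.113.10 eq 80
deny ip 10.0.0.0 0.255.255.255 any
permit ip any any
permit tcp 10.1.2.0 0.0.0.255 host 203.0.113.10 eq 443
deny ip any any
""".strip().splitlines()
ANY = ip_network("0.0.0.0/0")

def parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    mask = ".".join(str(255 - int(o)) for o in tokens[1].split("."))  # wildcard -> netmask
    return ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def parse_rule(line):
    """Parse 'action proto src dst [eq PORT]'; only destination ports are handled (an assumption)."""
    tokens = line.split()
    src, rest = parse_addr(tokens[2:])
    dst, rest = parse_addr(rest)
    port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
    return {"action": tokens[0], "proto": tokens[1], "src": src, "dst": dst, "port": port, "text": line}

def find_permit_any_any(rules):
    """Rules that permit every protocol from everywhere to everywhere."""
    return [r for r in rules if r["action"] == "permit" and r["proto"] == "ip"
            and r["src"] == ANY and r["dst"] == ANY]

def covers(a, b):
    """True when rule a matches every packet rule b would match, so b can never fire after a."""
    return ((a["proto"] == "ip" or a["proto"] == b["proto"])
            and b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"])
            and (a["port"] is None or a["port"] == b["port"]))

def find_shadowed(rules):
    """(shadowed_index, shadowing_index) pairs under first-match semantics; earliest shadower wins."""
    hits = []
    for j, later in enumerate(rules):
        for i in range(j):
            if covers(rules[i], later):
                hits.append((j, i))
                break
    return hits

RULES = [parse_rule(line) for line in SAMPLE_ACL]
```

Run against the constructed ACL, it reports the permit-any-any rule and two dead rules (the narrow tcp/443 rule hidden behind the first line, and the final deny hidden behind permit ip any any).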
The reality is that if we want to maintain an acceptable user experience, we really can’t have perfect security. So maybe good security is just doing what we’re already doing – but better. But until we do, with a wink and a nod, we’ll probably just add more widgets to the network to feel more secure.