January 10, 2019 CLOUD SECURITY, CYBER SECURITY, DATA BREACHES, WEB APPLICATION FIREWALL (WAF)

When Does Security Become Too Much?

Is there even such a thing as too much cyber security? And can it be counterproductive?

In my opinion the answer is yes to both questions, and I want to try and show you why.

I recently presented our solutions to a prospect. To tailor my presentation, I started investigating what they were currently using to secure their network. It quickly became obvious that their network security was, to use a euphemism, rather complicated. Let me elaborate. I counted 9 devices – an external IPS, a firewall, an internal IPS, 2 proxies to filter HTTP traffic, an internal IDS, an internal SIEM, 2 internal systems to scan emails – 9 devices!

One might say this is a great example of layered security. I disagree. When we talk about layered security, the last thing we mean is ‘complicate your life to the point of not being able to do your job’, which is to secure your network. Layered security means inspecting the same traffic more than once with complementary controls, not needing a team of specialists just to keep up with all the systems you’ve installed. For instance, you might run one AV engine at the gateway and a different one on your workstations: that’s layered security. Scan the same traffic twice, with systems that complement rather than duplicate each other (different engines, different signature sources), so that what one misses the other has a chance to catch.

Instead, what we have here is a Tower of Babel of systems that will inevitably interfere with each other, that is near impossible to maintain and easy to break. But what’s most worrying is that this complexity will cause gaping holes in the overall setup, because any security issue will be hard to find across nine separate consoles.

Imagine checking the logs. If you count 30 minutes per device, that’s 4½ hours every day just to check logs. Maybe you’ll be so good at it that after a while you’ll scale this down to 3 hours. But it’s still 3 hours of your schedule, every day, to check logs of your too-many security systems.

Now imagine running reports. Tell me what Joe has been up to. Has he been browsing too much? I don’t know; let me check the logs on 2 proxies and run 2 reports, then put them into a spreadsheet to integrate them. What if he wasn’t browsing but was downloading files using FTP? Or some other download technology? Or sending too many emails? For every single one of these questions, you’ll need to check a different system; maybe 2. Then you’re going to put the data into a spreadsheet and compile the numbers to see how much data Joe has been downloading. And by the time you’re done, you really can’t prove much of what he’s been up to. How’s that for an exercise in futility?
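As an added example (not code from the original post), here is the consolidation that paragraph describes done in a script instead of a spreadsheet: per-user byte totals joined from a Squid-style proxy access log, a second proxy’s CSV export, and an FTP server’s xferlog. The log lines are constructed, and the three field layouts are assumptions about what such devices emit; the point is that answering “what has Joe been doing?” requires a join across every device that carries his traffic, and any device you forget is a blind spot.

```python
"""Consolidate per-user transfer totals from several devices' logs.

Added example, not code from the original post. The sample log lines are
constructed and the field layouts (Squid native access.log, a CSV export from
a second proxy, and wu-ftpd/vsftpd-style xferlog) are assumptions.
"""
import csv
import io
import re
from collections import defaultdict

# Squid native access.log: ts elapsed client code/status bytes method url user hier type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+\S+\s+\S+\s+(?P<bytes>\d+)\s+\S+\s+\S+\s+(?P<user>\S+)"
)


def parse_squid(lines):
    """Yield (user, bytes) from Squid-style lines; skip unauthenticated ('-') entries."""
    for line in lines:
        m = SQUID_RE.match(line)
        if not m or m.group("user") == "-":
            continue
        yield m.group("user"), int(m.group("bytes"))


def parse_csv_proxy(text):
    """Yield (user, bytes) from a second proxy's CSV export (bytes_in + bytes_out)."""
    for row in csv.DictReader(io.StringIO(text)):
        yield row["user"], int(row["bytes_in"]) + int(row["bytes_out"])


def parse_xferlog(lines):
    """Yield (user, bytes) from xferlog-style FTP lines.

    Whitespace-split fields: [0:5] timestamp, [5] transfer time, [6] remote host,
    [7] file size, [8] filename, [11] direction ('o' download, 'i' upload),
    [13] username.
    """
    for line in lines:
        f = line.split()
        if len(f) < 14:
            continue
        yield f[13], int(f[7])


def consolidate(sources):
    """sources: {device_name: iterable of (user, bytes)} ->
    {user: {device_name: bytes, ..., 'total': bytes}}"""
    totals = defaultdict(lambda: defaultdict(int))
    for name, pairs in sources.items():
        for user, nbytes in pairs:
            totals[user][name] += nbytes
            totals[user]["total"] += nbytes
    return {u: dict(v) for u, v in totals.items()}


def rank_users(totals):
    """Users ordered by total bytes, heaviest first."""
    return sorted(totals, key=lambda u: totals[u]["total"], reverse=True)


# Constructed sample data (not real logs).
SQUID_LOG = [
    "1547110872.123    245 10.0.0.5 TCP_MISS/200 34567 GET http://example.com/news joe HIER_DIRECT/93.184.216.34 text/html",
    "1547110901.456   1200 10.0.0.5 TCP_TUNNEL/200 1200 CONNECT mail.example.net:443 joe HIER_DIRECT/93.184.216.34 -",
    "1547110950.001     80 10.0.0.9 TCP_HIT/200 9000 GET http://example.org/ ann NONE/- image/png",
    "1547110960.002     10 10.0.0.9 TCP_DENIED/407 300 GET http://example.org/ - HIER_NONE/- text/html",
]
PROXY2_CSV = """date,user,dest,bytes_out,bytes_in
2019-01-10 09:01:12,joe,cdn.example.net,800,499200
2019-01-10 09:03:40,ann,www.example.org,100,1900
"""
FTP_LOG = [
    "Thu Jan 10 09:12:44 2019 31 10.0.0.5 52428800 /pub/bigfile.iso b _ o r joe ftp 0 * c",
    "Thu Jan 10 09:15:02 2019 1 10.0.0.5 1024 /incoming/notes.txt a _ i r joe ftp 0 * c",
]


def report():
    """Run the join over the sample data from all three devices."""
    return consolidate({
        "proxy1": parse_squid(SQUID_LOG),
        "proxy2": parse_csv_proxy(PROXY2_CSV),
        "ftp": parse_xferlog(FTP_LOG),
    })


if __name__ == "__main__":
    totals = report()
    for user in rank_users(totals):
        print(f"{user:8} {totals[user]}")
```

Note how the FTP transfer dwarfs everything Joe did through either proxy: a report built from the proxies alone would have missed the bulk of his traffic entirely, which is the paragraph’s point.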

And what if, right this moment, your network is crawling and you need to quickly identify what’s hogging your resources? Which system do you check first? The proxy? Maybe; that might be a good assumption considering that 90% of our internet activities are browser-based. But what if the culprit is not a human using a browser but a bot running on a different port? You’re running a report on the proxy, while the bot continues, undeterred, to consume your resources and possibly taint the reputation of your IP addresses. How long will it take you to figure that out? Oh wait, there’s that alerting system that should be calling you just about now to tell you what’s going on. But it doesn’t really have the visibility you thought it had, and all it can tell you is that your network is saturated. Right. Thanks. I knew that.

One more example: try troubleshooting an issue while having to deal with 9 different vendors. Something isn’t working, and you don’t know if it’s the proxy, the internal IPS, the external IPS or whatever else it could possibly be. You scratch your head and set up a test bed to see if you can figure out where the connection is breaking for that particular application. I’ve seen this happen and believe me when I say it’s an IT nightmare! Oh, and don’t try calling the vendors. They’ll point fingers at each other and, eventually, they’ll all point them at the firewall.

What’s scariest, though, isn’t that the setup is complicated, but that, in spite of this complication, security remains incomplete and (too) easily bypassed. This client had no HTTPS inspection. The internet is over 75% encrypted, so if you’re not inspecting HTTPS you’re blind to at least 75% of the browsing traffic your users generate, and to the malware and data moving over it. You might as well turn off your security systems altogether. That’s how much at risk your network is. (Inspecting HTTPS means terminating TLS at the proxy with a CA your endpoints trust and handling pinned or exempt traffic explicitly; it takes planning, but it is not optional.)

Since there’s zero monitoring and zero management (except for the SIEM), no one knows whether the various systems are up to date, how old their signatures are, or whether they’re even working properly. Considering that right now we’re seeing over 1200 new malware variants every minute, you can easily see how a security system that is neither monitored nor constantly updated becomes practically useless within minutes. Imagine how useful (not) it is after a full day of no one looking at it!

On top of all this, there’s no one monitoring the perimeter. Only the inside of the network is being monitored. So you put cameras to watch your living room, but no cameras at your door. You don’t want to catch them before they get in; you want to see them while they’re stealing your jewels. I can’t fathom why one would do that, but that was the case with this particular prospect. Likely due to a misunderstanding of what was being purchased, or an erroneous recommendation from someone who was purely interested in selling and not really in protecting a client’s network.

As such, while this network may appear adequately protected, overly even, in reality it’s grossly under-protected. Exposed. Vulnerable. Which is a great contradiction because this company spent a very large amount of money, and continues to spend a lot, in recurring maintenance fees. Their management probably believes they’re safe, but I’d wager that they’ve already been compromised, they just don’t know it yet.

So we come back to the original question – is too much security a bad thing? Is there even such a thing as too much security? Yes, and yes. Security needs to be sufficient and adequate, of course. When it is too much, however, not only does it get in the way and impede efficacy, it can also be counterproductive.

The analogy of too many cooks spoiling the broth comes to mind.