Wendy is awesome. Her posts are awesome. I wanted to link to two must-reads. I’ll quote sound bites, but really every paragraph drips of awesome.
First, let’s skip ahead to, “In 50 gigabytes, turn left: data-driven security.”
“Yes, automation is getting better, but it’s not there yet. There are still too many alerts taking up too much time to sort through (particularly in the tuning phase). IT staff get hundreds of emails a day; they can’t handle more than two or three alerts that require real investigation. (By the way, this is why operations often can’t respond to something until it’s down — it’s the most severe and least frequent kind of alert that they receive all day, and they don’t have time to chase down anything lower-level, like a warning message that hasn’t resulted in badness yet.)”
There’s a parallel here to another piece I just read today via the PCIGuru blog: People in the Loop: Are They a Failsafe or a Liability?, by Dan Geer.
And also check out Wendy’s Insecure at any speed:
“What this indicates to me is that our IT infrastructure — from the networks to mobile — is inherently, badly insecure. And we’re so far down the road in its widespread implementation that it will be decades before the problem is substantially fixed, even assuming we started today with all software developers and manufacturers. Nobody is going to pay to replace what’s running just fine today — until someone loses a figurative eye.”
I love her explanation of telling security pros vs operations staff about business insecurity, and how their reactions are so different. You can pretty much tell someone’s background by their resigned or indignant reactions to the same ol’ news.
In the latter post, Wendy essentially talks about baking security into technology from the start. While I do agree with this, I’m not holding my breath on it. In fact, I just am not sure this will actually ever happen, even on a small scale.
The sad part is I can’t read posts like this without hearing my phone ring with 3 vendors proffering their wares as “the turnkey/plug-n-play solution” to any of the above issues before they even know what sort of business they just called.