Seems like this time of year everyone in technology starts assembling a security wish list for Santa. The efforts are borne from real frustration with the industry and the lack of progress we seem to be making in certain areas, such as security. I thought this year I'd do something different. Instead of a letter with a list of changes and improvements I'd like to see, I'm proposing some recommendations for Santa's naughty and nice lists. I'm offering up those who should be getting coal in their stockings and the ones that should get ponies or Red Rider BB Guns.
Overall, it's been a rough year for St. Nick, and he's got some heavy lifting with Edward Snowden and the whole NSA debacle to handle, so I thought I'd take some of the workload by compiling this enterprise security wish list for the new year.
On the naughty list: No more buzzwords that don't mean anything
Let's start with naughty. First, I'd like to nominate any vendor who uses the term "next-gen" in a product name or in marketing literature. The word was provocative and intriguing the first 100 times I heard it, but it's starting to wear thin. Originally, it applied to firewalls and implied new subtleties in application inspection, but now I'm hearing it used liberally with everything from network hardware and applications to intrusion detection systems.
Colleagues keep asking me what next-gen actually means and my answer is, "That's what marketing people say when they can't point out any real feature improvements anymore, but still want your attention." It's the modern equivalent of new and improved, since you can't really use that phrase anymore without arousing consumer skepticism.
Threat intelligence is offered, but without explaining how it's done
How about anyone using the phrase "threat intelligence" (TI) as a feature in a security product without actually defining how it's provided? When a security vendor concedes that "usage of the term [isn't] consistent," you know you have a problem. Gartner terms TI like this: "…evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard."
For the love of Diffie-Hellman, please continue this work.
But as the industry moves toward more managed security services and away from processes formally performed by in-house security teams, it seems TI more often represents curated threat and vulnerability data combined with some on-demand malware analysis -- all available through a single portal. I don't have a problem with the delivery mechanism or its monetization, but I'm not convinced this represents a comprehensive definition of threat intelligence usually found with the Information Sharing and analysis Centers (ISAC) model.
Next on my list is any organization that allows users to take home unencrypted laptops that have personally identifiable information on them. We're still having the same painful breach disclosures every year, even though everyone knows better. Yes, implementation of security controls is work, but there are plenty of straightforward methods to protect user data.
There's tokenization, substituting the sensitive information with a placeholder. Intel AES-NI makes full-disk encryption barely impact system performance anymore, especially with a solid-state drive. Additionally, self-encrypting hard drives perform the work in the controller. There are also a number of data leak prevention application agents available, which can detect the presence of sensitive information on a user's system. With all these options, there's no excuse to continue being poor custodians of the information entrusted to you. These options don't guarantee you won't have a breach, but at least you're not leaving the front door unlocked.
How about companies that create those yearly online security-awareness training classes for users? They should get a lump of coal the size of Iceland. They're bad, boring and seem to be created just so someone can hit a check box on a compliance form. And an even bigger lump of coal should go to the security departments that think those classes should be the extent of their communication and awareness training for users. It's disengaged and insulting, so you get what you deserve. Please remember that when you're attempting to figure out why your CFO responded to a spear phishing email. Instead, try talking to the user community, really educating them about the threats in cyberspace. Maybe you'll actually make a difference.
On the nice side: Making email encryption usable
Now for the nice. Anyone who's actually working to make email encryption usable and less excruciating for users, I applaud you. I know it's hard to get right, but I'm really tired of the interpretive dance I have to do when training users how to send email with asymmetric encryption using public/private key pairs. For the love of Diffie-Hellman, please continue this work.
What about those tireless privacy advocates who are constantly checking websites, browsers and plug-ins to determine how much of my data winds up with Big Brother? While I used to think Bruce Schneier and Christopher Soghoian were a couple of tin-foil hat-wearing paranoids, I no longer have the illusion that I can be invisible on the Internet. At least I know there are researchers disclosing how much of my information is no longer private. If I could put magical unicorns in your stockings, I would.
Finally, a toast to those companies and individuals working on and promoting software-defined networking (SDN). As a security professional, I have glimpsed the future of orchestration and policy management resulting in easier auditing: It's beautiful. I have hopes that SDN can integrate security into network and systems operations so that I don't have to spend my days babysitting every major application deployment. If you guys can get this right, you should get to pull Santa's sleigh, pushing Rudolph to the back of the line.