Don't believe the hype
However, Ian Trump, global security lead at SolarWinds MSP, warns against hype from security vendors. "Cloud, machine learning, AI, blockchain, post-quantum – the list is extensive, confusing and leaves anyone listening who is not in security marketing with blood rushing out of their ears," he says.
At best, Trump says, the technology stack/vendor solution is 33 percent of the people, process and technology security challenge. "What I was hoping for at [February's] RSA Conference was hubris from technology vendors. What I received was an endless supply of free drinks and how the security vendors 'have the security business problem solved.'"
Apparently, he says, his security business problem was solved before the vendors even knew anything about his business.
So, what's the big RSA takeaway, he asks. Vendor security tools don't live in a security vacuum and no one has the solution. Further, if the fundamentals of security are not in place, an end user doesn't have a chance, regardless of what tools are in place. The fundamentals, he explains, include user security training, controlling administrative access and removing frequently exploited software.
"The math is easy: spend less time on the technology and more time on the people and process, the 66 percent of the security problem," Trump says. "That will allow you to start racking up the wins."
Don't believe the hype that there is a software solution or blinking light box that solves all the security problems; it is just not possible, he adds. "The threat landscape includes folks just asking for you to transfer money because the 'CEO needs it right away.' There is no vendor security tool that fixes stupidity. If you have no defined process and have not invested in and trained your people, blaming the technology is like yelling at the clouds."
Teramind's Kohen agrees, saying that educating the workforce is a priority in simplifying the security posture. Recently, he worked with a university whose administration staff received an email at their university addresses asking them to update their account information and passwords. It was a phishing scam that provided the hackers with multiple administrator passwords. When he, alongside the IT security team, investigated the issue, he realized people didn't understand that the fix is not as easy as just changing a password again, and that the attack is not someone manually digging through their information.
"The department put forward an initiative to explain how phishing scams work and that the consequences are that someone has all the data you had access to – including people's personal data."
Most likely because of the hackers' high success rate the first time, this university's administration team was targeted multiple times afterwards. The hackers, however, failed to extract any additional information thanks to the administration team's new knowledge: staff reported each phishing email and started a university-wide alert every time they received a suspicious one.