Cyber Security: Quotes from sales and marketing to listen out for

At the time of writing it is only a few weeks until Infosec Europe 2018 – the big London cyber security show – rolls into town at Kensington Olympia on 5th-7thJune (Huntsman Security is on stand E190).

This annual event is always an interesting time in the cyber security calendar.  This year it is hard to predict what the key themes will be.

The RSA show in the US was back in April; and there is often a trend, topic or theme that is on everyone’s lips at that event.  Sometimes that theme is echoed in the slightly later Infosec, but not always. This year RSA didn’t have such a prominent, all consuming topic – it saw discussion of sound risk management and a continuation of interest in AI, but there was no common “silver bullet”.  So it is hard to extrapolate forward from that.  See our blog post here.

Also this year the “go live” date for GDPR has just passed.  25thMay was the day when, in theory at least, that little compliance initiative went live.  Although in reality the flurry of “confirm you want to keep hearing from us” is the tip of the ice berg.  GDPR will be a topic at Infosec, but possibly less so that the year before.

Some popular quotes, and how to interpret them

One thing is for sure, with the continuing prevalence and growth of threats (a recent study by the IISP highlighted that threats were growing at a faster rate than budgets and defences) there is more than enough Fear, Uncertainty and Doubt around to keep sales teams busy in cyber security.  So this “cyber security quotes” post will highlight some of the service and product claims made and what they mean.

Cyber security quotes: “This product is all you need”

It is easy to characterise a particular issue and a corresponding product as the entirety of a problem and its solution.  We saw this a few years back with firewalls – which prevented network attacks and hence made networks safe – which did very little to protect against application-layer vulnerabilities or systems that were connected around them.

However we still see this today with products that cover off families of attacks that are perceived (or described) as being a panacea – so they might control application execution and hence stop all malware, viruses, phishing and insider attacks; or they might provide a network gateway that filters/policies everything, or hold data in such a way that rogue actions cannot pass through, or be performed on it.

We all (hopefully now) recognise that security is like a wall of many bricks and that any one solution might guard/prevent/stop/detect one type or route for attacks – but that often just moves the attackers to an alternative route, in a different type of exploit or a different layer of the network protocol/application stack.

Cyber security quotes: “Problem z is the worst problem, we have solved it”

For the vendor who has solved problem z, it is the only problem that matters.  To the CISO or security operations team all of the problems they are facing are the worst problem, because at any one time they have to defend all systems against all threats on all vectors.  The worst problem is simply the one small chink in the armour they miss; which a hacker or attack then detects and exploits.

This asymmetry between the success/failure of attackers and defenders really epitomises the nature of the cyber security challenge.

So problem z may be a valid problem, but once you have solved it (with the solution offered) it is immediately replaced by the next worse problem which moves into the number one spot. So in essence thinking this way is akin to deriving security strategy by the order in which you encounter vendors on a trade show floor or in the alphabetical show catalogue.

Cyber security quotes: “The product works by <something that sounds really complicated>”

This type of claim is often used to avoid talking about a concept that is really quite simple, or exists elsewhere, but which forms the basis of a product or feature that the supplier has to generate some excitement and hype about.

Often the “complicated thing” is mathematical or relates to the nature of the code; and to the non-mathematical or non-programmer audience; this science can be indistinguishable from magic (to quote Arthur C Clarke’s third adage).

So a solution or package with a large number of features or integrations might be partly formulated by a considerable number of Powershell, python or bash scripts that actually do the hard work (but are each individually really very simple).

Conversely is a situation where a solution provides a capability that is so hard to understand, configure and get set up right; let alone use; that it requires content support contact and professional services time – or ongoing tuning and adjustment.

Security technologies that are simple but obfuscated to sound clever often can be easily reproduced with a little ingenuity at the coal-face.  And the last thing the complex challenge of cyber security needs is the technological equivalent of the Rube Goldberg machine.

Yes, some things are complex.  Other things are made to sound complex to help sell them or justify a higher price.

Cyber security quotes: “Its unbreakable” (or any derivative)

This is really the security equivalent of wild west snake oil.  A technology that is so advanced, so complex, so simple and so clever (insert superlatives as needed) that it cannot be broken, defeated, subverted or hacked into.

Those who have been in security for some time will have seen enough of these to be able to a) spot them immediately (b) bypass them and move on and (c) probably figure out a way to break them if they needed to.

Often it is not the fallibility of the code itself, but the management environment, the reality of user activity or the demands of the operational environment.  But in most cases its just simply not worth delving further; and if the claim relates to cryptography just walk away – anyone who has such a fundamental misunderstanding of how crypto works as to make a claim like that (often one that has had no peer review and is “proprietary”) has no business selling you solutions that claim to protect your data.

Cyber security quotes: “This suite of products is all you need because it works together”

A vendor with a suite of products may claim it is countering the issue of multiple avenues of attack by providing a set of separate technologies, services or solutions that cover off these multiple access routes, exploit vectors or avenues for ingress of malware or egress of data.

There are two problems here. The first is that even if the suite of solutions gives a comprehensive range of coverage (maybe it detects viruses at a gateway, an endpoint, a server and on removable media) the component parts might not be the best-in-breed at each point or in each characteristic of the solution.  So it might be the best firewall but not the best DLP; or the best content filter but not the best VPN endpoint etc.  Buying a complete suite is a trade off between a set of products that work together but might be a compromise of functionality or quality, and buying best of breed solutions that tick the quality box, but might not work together or integrate (or use the same console/management interface).

The second problem is that in many cases these suites of products have not been designed or written by the same team or even the same company.  They have been acquired, rebadged and then kind of made to work together in some way. As the versions progress this can improve, but often the three integrated products will have different data stores or interfaces, or command syntaxes etc.  All you are doing here is saving the effort to raise separate purchases orders, and if you are working through a reseller then even that is a slim benefit.

All the elements work together – but do they?

Cyber security quotes: “This will detect x extra threats or find y types of attacks”

It is a truism in cyber security that as defenders address (or try to) a particular threat or avenue of attack, those seeking to compromise systems will investigate other means. Hence firewalls that protected against network level attacks ended up being subverted in many cases by web application exposures such as SQL injection that operated at the application layer that the firewall was allowing through.

On the face of it this arms race is an inherent feature of the cyber security landscape, although there is a risk management decision as to how far down the road you are prepared to travel. In particular, how early you invest in a new technology that might be market-leading and premium-level initially, and hence expensive; but a few months later once rival products and even existing products have implemented similar ideas, they might be more mainstream and considerably cheaper.

However the bigger challenge is not “when to invest?” in detecting a new family of attacks; it is “how to deal with the increased volume?”

Past inventions, such as IDS, were greeted with great excitement by the market, but then were often followed by huge annoyance at the level of noise and traffic they generated which had to be dealt with.  “Tuning” these systems became a black art and inevitably the de-sensitising of some alerts and the ignoring of others was not the right approach.  Having a process, a workflow and the necessary “management” toolsets in place to deal with the volume of alerts (whether these are true, valid attacks, false positives or background noise) is essential.

Cyber security quotes: “Let’s arrange a proof-of-concept/value, try it for two weeks and see how you get on”

This approach is very common; particularly for products that “detect things”.  It allows an easy distinction to be drawn between the “before state”, where you couldn’t see things and the “after state”, where you can.

However, bear in mind that during any such process the sensitivity of any such solution is going to be at the maximum level possible – far higher than might be either sensible or operationally practical.  For the sales team, the more things they find the better – however once live (and the goal will always be that you pay them to not take the system away) the operational demands of the solution, even in a tuned and perhaps more realistically sensitive form, might be onerous.

During the POC you will have pre-sales consultants and plenty of advice and a discrete window when the most interesting cases can draw the focus and those that are less interesting (to budget holders and sales representatives) can be ignored; once purchased and “live” you are on your own with the complete set of operational reports and challenges to deal with (and quite possibly extremely busy).

Finding real alerts amongst false positives is like finding Wally

Having lots of issues to deal with is only a good thing if the total number of issues is your sole metric; otherwise it is just more stressful.

Infosec Europe 2018

So as the trade show commences, bear in mind these warnings.  Watch out for the sales and marketing quotes; and take time to talk to vendors that are of interest to understand what they offer and how it could help you, rather than being sold the solution they want to sell.

The challenges and fast moving nature of the threats faced mean that innovation, research and development move very quickly in the cyber security arena.

This does lead to the release of some genuinely clever technologies and solutions.  The ones to seek out are those that are designed to solve problems holistically and with an eye on business outcomes; rather than those that simply aim to sound “sexy” and be easily “saleable”.

Enjoy the show if you do attend!  Huntsman Security is on stand E190 – right by the highly advanced, revolutionary, manual floor transition apparatus (stairs).

Benchmark your existing security strategy with our 5 Step Cyber Security Tool: