Recently, the Girl Scouts of America began to offer a cybersecurity badge as part of their emphasis on STEM-related badges that young girls can earn. While this may seem trivial, it is emblematic of the climate that abounds in today’s well-wired world of information technology; if the Girl Scouts of the USA are taking responsibility to be more prepared with cybersecurity, so should major enterprises. The age of do-it-yourself cybersecurity is upon us; it is expected now more than ever before.
Cybersecurity remains a persistent challenge in information technology. As reported in The Wall Street Journal, 121.6 million new malware programs were discovered in 2017, according to a report by German research institute AV-Test GmbH. That is equivalent to about 231 new malware samples every minute.
Think about it: in every minute of every day, about 230 new malware samples find their way into enterprise networks. Protecting networks and sensitive data from malware and other threats brings up a decision point for many IT leaders: must we always rely on vendors and their tools to protect against cyber threats, or can we use such tools ourselves? Is do-it-yourself cybersecurity a viable alternative?
Indeed, technology such as artificial intelligence (AI), biometrics, and more can be put to work to prevent cybersecurity compromises. In 2017, The Enterprise Strategy Group surveyed 412 cybersecurity professionals about the use of AI for cybersecurity. They found that more than 80 percent of those surveyed were using AI in some capacity to combat cybersecurity threats.
Avoiding Vendor Dependence
For IT security professionals, AI and other tools are valuable for organically managing cybersecurity without depending on vendors that might have more sophisticated tools and experience using them. "Established network vendors have an inherent bias toward sales, which are often not aligned with maximizing network operations innovation," Andrew Lerner, research VP at Gartner, told Network Computing. How true.
Jesse Emerson is the vice president of managed security services at Trustwave in Chicago, Illinois. Emerson says that IT departments that want to reduce reliance on external vendors do have a lot of resources that can help them be successful; however, the do-it-yourself security path is not for the faint of heart and is not appropriate for every organization.
“If you’re in a highly regulated organization or one with a low tolerance for risk such as banking, critical infrastructure, healthcare, then there is a strong case for leveraging mature and proven solutions and partners in your security program,” Emerson told InfoSec Insider in a recent interview. “For most organizations that require 24x7 threat protection and detection, it makes a world of sense to leverage the managed security services model rather than build and staff it independently.”
For JP Morgan Chase and Charles Schwab, for example, biometric technology is used to verify users through authentication tools such as voice recognition technology to prevent any disguised intruders from accessing sensitive information such as a financial account. They’ll purchase technology from a technology developer (in this case Nuance, which has a longstanding reputation in voice recognition technologies), then install and manage it themselves, without a security service provider.
Stick to a Standard and Get Help as Required
Emerson says that security programs should be rooted in policy and backed by standards wherever possible. He points out that industry standards such as the NIST Cybersecurity Framework are great resources to help a firm structure their security program by identifying key capabilities and program components, often mapping back to more detailed resources.
“While it’s tempting to spend a lot of time on the sexy side of security, ensuring that the basics like patch management and end-user education are performed well often has the largest impact on overall success,” he says.
But all tools and tactics still require external advisors, to some extent, to help implement and use them. Vendors and contractors, admittedly, can become like an addictive drug: once an application is purchased and used, an enterprise can become dependent on that vendor. So, you still need them, but it doesn't mean they have to do all the work.
Emerson says that even for the DIYer, it can be helpful to engage a third party to assist with defining business requirements, assessing current capabilities, and helping define a plan to establish the security program that is appropriate. In fact, one of the biggest risks to success in most programs of this nature is needing to re-engineer based on blind spots that occurred during the planning process. That’s where experience comes in.
“When developing a security program, firms should avoid the trap of focusing only on technology,” Emerson notes. “Always consider the triad of people, process, and technology, and tie the program back to requirements of the business that it is protecting and supporting.”
The bottom line: use vendors and their network security tools as required, but avoid becoming dependent on them. Focus on finding technologies that adhere to the policy established for your particular business and industry. Emphasize technology (AI, biometrics, and other authentication tools) that can be implemented and operated organically by your own staff wherever and whenever possible. Don’t rule out security-as-a-service where it makes sense and when such an arrangement provides more value than taking it on alone.
“I always suggest building your security architecture in a modular fashion so that no single vendor or solution can hold you hostage,” Emerson adds. “This often means focusing on building frameworks around capabilities rather than vendors, and then ensuring that the solutions you choose have integration capabilities based on open standards.”
As Emerson cautions, don’t go through the pain of reinventing the wheel for products that are full-featured and mature in the marketplace, such as firewalls and antivirus. Once enterprises meet the foundational elements of the security program, those wanting to push for advanced functionality and solve for edge-use cases can often make solid progress with DIY approaches. For security areas that are still rapidly evolving, there’s often more ability to innovate independently and work with open source solutions. Even commercial off-the-shelf (COTS) products often require a lot of customization.
"I caution the DIYer that turns their security team into a DevOps shop. The more your program is dependent on custom code, the less supportable and sustainable the solution," he explains. "You exchange vendor reliance for reliance on individuals, which can result in high risk if something were to happen to that individual. While it may sometimes feel uncomfortable to pay for COTS solutions, they do generally come with product-level documentation, maintenance, and support, things that are usually lacking in most DIY solutions."
Modular Approach Around Capabilities
Your approach to a secure IT infrastructure should be modular. A modular structure enables isolation and keeps any damage or problems that arise from a cyber attack manageable, should such adverse situations ever occur. Use such a structure to integrate technology that allows you to do it yourself.
“This often means focusing on building frameworks around capabilities rather than vendors, and then ensuring that the solutions you choose have integration capabilities based on open standards,” Emerson says.