March 13, 2019 • Darian Lewis
RSA Conference just concluded last week — RSAC 2019, to be exact — and I had never attended this particular security conference before. If you work in information security, you go to several events a year and quickly realize that some vendors spend the majority of their marketing budget on these conferences. It can be a bit of an overwhelming circus. Everyone is yelling the latest buzzwords at you, telling you if only you had their products, your problem would be solved.
This year, I was asked by Recorded Future to speak to an audience in a panel, so I decided to come and give it a try. I have been very lucky lately to have Recorded Future as a vendor because they’ve been asking me to give them my thoughts on security topics and on their solutions. One doesn’t always think of growing older in a positive way, but strangely enough, it does mean you’ve seen more things and your thoughts seem to bring all those experiences together, so I’m going to play that role for a bit.
Moreover, most vendors in the security space are pleased to have you as a customer, but aren’t really looking to hear your honest opinions on topics other than renewal. I am pleased that my experiences with Recorded Future are very different and that they’ve been forcing me to be a better security practitioner.
I have been on panels before. You sit with others in the same industry but play different roles. It’s usually on a stage with a moderator in front of your peers. The moderator comes up with great questions that make you think — he proposes them to you, and you get to go completely blank in front of an audience. It’s the best!
The idea, though, is that you think about problems from different perspectives and see if you can find a new idea in the mix or play off each other’s answers to come up with a unique solution to some of the problems we all face. If you didn’t attend this panel breakfast, you missed out on something very cool.
The win for me that day was being asked a question by a rather insightful audience member.
After stumbling my way through the moderator’s questions with a million thoughts buzzing through my head and unable to form a coherent thought, we opened the floor to the audience for questions. It was the second question asked by an audience member: “Do you think it is possible to modularize security use cases?” I had an immediate, visceral response of, “No, absolutely not,” and then had to stop and wonder why I thought that and why it evoked such an immediate response in me.
At the time that I answered that, I didn’t think it was really an effective thing to do since the use cases we have are all unique to the environment we live in — the solutions we’ve implemented to address our unique problems, the risk and attack surfaces we present, and the budgets we have to work with. Our other panel members gave very eloquent responses as to whether they thought we could or couldn’t, and why. That question stuck in my head though. I didn’t realize how pivotal that question was until after a short nap, and then it hit me — the young woman who asked it had just described the entire information security product space and was asking if it was a good idea or not, and I really didn’t think it was.
Now, I want to answer that question again, hindsight being 20/20, as the adage goes. The information security industry has been creating solutions in search of a problem for ages and it isn’t working well for us. As I explained to the audience member, my thinking was that it’s a difficult proposition to take a series of solutions to individual problems and chain them together to solve your unique problems. There are gaps in the use cases that are specific to each individual security practitioner, each department within the organization, the organization as a whole, and the greater security community.
The gut feeling that hit me happened because I’ve been working through modular use cases for a year now. It’s been like putting a round peg in a square hole every time with finding a security solution that matches your individual needs. You keep getting a bigger hammer to force them in, you use glue logic and Python to stitch them together into something that gets you closer, and you fill in any gaps with really good people and a thorough understanding of your capabilities and processes.
The problem is that the result is a rat’s nest and you can’t see the blind spots you have — at least until some kind threat actor shows them to you.
Not to say that security products are bad because of this — they solve a unique set of problems that they have seen a number of times — but the responsibility is on us, the feet on the ground, to realize whether our unique problem set is solved or even described by those solutions. Making those use case solutions more modular actually takes us away from our unique problems and exacerbates the situation of solution gaps described previously. We have to hold our vendors accountable to the problems they are actually solving, and they need to hold us accountable to tell them what we really need.
If there’s not a match, each of us needs to be honest with the other about it. I have been trying to do it with all the vendors I work with. I am sure it is perceived as being a difficult customer, but honestly, there’s room for each side to grow in their respective roles. We can make our vendors better able to provide the solutions we need and our vendors can make us really examine our problems in new ways if we take the time to help one another.
I think that’s the answer I would rather have given, had I been able to sleep the night before and been able to form coherent thoughts in front of an audience. Hopefully I didn’t come off as the crazed, sleep-deprived person I thought I did — but I know for a fact that I came away with more than when I went in.
I’m truly thankful to have vendors like Recorded Future who are forcing me to be a better threat intelligence analyst, a better security practitioner, and hopefully, a thought leader in an industry that needs more of them.