The Security Hierarchy of Needs
Welcome back, folks, for another episode of “Dave’s Security Soapbox”. This is a topic I’ve had mulling around in my mind for quite some time. It’s hugely subjective, so it’s virtually guaranteed that some people will vehemently disagree with my thoughts on this.
For those of you with a background in Psychology (or not), you’re probably familiar with a concept advanced by Abraham Maslow called “The Hierarchy of Needs”. It took the form of a pyramid split into several horizontal layers. The base of the pyramid was the fundamental stuff – food, shelter, safety and the like. The pinnacle was “self-actualization”, the point at which we fully understand ourselves and can recognize our innermost (and more transcendental) desires.
I’m going to map out a fundamental hierarchy of needs in the infosec products space. I am headed out to RSA 2009 in a month or so (see the Events page for my presentation info), and my thoughts are all over the infosec vendorspace. The last two years I’ve gone, I’ve been spectacularly underwhelmed by the plethora of “me too!” and buzzword-laden product offerings that are just NOT technically innovative or exciting at all. And so blog I must.
Let’s start with the categories, and then I’ll explain my simple methodology. I actually used last year’s (2008) RSA Conference Guide as a reference just to make sure we’re all talking the same talk. The RSA guide categorized all the vendors on the Expo floor, and I’ve culled from that (with some condensation and modifications). Here goes:
- Access Controls: Network/Host
- Administrative Password Mgmt
- Anti-malware (spyware & virus prevention/detection/eradication)
- Application Security (code analysis)
- Application Security (Web App Firewalls, etc)
- Audit and compliance tools
- 2-factor Auth (biometrics, smart cards, tokens, etc)
- Content filtering/mgmt
- Database monitoring
- Database encryption
- Email encryption
- Email security
- Encryption/key mgmt
- Endpoint security solutions (NAC and such cruft)
- Endpoint encryption
- Network Firewalls
- Host-based firewalls
- Forensics solutions
- ID mgmt
- IM Security
- IDS / IPS
- Log Management
- NBAD solutions
- Patching and configuration management
- Penetration testing and VA tools
- Remote Access / VPN
- Risk mgmt and analysis
- Storage Security
- Wireless security
Wow. Even with my extensive efforts at consolidation and simplification, that’s a fair-sized list. To be sure, you could wrangle this in a number of ways, too. For instance, you could consolidate all email and IM solutions into something like “Messaging security”. You could lump IDS/IPS/Firewall into “Network Security”. I didn’t want to OVER-simplify here, though, just to make sure the individual purpose of each category was obvious. So now let me explain my general methodology. I broke the hierarchy into four layers, which I’ll explain here:
- Fundamental security solutions: This is the “base” category that is essential to sound security in an enterprise. Without this, chances are you’re toast or soon will be.
- Important security solutions: These are “things you SHOULD have”. If you don’t have them, you may be able to get by, but you’re really not in that nebulous “best practices” area we love so much. You will also NOT be popular at security geek cocktail parties. Just saying.
- Enhancing security solutions: These are “things you COULD have”. These solutions can make routine tasks much easier, can simplify your life, and are great if you have budget money. In certain cases, you may have a very specific business need that warrants a point solution in this category, but in many cases these are things on your wish list, and maybe the things you sort of covet at the aforementioned cocktail parties when your compadre from down the street brags about HIS sweet new implementation.
- Holistic solutions: These are the “umbrella” solutions that overarch the rest and provide the “glue” that links everything together. This is the tip of the pyramid, the most technically sophisticated solutions (and the most complicated, in many cases). They’re almost always unnecessary, but let you achieve very granular control over your security controls with more centralized reporting, correlation, and all that stuff that lets you REALLY smirk a bit at these mythical infosec cocktail parties I keep talking about.
A few things are not included at all. It’s tempting to argue that things like policies, configuration standards, processes (operational/administrative) and the like are all critical here, and they ARE. However, I think those are somewhat of an overlay alongside the entire pyramid, and so let’s assume that those are integral at every layer, in varying degrees. So without further ado, my Security Hierarchy of Needs (the pyramid, from the bottom up: core fundamentals, important solutions, enhancing solutions, holistic solutions):
Alright, now for the explanations and caveats. Starting at the bottom of the hierarchy, here are some additional insights that will help explain my reasoning:
Core fundamentals layer:
- I don’t care what kind of anti-malware you use. Security people reading this may not even USE traditional anti-malware (I personally hate it), but think of the users. I know it hurts, but try. 🙂
- Network firewalls, in some form or fashion, are just a must. You could argue that this falls into “access controls”, and I would agree as a macro-level category, but firewalls have enough individuality these days to warrant their own category, and I can’t imagine not having one. Sort of like my network infosec “wubby”, or security blanket.
- IDS and IPS – I couldn’t care less which you use, really. However, you need eyes/ears on the network, and this fills that role. Whether you play the inline game or not, you need network intel and here you go.
- Some of you will scream bias in “patching and config mgmt” since I work for a vendor in this space. Of course you’re right, but this ain’t my first rodeo, either, so I’m perfectly capable of being objective during this kind of analysis. I’ve been in the trenches a LONG time, and this one is critical. If you use WSUS for patching and Windows’ included Group Policy for config mgmt (or scripting for that matter), I don’t really care about that either. As an area of infosec, this one is hands-down a core fundamental.
Important solutions layer:
- Spam can be used to trick users via phishing, etc. Gotta kill spam.
- Code analysis? Damn right. It’s all code at the end of the day, folks – hardware has no brain. We need to start getting this drilled into our brains NOW – review code. Fix code. Repeat.
- Encryption is, in many cases, the right answer. We’re not quite there yet, it’s expensive and tough to manage, but we need more of it. Just like code analysis tools, we need to get our arms around this and do it QUICKLY.
- Pen testing and VA tools can tell you what’s f***ed before someone else finds it. If you’re not proactive, you’re reactive. Get proactive and start scanning and assessing yourself regularly.
Enhancing solutions layer:
- Most platforms have some form of password management built in, so a dedicated administrative password management product really just adds a bit more functionality on top of that.
- Endpoint tools and host-based firewalls (or HIDS, for that matter) sound great in theory, but they are tough to manage and keep up with. Plus, the added overhead on remote systems can start to bog them down.
- Forensics wonks will likely pitch a fit about where I placed this category, but sorry. Most people don’t have the time or budget to really “do forensics”. For those of you that do, rock and roll. It’s great stuff, and can really help you get to the root of the most difficult infosec incidents. Most business owners don’t give two shits, though. Find it, fix it, get back in business. And this can be done 90% of the time sans forensics.
- Wireless security needs a clarification: this ONLY applies to wireless security PRODUCTS. Enabling and configuring the security features built into WAPs and other gear is ESSENTIAL, and really falls under the fundamental category of configuration management. You MUST have strong wireless security; I’m just saying you can usually get what you need with the gear you’re already using, as it’s typically built right in.
- DLP? Ummmmm… buzzword? If you do most of the other things right, you won’t need it. My main beef with this solution is its lack of maturity; it really does have promise, and we DO need to prevent data leakage. But damn, that’s one hell of an expensive enhancement to regex.
- Log mgmt is like wireless – you really should do it, I am just not sold on BUYING anything to do it. I’ve built homegrown solutions, they worked. This is a “nice to have”, without a doubt. You may really see a need for this one, and I could go along with moving this one down a rung in the hierarchy. Convince me.
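To put some meat on the “expensive enhancement to regex” jab, here is an added example (my own illustration for this post, not code from any DLP product) of what a homegrown content rule looks like and where it stops. The digit-run regex alone flags any 16-digit order number; a Luhn mod-10 check is the first “enhancement” that turns it into a real card-number detector, and decoding base64 tokens before matching is one of the things you end up paying a vendor for. The sample messages are constructed, and the card number is a well-known test number, not a real account.

```python
import base64
import binascii
import re

# Constructed sample messages (no real data). 4111 1111 1111 1111 is a
# well-known test card number that passes the Luhn check; the "lookalike"
# is the same digits with the last one changed, so it fails.
SAMPLES = {
    "plain": "Customer card 4111 1111 1111 1111 exp 12/27, SSN 123-45-6789",
    "lookalike": "Order ref 4111-1111-1111-1112 shipped Tuesday",
    "encoded": "attached: " + base64.b64encode(b"card 4111111111111111").decode(),
}

PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")    # US SSN shape only; no checksum exists
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")  # tokens worth trying to decode


def luhn_ok(digits):
    """Luhn mod-10 check: the 'enhancement' that separates card numbers from digit soup."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Digit runs that look like a PAN and pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan(text):
    """Regex-only pass, the way a naive DLP rule runs."""
    return {"pan": find_pans(text), "ssn": SSN_RE.findall(text)}


def scan_decoded(text):
    """Same rules, but also look inside base64 tokens, which plain regex never sees."""
    result = scan(text)
    for tok in text.split():
        if B64_RE.fullmatch(tok) and len(tok) % 4 == 0:
            try:
                decoded = base64.b64decode(tok, validate=True).decode("utf-8", "ignore")
            except (binascii.Error, ValueError):
                continue
            inner = scan(decoded)
            result["pan"] += inner["pan"]
            result["ssn"] += inner["ssn"]
    return result


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "regex only:", scan(text), "with decoding:", scan_decoded(text))
```

Run it and the plain message is caught, the lookalike order number is (correctly) ignored because it fails Luhn, and the base64 attachment sails straight past the regex-only pass. Every further layer a product adds (zip files, Office documents, images with OCR, traffic that is TLS-encrypted) is another such blind spot being closed, which is exactly why the price tag is what it is.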
Holistic solutions layer:
- Identity management is the most nightmarish project many of us have ever been exposed to. I have candidly NEVER seen it done right, and there’s probably a plethora of reasons for that. Could it be amazing and enlightening if implemented and architected properly? Hell yes. But it’s just not practical for most enterprises.
- SSO is in the same boat as ID mgmt, and some would argue it’s a sub-category of ID mgmt in fact. Same logic applies – can be a PITA, and most of us just don’t have the time etc.
- SEM solutions can be an albatross or a panacea, and sometimes both. I’ve used a lot of them, and I have seen a number of cases where these can be the ultimate tools to have and use. I’ve also seen cases where people were drowning trying to get it to work. But for my money, I’ll take SEM solutions as the best investment you can make for getting a good portion of your security house in order.
- Risk management is 100% integral to our profession, especially those (like me) with a serious business mentality. In fact, if you DON’T do this, you won’t be relevant for long in this field (I’ve ranted about this before). But do you need a SOLUTION? I don’t think so, in most cases. So the moral of the story is risk management is required, risk management solutions are not.
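Since I said above that homegrown log management works, and here that SEM is about correlation and centralized reporting, here is an added example (written for this post, not taken from any product) of the core of such a homegrown tool: normalize two different log formats into one event schema, report per source IP, and run two correlation rules across them. The log lines are constructed, the year is an assumption because classic syslog lines don’t carry one, and the thresholds are arbitrary starting points you would tune for your own network.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines (not captured from any real system): sshd
# entries from one host and iptables-style drops from a firewall.
AUTH_LOG = """\
Mar  3 10:02:11 web01 sshd[2113]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar  3 10:02:13 web01 sshd[2113]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Mar  3 10:02:15 web01 sshd[2118]: Failed password for root from 198.51.100.7 port 51250 ssh2
Mar  3 10:02:20 web01 sshd[2120]: Failed password for root from 198.51.100.7 port 51261 ssh2
Mar  3 10:02:24 web01 sshd[2122]: Failed password for root from 198.51.100.7 port 51270 ssh2
Mar  3 10:05:40 web01 sshd[2140]: Accepted password for dave from 203.0.113.9 port 40022 ssh2
Mar  3 10:09:01 web01 sshd[2151]: Failed password for dave from 203.0.113.9 port 40030 ssh2
"""
FW_LOG = """\
Mar  3 10:01:50 fw01 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=23
Mar  3 10:01:52 fw01 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=3389
Mar  3 10:01:55 fw01 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=445
Mar  3 10:03:10 fw01 kernel: DROP IN=eth0 SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP DPT=8080
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
AUTH_RE = re.compile(r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
FW_RE = re.compile(r"DROP .*SRC=(?P<ip>\S+) DST=\S+ PROTO=(?P<proto>\S+) DPT=(?P<port>\d+)")
YEAR = 2009  # assumption: classic syslog timestamps carry no year


def parse_ts(ts):
    return datetime.strptime(f"{YEAR} {ts}", "%Y %b %d %H:%M:%S")


def normalize(auth_text, fw_text):
    """Turn both log formats into one event schema, sorted by time."""
    events = []
    for line in auth_text.splitlines():
        m = SYSLOG_RE.match(line)
        a = AUTH_RE.search(m["msg"]) if m else None
        if a:
            events.append({"time": parse_ts(m["ts"]), "host": m["host"], "ip": a["ip"],
                           "kind": "auth_fail" if a["result"] == "Failed" else "auth_ok",
                           "detail": a["user"]})
    for line in fw_text.splitlines():
        m = SYSLOG_RE.match(line)
        f = FW_RE.search(m["msg"]) if m else None
        if f:
            events.append({"time": parse_ts(m["ts"]), "host": m["host"], "ip": f["ip"],
                           "kind": "fw_drop", "detail": f"{f['proto']}/{f['port']}"})
    events.sort(key=lambda e: e["time"])
    return events


def summary(events):
    """Centralized reporting: per source IP, how many events of each kind."""
    per_ip = defaultdict(Counter)
    for e in events:
        per_ip[e["ip"]][e["kind"]] += 1
    return per_ip


def detect(events, fail_threshold=5, window_s=60, scan_ports=3, followup_s=600):
    """Rule 1: N login failures from one IP against one host inside a sliding window.
    Rule 2: an IP dropped on several distinct ports at the firewall, then failing a
    login elsewhere within followup_s. Rule 2 is the cross-source correlation a SEM buys you."""
    alerts = []
    fails = defaultdict(list)   # (host, ip) -> timestamps of recent failures
    drops = defaultdict(dict)   # ip -> {proto/port: first time it was dropped}
    for e in events:
        if e["kind"] == "fw_drop":
            drops[e["ip"]].setdefault(e["detail"], e["time"])
            continue
        if e["kind"] != "auth_fail":
            continue
        recent = fails[(e["host"], e["ip"])]
        recent.append(e["time"])
        while (recent[-1] - recent[0]).total_seconds() > window_s:
            recent.pop(0)                      # slide the window forward
        alert = ("brute_force", e["ip"], e["host"])
        if len(recent) >= fail_threshold and alert not in alerts:
            alerts.append(alert)
        ports = drops.get(e["ip"], {})
        alert = ("scan_then_auth", e["ip"], e["host"])
        if len(ports) >= scan_ports and alert not in alerts:
            if 0 <= (e["time"] - min(ports.values())).total_seconds() <= followup_s:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    evs = normalize(AUTH_LOG, FW_LOG)
    for ip, counts in summary(evs).items():
        print(ip, dict(counts))
    for a in detect(evs):
        print("ALERT", *a)
```

On the sample data, 198.51.100.7 trips both rules (three ports probed at the firewall, then five failures against web01 inside 13 seconds), while Dave’s single typo from 203.0.113.9 stays quiet. The part that scales badly, and where a bought SEM starts to earn its keep, is everything around this loop: parsers for every device you own, clock skew between sources, retention, and who gets paged.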
So here’s the rub – I’m not bashing anything on this list. I work with a lot of vendors, I teach this stuff at SANS, I have architected solutions for my consulting clients that involved everything on this list. But if I were pressed to argue what solutions are more important than others in most cases, this is probably how the chips would fall. What say ye?