A old colleague of mine introduced me to an interesting metaphor: he said he always wanted to sell products that were aspirin and not vitamins. “Vitamins are great,” he said, “they make you healthy and you can buy them whenever or wherever you want — there’s no urgency. But if you have a headache, you want an aspirin now.” This is great for a vendor selling a product, but the aspirin rarely addresses the root cause of your problem — it just masks the symptom and doesn’t actually solve your problem.
As applied to the security world, this analogy seems even stronger than in other industries. As a security professional, you’re faced with addressing an endless array of threat surfaces. Luckily, there are a myriad of analgesics — each claiming to instantly solve your headaches. Wandering through the RSA show in San Francisco this past week, there are a myriad of companies offering endpoint protection, threat intelligence, anti-malware, vulnerability assessment, forensic tools — just to name a few categories. Maintaining control over a complex enterprise environment can easily degenerate into an exercise of purchasing, integrating, supporting and monitoring new solutions. But if all of these are aspirin, there is a separate pill for each different type of ache: head, neck, muscle, or … perhaps just pain in the posterior? What happens when your headache comes from taking too many aspirin?
Why don’t we address the root causes of the various aches and pains: today’s environments are too open and too easy to break into. Each layer of application and infrastructure is a surface to be covered, and each new framework (virtualization, containerization, continuous deployment systems) also needs hardening, which adds more and more complex controls. Trying to detect and respond to every possible threat is even more futile. The problem is complexity, not insecurity. Instead of adding new kinds of aspirin to cover every security headache, what happens if we focus our efforts on making it easier to cover all the gaps we already have — and reduce the complexity in the system overall? Instead of trying new and more complex methods to detect and stop each new advanced threat, why not instead focus on limiting the impact of any event?
The problem with these metaphorical vitamins is that there is no mystery, and it involves not only good technology but a fair amount of good diligence to maintain. A strong posture requires not only an architectural approach, but careful adherence to best practice. It’s arduous, and it’s not sexy — but it works. In the world of physical security, containment and zero trust are two of the most powerful tools for securing an environment. Limit access to where an attacker can breach your environment, and more importantly: assume breach. What if you could focus your efforts on limiting the next steps of an attack than preventing the first step. Then add effective surveillance, so you can effectively track where your adversary actually makes progress and spend less time looking at the noise as they rattle cages along the way.
What happens when the vitamin becomes easy to use, and perhaps even tastes good? If a strong security posture is easy to maintain, and doesn’t require complex architectural designs, and is simple and effective to deploy and maintain — would you be more likely to use it? What if it actually made your environment less complex and easier to deploy, troubleshoot, and maintain?
At Skyport, we believe that security should be more like a vitamin — a proactive and hardened architectural approach that becomes a transparent part of your infrastructure. SkySecure embeds effective security controls into the infrastructure itself. It’s an architecture that delivers not only hardened systems, but assurance for your security posture as well: proof that effective controls and policies are delivered correctly every time, and that they are working. If vitamins taste good and help prevent your headaches too, they’d be a much better investment than adding more aspirin.
Bonus: Doug Gourlay and I stopped by the TWiT podcast studios last Friday to share our thoughts on RSA, as well as the work that Skyport is doing to support secure Active Directory deployments. Our segment starts at 36:30 into the podcast. Check out Skyport Systems on This Week in Enterprise Tech.