How to be an effective security buyer

Make sure every tool or appliance you buy can be applied to different types of risk and attack

In previous columns I have repeatedly emphasized the importance of interoperability and the danger of security fragmentation. Security is so fragmented that it is often hard to discern between hype and reality. Large security vendors try to draw you into a single-vendor closed integration package. Small vendors try to sell you the latest magic bullet, presenting what should be a feature as a whole new industry. Inevitably, you are left to cobble together disparate systems in order to get the depth of defense and layering of controls that you need.


Here are some quick tips on how to be an effective "buyer" of security:

Never buy a single-purpose tool. This is inspired by Alton Brown, who advises against buying kitchen tools that are "uni-taskers" (e.g. a cherry pitter). Instead, make sure every tool or appliance you buy can be applied to different types of risk and attack. Widely applicable tools that are not specific to one threat make a more effective toolbox and provide deeper defenses and more overlapping layers of defense. Evaluate whether the tool or security solution covers:

• External and insider attacks

• Malicious and inadvertent incidents

• Known and unknown threats

• Automated and targeted attacks

• Heterogeneous OS and platforms (including mobile)

Avoid management feature overlap. You don't need another reporting engine for compliance. You need the tool to integrate with your existing reporting engine. For each of the following areas you should think about building a multi-vendor, open-standards based, shared infrastructure. You should avoid replicating these functions in every tool:

• Logging and auditing

• User, group and role directory

• Policy management

• Alerting and notification

Focus on assets, not threats. A tool that protects any asset against one specific type of threat (e.g. guns, but not box cutters) is not as useful as a tool that protects one asset against any threat (e.g. a reinforced flight-deck door). If attackers can simply switch attack vectors, they will. If they have to switch targets, you have disadvantaged them.

Mortar, not bricks. The part that makes a wall strong is the mortar, not the bricks. Disconnected bricks fall down with a slight nudge. Buy "glue" software and security solutions that tie together various controls, monitoring systems, notification systems, etc. A well-integrated system with fewer controls is better than lots of disparate controls with no glue.

Empower people. Security cannot be automated as much as you'd like. Human adversaries will always be smarter than automated tools and will leverage human ingenuity to skirt around your protections. You can't replace well-trained security professionals exercising judgment with computers. So empower the people by giving them tools that multiply their impact and productivity, instead of trying to replace them.

Standards, standards, standards. Interoperability and "glue" infrastructure require open APIs, open protocols, open formats and open standards. How do you know it's really open and not just a committee endorsement of pseudo-standards? Look at how many different, potentially competing companies can interoperate using the standard. Ask the vendor: "Which of your competitors uses this?" If the answer is "none," then it's not a standard.

If all security buyers make slightly different choices, the industry will shift, dramatically and rapidly. There has never been a greater need for change in our industry.


Andreas M. Antonopoulos

Network World
