We lost the network – MUST focus on the endpoints! We lost the endpoint – MUST focus on the network! We lost the network – MUST focus on the endpoints! We lost the endpoint – MUST focus on the network! We lost the network – MUST focus on the endpoints! We lost the endpoint – MUST focus on the network!
Got a headache yet? As my security analytics research project is nearing its end, these conflicting messages have finally exploded my brain. Vendors (and, occasionally, security managers) pronounce either of the above two lines as “god-given truth” – without any awareness that the opposite message is just as powerful…
So, think about this:
| We lost the network – MUST focus on the endpoints! | We lost the endpoint – MUST focus on the network! |
|---|---|
| Anybody can connect to our network | Malware everywhere – antivirus effectiveness low |
| Business partners connect entire other networks to our network | Users click things, phishing just works, etc. |
| Many connections to the internet, some with no controls | Drive-by and browser exploits a dime a dozen |
| BYOD wifi, 3G/4G, etc. | BYOD – no control over the endpoint at all |
| Our network spans 100 countries, managed by different people, etc. | Laptops are hard to manage remotely, patch, etc. |
The existence of this paradox is explained (IMHO) by one sad reason: silos!
People who “live” on the right side (let’s call them “the network guys”) know that their side is badly broken and they hope that the grass is greener on the other side – maybe the endpoint guys would block the attack. Naturally, people who “live” on the left (let’s call them “the system guys”) know that the endpoint is infected, the user incorrigible and that the malware is pervasive, but they hope that the network guys “got it.”
Surprise! The other side is just as fucked up as yours!!!
Hey, Anton, what is the point of all this?
- Silos kill!
- Generally speaking, we lost both sides 🙁
- Security must transcend IT silos (for example, incident response cannot be constrained to a silo)
- Security analytics should also go across and incorporate logs, traffic (packets, session metadata) and endpoint data (EDR / ETDR style) – and also application monitoring data
- Those who ignore today’s realities and insist on sticking to “just better netsec” or “just next-gen AV” (or whatever other false hope on the endpoint), risk losing their only advantage – see “Defender’s Advantage”
- If you think that at your particular organization security can never bridge this gap, then either change the organization or change organizations.