We lost the network – MUST focus on the endpoints! We lost the endpoint – MUST focus on the network! We lost the network – MUST focus on the endpoints! We lost the endpoint – MUST focus on the network! We lost the network – MUST focus on the endpoints! We lost the endpoint – MUST focus on the network!
Got a headache yet? As my security analytics research project is nearing its end, these conflicting messages have finally exploded my brain. Vendors (and, occasionally, security managers) pronounce either of the above two lines as “god-given truth” – without any awareness that the opposite message is just as powerful…
So, think about this:
| We lost the network – MUST focus on the endpoints! | We lost the endpoint – MUST focus on the network! |
|---|---|
| Anybody can connect to our network | Malware everywhere – antivirus effectiveness low |
| Business partners connect entire other networks to our network | Users click things, phishing just works, etc. |
| Many connections to the internet, some with no controls | Drive-by and browser exploits a dime a dozen |
| BYOD wifi, 3G/4G, etc. | BYOD – no control over the endpoint at all |
| Our network spans 100 countries, managed by different people, etc. | Laptops are hard to manage remotely, patch, etc. |
The existence of this paradox is explained (IMHO) by one sad reason: silos!
People who “live” on the right side (let’s call them “the network guys”) know that their side is badly broken and they hope that the grass is greener on the other side – maybe the endpoint guys would block the attack. Naturally, people who “live” on the left (let’s call them “the system guys”) know that the endpoint is infected, the user incorrigible and that the malware is pervasive, but they hope that the network guys “got it.”
Surprise! The other side is just as fucked up as yours!!!
Hey, Anton, what is the point of all this?
- Silos kill!
- Generally speaking, we lost both sides 🙁
- Security must transcend IT silos (for example, incident response cannot be constrained to a silo)
- Security analytics should also go across and incorporate logs, traffic (packets, session metadata) and endpoint data (EDR / ETDR style) – and also application monitoring data
- Those who ignore today’s realities and insist on sticking to “just better netsec” or “just next-gen AV” (or whatever other false hope on the endpoint), risk losing their only advantage – see “Defender’s Advantage”
- If you think that at your particular organization, security can never bridge this gap, then either change the organization or change organizations.
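To make the "analytics must go across silos" point concrete, here is an added example (not code from the post or from Gartner) of a small correlation rule that joins network, endpoint and application telemetry by host and time. The three event lists are constructed sample data, the thresholds and the host/process names are assumptions, and the point it demonstrates is that none of the three silos alone crosses the alert threshold, while the combination does.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the post): the same host shows up in three silos.
NETWORK_EVENTS = [  # e.g. proxy / flow metadata
    {"ts": "2014-03-10T09:02:11", "host": "wks-17", "dst": "updates.example-corp.internal", "bytes_out": 1_200},
    {"ts": "2014-03-10T09:05:40", "host": "wks-17", "dst": "files.example-cdn.net", "bytes_out": 48_000_000},
    {"ts": "2014-03-10T09:06:02", "host": "wks-22", "dst": "files.example-cdn.net", "bytes_out": 2_000},
]
ENDPOINT_EVENTS = [  # e.g. EDR process-start records
    {"ts": "2014-03-10T09:04:55", "host": "wks-17", "parent": "winword.exe", "process": "powershell.exe"},
    {"ts": "2014-03-10T09:00:10", "host": "wks-22", "parent": "explorer.exe", "process": "chrome.exe"},
]
APP_EVENTS = [  # e.g. business application audit log
    {"ts": "2014-03-10T09:05:10", "host": "wks-17", "user": "jdoe", "action": "bulk_export", "rows": 250_000},
    {"ts": "2014-03-10T08:30:00", "host": "wks-22", "user": "asmith", "action": "login", "rows": 0},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}     # assumed list
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}  # assumed list


@dataclass
class Indicator:
    silo: str       # "network", "endpoint" or "application"
    host: str
    ts: datetime
    reason: str


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def network_indicators(events, max_bytes=10_000_000):
    """Large outbound transfer to a non-internal destination: suspicious, not conclusive alone."""
    return [Indicator("network", e["host"], parse_ts(e["ts"]), f"{e['bytes_out']} bytes to {e['dst']}")
            for e in events
            if e["bytes_out"] > max_bytes and not e["dst"].endswith(".internal")]


def endpoint_indicators(events):
    """An office application spawning a script host: suspicious, not conclusive alone."""
    return [Indicator("endpoint", e["host"], parse_ts(e["ts"]), f"{e['parent']} spawned {e['process']}")
            for e in events
            if e["parent"] in OFFICE_APPS and e["process"] in SCRIPT_HOSTS]


def application_indicators(events, max_rows=100_000):
    """A bulk export well above normal size: suspicious, not conclusive alone."""
    return [Indicator("application", e["host"], parse_ts(e["ts"]), f"{e['user']} exported {e['rows']} rows")
            for e in events
            if e["action"] == "bulk_export" and e["rows"] > max_rows]


def correlate(network, endpoint, app, window=timedelta(minutes=10), min_silos=2):
    """Alert on a host only when indicators from at least `min_silos` distinct silos fall in one time window."""
    indicators = network_indicators(network) + endpoint_indicators(endpoint) + application_indicators(app)
    by_host = {}
    for ind in indicators:
        by_host.setdefault(ind.host, []).append(ind)

    alerts = []
    for host, inds in sorted(by_host.items()):
        inds.sort(key=lambda i: i.ts)
        # Use each indicator as the start of a window; the first window spanning enough silos alerts.
        for anchor in inds:
            in_window = [i for i in inds if anchor.ts <= i.ts <= anchor.ts + window]
            silos = {i.silo for i in in_window}
            if len(silos) >= min_silos:
                alerts.append({"host": host, "silos": sorted(silos), "reasons": [i.reason for i in in_window]})
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate(NETWORK_EVENTS, ENDPOINT_EVENTS, APP_EVENTS):
        print(alert["host"], alert["silos"], alert["reasons"])
```

Run as-is it reports one alert, for wks-17, backed by all three silos; feed it only the network events and it reports nothing, which is the silo problem in miniature: each source on its own is a weak signal that a single team would reasonably ignore.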
7 Comments
So is focus on the application/service the solution?? (like OWASP AppSensor) https://www.owasp.org/index.php/OWASP_AppSensor_Project
Well, it may well be; it is definitely part of the answer [sadly, a lot of orgs also really suck at appsec; way worse than netsec and system security]
@anton_chuvakin: Local grocery installed new PoS. I tried pay w phone. Failed! Fuck that shit – credit card so much easier! And it works!
I agree, fuck that shit!
Dr. C:
Which side is fucked up as yours?
PVD
Well, one side is endpoint, another is network.
Couldn’t agree more…. To get out of living in their security data silos, first folks have to get out of their mental silos….
“Security analytics should also go across and incorporate logs, traffic (packets, session metadata) and endpoint data (EDR / ETDR style) – and also application monitoring data”
Matt, thanks for the comment – indeed, this is emerging as one of the minor themes in the paper.