We lost the network – MUST focus on the endpoints! We lost the endpoint – MUST focus on the network! We lost the network – MUST focus on the endpoints! We lost the endpoint – MUST focus on the network! We lost the network – MUST focus on the endpoints! We lost the endpoint – MUST focus on the network!
Got a headache yet? As my security analytics research project is nearing its end, these conflicting messages have finally exploded my brain. Vendors (and, occasionally, security managers) pronounce either of the above two lines as “god-given truth” – without any awareness that the opposite message is just as powerful…
So, think about this:
| We lost the network – MUST focus on the endpoints! | We lost the endpoint – MUST focus on the network! |
|---|---|
| Anybody can connect to our network | Malware everywhere – antivirus effectiveness low |
| Business partners connect entire other networks to our network | Users click things, phishing just works, etc. |
| Many connections to the internet, some with no controls | Drive-by and browser exploits a dime a dozen |
| BYOD wifi, 3G/4G, etc. | BYOD – no control over the endpoint at all |
| Our network spans 100 countries, managed by different people, etc. | Laptops are hard to manage remotely, patch, etc. |
The existence of this paradox is explained (IMHO) by one sad reason: silos!
People who “live” on the right side (let’s call them “the network guys”) know that their side is badly broken and they hope that the grass is greener on the other side – maybe the endpoint guys would block the attack. Naturally, people who “live” on the left (let’s call them “the system guys”) know that the endpoint is infected, the user incorrigible and that the malware is pervasive, but they hope that the network guys “got it.”
Surprise! The other side is just as fucked up as yours!!!
Hey, Anton, what is the point of all this?
- Silos kill!
- Generally speaking, we lost both sides 🙁
- Security must transcend IT silos (for example, incident response cannot be constrained to a silo)
- Security analytics should also go across and incorporate logs, traffic (packets, session metadata) and endpoint data (EDR / ETDR style) – and also application monitoring data
- Those who ignore today’s realities and insist on sticking to “just better netsec” or “just next-gen AV” (or whatever other false hope on the endpoint), risk losing their only advantage – see “Defender’s Advantage”
- If you think that at your particular organization security can never bridge this gap, then either change the organization or change organizations.