Gartner Blog Network

How Much of Your Security Gear Is Misconfigured or Not Configured?

by Anton Chuvakin  |  February 23, 2018  |  3 Comments

Now that we are truly done with SOAR, our Testing Security project continues in full force. This post is a bit contemplative, and related to the question of ‘why test security if we are >>oh-so-sure<< that we did things right here?’

From my very first days doing security, I’ve heard the mantra that a good pentester always gets in.” Sure, of course, fine, OK. Perhaps this was true in 1998 and it is true in 2018. Along the same lines, an insightful BAS vendor [that shall remain nameless here as per my policy of not mentioning vendor names on this blog] shared that every time they POC their threat simulation (BAS) tool at a new prospect environment, they find glaring holes. Mind you, he didn’t say 76.3% or something – but every time. And, also, this applies to organizations with 9-digit … count ‘em, NINE … security budgets.

Now, you recall that I often lament that organizations blow the budget on the “boxes” and then not have any money left to hire the good people to run them. This would apply to SIEM, DLP, UEBA, NTA, EDR, etc – namely to security technologies with ongoing operations process requirements, typically in my beloved detection, intelligence and monitoring domains.

However, this is NOT my point here. The point here is a lot of preventative [as well as detection and other] security technologies is misconfigured, not configured optimally, set to default or deployed broken in a miriad other ways. And it is rather the norm, not the exception!

From many sources, we hear stories that even “legacy” anti-malware configured by an expert is known to outperform the “next-gen” stuff running with default settings. Stories of DLP projects deployed for prevention – with prevention features never enabled. Stories of NIDS sitting on disconnected taps. Stories of SIEM with collectors crashed months ago.

People, this shit is all over the place! Beware!!

Rather, not beware but … TEST, and do NOT ASSUME!!!

P.S. This post is partially inspired by this bit of excellent reading.

Blog posts related to this project:

Category: security  testing  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio

Thoughts on How Much of Your Security Gear Is Misconfigured or Not Configured?

  1. […] How do you know your processes to maintain devices and software inventories are working? What about the hardening, vulnerability management and privileged access management processes? How confident are you that they are working properly? […]

  2. LonerVamp says:

    *pounds the lectern as the crowd cheers!*

Leave a Reply

Your email address will not be published. Required fields are marked *

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.