Trim Your Issue Tree – A Key Reason Modern Info Sec Is Broken
Updated: May 23, 2020
An “issue tree” is a term that I came up with to describe one of the core problems with the Information Security status quo.
Picture a big sturdy tree trunk. Then out of that come 5 or 6 large branches. Then each of those branches has 10 or more branches, then each of those has a few more not insignificant branches, and each of those has more small offshoots than you can count. You end up with thousands of branches.
Now imagine each one of those branches is an issue. And the reason each sprouts into more is because, just like branches, not properly addressing an issue and allowing it to persist leads to more issues.
In information security we need to have controls around those issues. But, for some reason, we insist on not addressing fundamentals and waiting for those 5-6 essential areas (our first big branches coming off the trunk) to become a thousand branches, all over the organisation, each requiring slightly different solutions, usually several organisational layers away from where we are and our direct control.
At this level, even the solutions we employ sprout little branches of their own: resources have to be taken from somewhere to operate the solutions, plus we now have to manage not just their operation, but their upkeep, configuration, certificates, etc. It all results in simply too many things to maintain visibility and control over. You end up spending more time managing security tools than security.
All you have to do is look at InfoSec job listings to see the truth in this. We’re looking for far more people that can handle tools than people that actually have security-minded thinking. Heck, the latter have been replaced completely in some areas.
It’s not just expensive having to control thousands of branches, it’s also exhausting and unsustainable. Things will slip through the cracks.
We must focus on the core branches, and control them before they sprout more issues.
Remember: In an ideal world you could solve 99.99% of InfoSec issues with the following 3 actions:
Develop interpersonal relationships. Talk with your people. Whether they be developers, architects, InfoSec, or regular users. Help them understand you and guide their work to take security into account. And let them help you understand what really goes on in your organisation. It is most certainly not whatever your reporting says.
Produce clean and tested code not susceptible to common software bugs such as buffer overflows, race conditions, etc. No more bugs, vulnerabilities, patches, exploits. Magic. This is especially true of internal and enterprise applications.
Now that you have systems made of rock-solid code, ensure systems and access are configured properly and consistently over time. No point in building Fort Knox if you leave the windows open.
And that’s it. But we’re not really doing these things (we’re certainly not allocating anywhere near the majority of our resources to them), and as a result businesses now have thousands of separate points that need information security technologies and processes around them.
This is expensive, and doomed to fail for the simple reason that it’s just too much to manage without sacrificing levels of visibility and quality. That loss of visibility will eventually lead to those solutions becoming ineffective or failing completely, often without [InfoSec] management’s knowledge.
This is why layering on more and more new flavour-of-the-month technologies cannot work. To add insult to injury, vendors and industry “experts” are now shifting to a stance that says “You can’t keep them out, it’s too complex, you have to prioritise!”
If you’d focused less than half as much effort at a lower level, by which I mean upstream, where you still only had 5-10 branches, in order to keep them from branching into thousands, you wouldn’t have to worry about prioritising; you’d have ample resources to have near-perfect control.
The solution to effective information security, while for some reason elusive to what is nearing a trillion-dollar security industry (*cough* sales *cough*), is dead simple: don’t let the issue tree grow to where you have an absolutely impossible number of branches to manage. Keep it trim.
Keeping it trim means: effective architecture that takes into account your entire estate, a secure SDLC, a well-defined operational framework, clear build standards, effective provisioning, secure consolidated IT management tools and, above all, InfoSec management that talks with everyone so they can address the real issues and not whatever some bogus reporting says.
Imagine if you had code development standards that meant your code wasn’t subject to buffer overflows or other vulnerabilities. Imagine if your architecture meant you could have consistent and easy-to-maintain access controls. Imagine you had IT management tooling and processes that ensured systems were clean and every OS, application, and database ran with least privilege. Imagine if your patching was automatic and completed within 24 hours of patches being available, including testing, because your infrastructure was designed accordingly.
The vast majority of InfoSec is finding and remediating known vulnerabilities. How about setting things up so they simply don’t happen? We know what causes these vulnerabilities; fix that. It’s easier, far cheaper, and actually effective.
No environment can be perfect; you will still have a handful of issues. But that’s few enough that you can address them comprehensively, with the best technologies, and by creating the absolute best processes and procedures for your organisation. And that last part is only possible when you have so few issue branches that you have the time to make sure they’re addressed perfectly, instead of running around like a headless chicken trying to keep 1,000 different security systems running (and missing most of what’s actually going on).
I can’t think of a single security technology that’s come out in the past ten years that addresses a problem that couldn’t just have been eliminated by sorting root causes. The problem, perhaps, is that it requires a skillset, a degree of thought effort, and a level of human involvement that the now nearly ubiquitous information security industry indoctrination doesn’t allow. Let’s change that.
Now, please, stop burning through cash, stop layering the latest “fix-everything” technology over last year’s “fix-everything” technology. No amount of AI, or correlation, or canned user awareness, or incident response, or “zero-trust security” (quadruple facepalm on that last one), or appliances of any genre is going to be as effective as shaping your issue tree to where you only have a handful of issues that can be easily and cost effectively covered.