Monday, November 7, 2011

Agile Security Manifesto #9 - Security is Not an Aggregation of Policies or Checkboxes

“I’m secure; I’ve got a firewall and an endpoint suite deployed” - that is the answer many business owners give in response to the question: are you secure? It is a predictable answer across vertical industries, following a compliance checklist: Firewall? Check. Endpoint protection? Check. IPS? Check. SIEM? Check. GRC process? Check. Plus, sometimes, the over-hyped buzzword-bingo box du jour... check. Agile Security isn’t just checking all of these functional boxes, nor is it implementing these individual capabilities. It’s a holistic, strategic approach to dynamic, flexible protection.

Enterprises today are working with antiquated processes, complex outsourcing relationships, and siloed decision, planning, and buying structures. The result of this mix is a system more suited to telling leadership that the process or policy didn’t screw up the checkboxes than to keeping the organization secure from attack. Today’s security posture is more preoccupied with minimizing change than with real-time deployment of countermeasures. The benchmarks for security success are all focused on yesterday’s problems.

Before you think this is just another ‘glass-is-half-empty’ view of security today, consider the successes adversaries are having targeting highly controlled systems like satellites and military drone aircraft. We can no longer argue that the so-called state-of-the-art security is good enough. The world today faces a more fundamental challenge, however.

The real challenge is the belief that an ever-expanding and complicated set of policies, each evolving on its own functional path, held together by the “glue” of compliance and event-management integrations, will lead to better security. The reality is that enterprises can make all of these investments in controls and still succumb to a targeted threat despite their many policies. The adversary is well-versed in the tactics of enterprises and their propensity towards the status quo.

Organizations today are struggling to reduce risk and maximize protection. They have a firewall access policy, a Web filtering policy, a DLP policy, a system/endpoint policy, etc. All of these policies help to reduce the surface area for potential attacks, but they don’t stop attacks, because the bad guys will find a way to get around policy controls (or, perhaps, already have!). Today’s attackers are like ants: no matter what you do, they will find a way in.

Barriers don't stop all ants from getting into a dwelling.

Enterprises and the security industry together need to adopt an agile frame of mind. Security is not a firewall; it is not policy; it is not “checking the box.” It is not one thing and can’t be made to be one thing. It’s a suite of coordinated capabilities that are leveraged to minimize risk and maximize protection, and that remain responsive to the dynamic environment they serve. Sourcefire has been focused on a holistic, agile approach to security for many years, delivering the world’s most flexible detection engine paired with innovations in awareness technologies and centralized management that let you see, in real time, beyond mere policies, and understand and adapt to what is really going on in the real world.

How do you respond to changes? Are you relying only on policies to keep the ants out? How do you know you are really minimizing risk and maximizing protection beyond your policies?
