Vintage Post from the Summer of 2021
It’s too damned hard.
Admit it.
After what seems like a million white papers, positioning briefs, eBooks and blog posts explaining the myriad hyped point solutions for the exploding volume of cyber-crime, the truth is, it’s too damned hard.
The tools that companies buy to ‘solve’ the cybersecurity problem are too complicated to deploy correctly, and so they end up on shelves.
Very often, zero value is extracted.
Why?
It’s too hard.
Patching sounds easy, but not to experienced engineers who have actually patched a Microsoft estate. Try patching a production Windows server sometime and call me if you have questions.
The interconnections grow each quarter: differing versions of .NET Framework, Active Directory schemas, delivery and transport agents, Teams, Azure AD, OneDrive, SharePoint clusters, and so on.
We have achieved peak complexity.
And it’s not Microsoft’s fault any more than it is Fortinet’s or Palo Alto’s.
The truth is we cannot support what we have today, let alone any additional layers or landscape shifts: edge computing, SASE, 5G, Wi-Fi 6, advanced microsegmentation, AI, multi-cloud, or intent-based networking.
“But those are all the new, cutting-edge and cool technologies that will enable us to achieve digital transformation, climb to the Industry 4.0 stars and glimpse the Promised Land,” say the champions of progress.
Progress?
Since 2017, we have rushed to push products out to the network perimeter, and then, when COVID-19 hit, that perimeter disappeared.
Engineers worked hard to apply those patches, but through that exercise the green curtain blew open and revealed a living nightmare.
And while we are frantically trying to keep pace with the threats, the threats keep morphing and growing in complexity and sophistication.
The last twelve months have been littered with progressively maturing attacks: starting with SolarWinds and Accellion, continuing through Colonial Pipeline and JBS, and most recently the well-prepared supply-chain attack on Kaseya, launched the Friday before the July 4th holiday weekend, which went in through Internet-facing VSA servers and used the product’s own remote-management channel to push ransomware down to the customers of managed service providers.
That attack was enabled by a zero-day authentication bypass in the VSA server and by the antivirus exclusions Kaseya required for its agent’s working directories so that it could push updates unimpeded; the ransomware arrived disguised as a VSA agent hotfix.
In other words, Kaseya engineered its own disaster.
So, while we are busily patching our way through this dense network of layered goodies, a topology I would challenge any company to explain, why aren’t we looking closely at the design of the third-party products we routinely depend on to manage our system and network assets?
Why don’t we?
If the size of the problem space isn’t obvious to everyone, we have an even larger problem.
No magic security beans will make this problem disappear.
So, what do we do?
There’s only one answer.
And, no one will like it.
Network down.
I spent four hours Sunday morning with two network techs from Cox, trying to recover an Internet connection from a storm-related Cox outage the night before.
I am not a network engineer, but I might be the next best thing.
I rebooted everything I could find to reboot, and reconfigured my router.
I reset my modem.
I rewired my closet.
After 20 failed attempts, we finally came back up.
Do you know why?
Of course, you don’t, but neither did the two Cox network engineers.
After a long discussion, the lead said, “Well, you know – sometimes these things just work that way – it’s quite a mystery, really.”
Seriously?
Four years ago, we could troubleshoot a problem in ten minutes.
That outage is a mirror of the complexity we have committed to, and it shows up everywhere.
When you can see the picture from a few thousand feet above, the threat landscape unfolds quite clearly and you are compelled to draw a few conclusions:
1) defending against these threats, given our current infrastructure, networks, third-party products and systems, and the backlog of known vulnerabilities in Microsoft and other leading vendor products, is impossible;
2) we are substantially under-resourced and under-skilled;
3) the environment will only get more challenging; and
4) there is no silver bullet, no magic beans, no knight in shining armor.
Our only hope is education. We have embarked on a massive program here at ISMG to build a Learning Experience so compelling that practitioners who now log into LinkedIn every morning will instead log into CyberEd.io with enthusiasm, seeking the education and information we will provide daily through our master classes and conversations. Even so, I am pretty sure that selling this to F500 consumers will be a tough slog.
It shouldn’t be, because it is the only way we will ever make any progress against the beast from hell, but resistance lurks at every corner. When I figure this out, y’all will be the first to know. In the meantime, we will never give up.
Author
Steve King
Managing Director, CyberEd
King, an experienced cybersecurity professional, has served in senior leadership roles in technology development for the past 20 years. He has founded nine startups, including Endymion Systems and seeCommerce. He has held leadership roles in marketing and product development, operating as CEO, CTO and CISO for several startups, including Netswitch Technology Management. He also served as CIO for Memorex and was the co-founder of the Cambridge Systems Group.