I started by breaking down my security technology into two parts: active and passive security. I define passive security the way many companies do: passive security implements controls on the network with static devices that are configured once and then passively block or control network traffic. Some of the devices on my list are:
- Firewalls
- Intrusion detection/intrusion prevention (IDS/IPS) systems
- Web application firewalls (WAFs)
- Distributed denial of service (DDoS) tools
- Logging services
All of these technologies are deployed, configured and forgotten. Firewall rules are configured and then remain static. IDS/IPS devices have rule sets enabled by group or category and are then left to monitor traffic. Although a WAF should be reconfigured often in response to new threats, most companies lack the skills to keep updating its rules and configure only the most basic protections, such as rules covering the OWASP Top 10 categories. In this context, a WAF is a passive security tool, not an active one.
Anti-DDoS tools are also passive for smaller companies because they are configured to perform rate-based inspection and, possibly, protocol validation and some content inspection. Anti-DDoS appliances trigger a response once configured thresholds are exceeded and may then filter the traffic that matches the configured rule base. Finally, log servers are configured once and then simply collect and store the data from the security infrastructure.
I exclude VPN and authentication services from this security portfolio. Remote access has long been a high-priority security topic, but with the rise of mobile devices it has become so vital to modern business that it is now a design topic in its own right.
I define active security tools as those that require constant intervention and change because they proactively alter the security posture. A passive security tool enforces security policy, while an active tool adapts security policy to changing conditions. My list of active tools is:
- Network and firewall audits to validate good practices and configuration
- Process reviews of firewall rule approval
- Penetration testing and vulnerability scanning
- Application testing for security holes
- Development practices that produce secure, low-risk code
Obviously, my list of active security tasks isn't a list of products. Tools exist to help deliver these services, but they require people to carry out the tasks and review the results. Viewed this way, it seemed clear that passive security is easy to design and implement, but active security requires a different approach, including the recognition that IT security is a moving target that needs ongoing involvement from people.
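As an added illustration of what one of the active tasks above, a firewall audit, looks like in practice, here is a small Python script written for this page (it is not a tool the post refers to, nor any vendor's code). It reads a rule export in a simple, constructed whitespace-separated format and produces the list of findings a person then has to review: rules that accept any service from any source, rules that permit unrestricted egress, rules that have never matched traffic, rules marked temporary that were never removed, and rules shadowed by an earlier rule so they can never match. The rule format, the addresses and the rule names are assumptions made for the example; real firewalls export different formats and would need their own parser.

```python
"""Firewall rule audit (added example, not from the original post).

Assumes a constructed, vendor-neutral export: one rule per line with
name, action, source CIDR, destination CIDR, protocol, port, hit count
and a free-text comment. Rules are evaluated top to bottom, first match
wins, which is what the shadowing check relies on.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    proto: str    # "tcp", "udp" or "any"
    port: str     # port number as text, or "any"
    hits: int     # match counter exported by the firewall
    comment: str


# Constructed sample ruleset with hypothetical addresses and rule names.
SAMPLE_RULESET = """\
# name         action src             dst            proto port  hits   comment
web-in         allow  0.0.0.0/0       10.0.1.10/32   tcp   443   812345 public web
web-in-partner allow  203.0.113.0/24  10.0.1.10/32   tcp   443   0      partner portal
ssh-mgmt       allow  10.0.9.0/24     10.0.1.0/24    tcp   22    1203   admin jump host
temp-vendor    allow  0.0.0.0/0       10.0.2.5/32    any   any   0      TEMP vendor access
legacy-db      allow  10.0.3.0/24     10.0.4.20/32   tcp   1433  0      old ERP
any-out        allow  10.0.0.0/8      0.0.0.0/0      any   any   99182  outbound
deny-all       deny   0.0.0.0/0       0.0.0.0/0      any   any   55120  cleanup
"""


def parse_rules(text):
    """Parse the assumed export format; blank lines and '#' comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 7)          # the 8th field keeps the whole comment
        name, action, src, dst, proto, port, hits = fields[:7]
        comment = fields[7] if len(fields) > 7 else ""
        rules.append(Rule(name, action, src, dst, proto, port, int(hits), comment))
    return rules


def _is_any(cidr):
    """True for 0.0.0.0/0 (or ::/0), i.e. the rule does not restrict the address."""
    return ip_network(cidr).prefixlen == 0


def _covers(outer, inner):
    """True if every packet matching `inner` would already have matched `outer`."""
    return (
        ip_network(outer.src).supernet_of(ip_network(inner.src))
        and ip_network(outer.dst).supernet_of(ip_network(inner.dst))
        and outer.proto in ("any", inner.proto)
        and outer.port in ("any", inner.port)
    )


def audit(rules):
    """Return (rule name, finding) pairs for a human reviewer to act on."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "allow":
            if _is_any(r.src) and r.proto == "any" and r.port == "any":
                findings.append((r.name, "allows any service from any source"))
            if _is_any(r.dst) and r.proto == "any":
                findings.append((r.name, "permits unrestricted egress"))
        if r.hits == 0:
            findings.append((r.name, "zero hits: candidate for removal"))
        if "TEMP" in r.comment.upper():
            findings.append((r.name, "temporary rule still present"))
        # A rule is shadowed if some earlier rule already matches everything it would.
        for earlier in rules[:i]:
            if _covers(earlier, r):
                findings.append((r.name, f"shadowed by earlier rule {earlier.name}"))
                break
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_rules(SAMPLE_RULESET)):
        print(f"{name:15} {finding}")
```

On the sample export the script reports nothing for web-in, ssh-mgmt and deny-all, and flags web-in-partner (shadowed by web-in, zero hits), temp-vendor (any service from any source, zero hits, temporary), legacy-db (zero hits) and any-out (unrestricted egress). None of that is new information to the firewall; it is all sitting in the static rule base. The active part is that someone has to run the check regularly and decide what to do with each finding.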
When it came to allocating the budget, I invested in passive security. I have to have these services in place; passive security is a mandatory requirement. But really, I needed to invest much more in active security to reach an acceptable security posture. I have found the whole area of active security products and services to be immature: few products exist, and they are all overpriced; features are poor, and flexibility is abysmal. At the time, every vendor pitched "fear, uncertainty and doubt" to me.
I also had some discussions with security "professionals" about what sort of people I would hire to perform the work. Frankly, I was unimpressed. These so-called security professionals had very little talent or experience in core competencies like time management, communication and business awareness, and they wanted to focus on passive security skills rather than practical issues.
In the end, I couldn't recommend an active security strategy. I couldn't hire the right people or reasonably provide the tools they needed to get the job done. Conclusion? The security profession is in a mess: no tools, poor skills and bad attitude across a wide range of people. It's time to be worried.