There is a cyber poverty mark that plagues the cyber security industry. The Global 2000 and the federal government have budgets that allow them to build strong defenses, hire large teams, and perform full and complete investigations. In this talk, we discuss what can be done if your cyber security budget has been cut, or is extremely limited to begin with.
Let’s go ahead and make the distinction up front between the cyber-rich and the cyber-poor. I’m not using these terms to pit groups against each other or to be derogatory towards one group. It’s just a fact that the Global 2000 and the federal government can afford better security tools and more talent than the hundreds of thousands of other companies out there. However, even their budgets get slashed.
It’s important to recognize that cyber poverty exists and that it’s a problem. It’s not just a problem for the business that can’t afford the best security tools; it’s a problem for the consumers of their products, and that consumer may even be a company that is part of the cyber-rich. If you are one of the cyber-rich, that’s great. However, I’m sure you work with plenty of outsourced vendors that are cyber-poor, and this creates a gap in your security program.
So, what can be done when you have little to no budget? How can you build a strong cyber security program within tight constraints? Well, it’s going to be a large undertaking and it won’t happen overnight, so learn to enjoy the process of building or rebuilding your program.
Open Source Software
Okay, let’s start with Open Source Software. I’m definitely not an open source expert, so I’m just going to talk about some of the software that’s been around for a while.
Let’s talk about the upsides of open source software. The biggest one is that it’s free. Another is that it is monitored by a community of security experts, the people that use the tools day in and day out. A lot of these experts even contribute to the code. The downside is the lack of support. However, this may be supplemented with a partner. Another potential downside is that the code is open to another level of security experts, but unfortunately, they are your adversaries. Having exposed code allows them to find zero-day exploits more easily. It also allows them to better understand how to subvert the tool. We can work around this by using layers of open source software to fill in gaps in commercial products. I wouldn’t recommend having a completely open source security tool program, but supplementing with it in areas you can’t afford to cover.
The important thing to keep in mind when looking into open source tools of any sort is that there will be a time trade-off in implementation and support, and they really are just tools. They still aren’t much use to you and your team if you don’t have the knowledge to use them properly.
I took a dive into training in an earlier post, where I laid out why I think it’s important to take the time to train. In short, it’s important to get better at what you love doing. Before making an investment in training, make sure you take the time to research the instructors and the course.
If you don’t think you have the time to train, you probably do. You’re just making up excuses or you are spending your time doing the wrong things.
I’ve run into so many people who don’t know how to work efficiently, not just in security, but in all jobs. It’s really not something we’re taught, so I get why. I plan on writing up a whole post on working efficiently, so I’m not going to dive right into it here (I get deeper into it in the video if you need to know how to work efficiently right now).
Understand a few key points for this post though:
- Multi-tasking isn’t real. You can’t do multiple things well when you are doing them all at the same time.
- Put a system in place to get things done.
- Start your day with something that motivates and/or inspires you.
Building Your Security Program
In this portion of the talk, I really stress the importance of documenting. Start documenting things in the way that is easiest for you. This could be video, it could be audio, it could be written text. Whatever way is the easiest to get the content out of your head – start there. Once it is out of your head, you can format it in other ways for people to consume.
When you begin to build or rebuild your security program, assess the tools that you already have. They should be providing value. They should not be adding time to your day. If you want specifics on how to document your existing program in terms of ROI, check out Charles Herring’s talk “Process – The Salvation of Incident Response.”
How to Talk to Your Vendors
Vendors should be more than just the people that sell you stuff. They should be your consultants, they should be your teachers, and they should be your advocates. When working with partners to find a new solution, make sure you are asking questions about how much noise or time a new tool will add. By noise, I don’t mean how much more of your network it will illuminate. I’m talking specifically about false positives. How much money or time will you have to spend to tune out those false positives? These are all important things to know before purchase. Don’t forget, vendors lie (yes, I know I’m a vendor), so make sure they back up what they are saying with proof.
Together, we are stronger. If we learn how to share information in the appropriate way and in the appropriate settings, we can help each other to defend our networks better. Places like user groups, conferences, and meetings with partners and vendors are good places to share information and ideas with each other.
In the cyber arena, technologies like STIX, TAXII, and CybOX can help share information across geographies, departments, and countries. This can lead not only to better attribution, but to better threat prevention.
No Magic Bullet
There is not a single solution to solving this very large problem. It takes more than just technology to make these things happen and fix the problems we currently have. It takes the talent and hustle of the cyber security warrior who is taking the time to come to security conference talks and read security blog posts.