Tuesday, July 20, 2021

Best Practices

The “cringeworthy” phrase that has run its course

Let’s face it; we have all used this phrase “Best Practices.” There is even a definition in Webster's dictionary, "A best practice is a method or technique that has been generally accepted as superior to any alternatives because it produces results that are superior to those achieved by other means or because it has become a standard way of doing things, e.g., a standard way of complying with legal or ethical requirements." For Security, at one time, it was the battle cry for “what needs to be done.” Salespeople love to refer to “Best Practices,” and young practitioners are empowered because they feel they “know” these as absolute truths.

In many of my discussions with people, I often find myself either quietly biting my lip or actively challenging the use of this overused phrase. Some folks understand, yet some may wonder why, for security, I find this term inaccurate (I am not alone; I know of others in the Security profession who agree).

I have spent the last 30+ years of my over four decades in IT practicing security. In that time, I have seen the evolution of our collective understanding and the growth of the craft, given the fluid nature of the development of security technologies. To illustrate my point as to why the term "Best Practices" does not accurately apply to the Security trade, I will look at log management as an example.

At an early stage in the evolution of our craft in what is now widely referred to as “Cybersecurity,” the focus was “Logging, Logging, Logging”: log everything. Then the explosion of storage requirements and log management in general became cumbersome. The control evolved into “Log Aggregation,” which then evolved further to include “normalization.” With advances in Security Event and Incident Management (SEIM) technologies, we come to log aggregation, normalization, and event correlation. Side note - Before my security purist friends call me out on the acronym choice and definition, I used SEIM on purpose, as SIEM alludes to a focus on Information and not the “incident as a whole.” The SEIM process and control now focus on collecting evidence of the related events across the enterprise while evidence of an Indication of Compromise (IoC) or Indication of Attack (IoA) is being sequestered. Simultaneously, the SEIM analysts orchestrate the Incident Response (IR) workflow (or playbook) to ensure all stakeholders complete their necessary tasks to mitigate risk to the organization. Through all this evolution, each iteration of log management was, at one time, considered “Best Practice.”

There’s that term again. What we meant was that these were practices that were best “at the time.” So, that answers one variable (“Best when?”), but now, how about “for what environment?”

Let’s look at this “log management evolution” example as it applies to the Operational Technologies (OT) environment or Industrial Automation Control Systems (IACS). We find that not until very recently was centralized anomaly alerting a real possibility. Until technologies emerged like those offered by Dragos and Nozomi Networks, which allow “out of band” OT SIEM data management to be integrated into IT EDR platforms like Tanium, it was physically impossible to perform log management activities (short of minimal manual review on a device-by-device basis). The limitations of the endpoints, coupled with the minimalist operating systems and very limited memory capacity of the Human Machine Interfaces (HMIs), Programmable Logic Controllers (PLCs), and Field Input/Output (Field I/O) devices, would not tolerate the additional burdens associated with even rudimentary security tools. So, the answer to the “for what environment?” variable is that the practices may not be “Best” across the collective enterprise. On to the next logical variable, “Best according to what Risk?”

If one were to look across the enterprise and find very low-risk assets, we must ask ourselves: are these assets worthy of the same level of scrutiny as higher-risk assets? With unlimited resources, one may conclude it is inconsequential. However, in an enterprise that closely controls resource utilization and operational overhead, the answer may be that those low-risk assets do not need to be as closely monitored. This diminished rigor requirement leads to the conclusion that universally applied log management practices may not be “Best” under all risk profiles from the perspective of resource utilization or operational overhead.

The term “Best Practices” has run its course. It is a catchphrase that seasoned security professionals question more and more, as it is very subjective. “Best,” best for whom? Best under what circumstances? Best for what risk profile?

I prefer to use more defensible terms like “leading industry-accepted standards”: standards, frameworks, and practices developed and supported broadly across the security industry. There are emerging standards and technologies, and there are established ones. The emerging technologies and standards are still on the initial climb up the Hype Cycle. Established standards and technologies have leveled out on the Hype Cycle and have been embraced broadly across the security industry. Another term I like to use is “necessary practices.” Necessary practices are those that are necessary to defend commensurately against genuine threats and risks.

Because we have been saying the “BP” phrase for so long, there will be a learning curve in re-training our vocabulary, but, in the long run, we will be much more accurate in our discussions and leave less to interpretation.
