5 Key Points in selecting your Security Vendor
Technical and infrastructure readiness is important for every organisation's cyber security. How do you select the best vendor for the journey?
Many organisations ask the question "Are we secure?" The best answer I can give is that security is never a destination; it is always a journey.
Checking your health at key milestones in this journey is required to understand whether you are really secure. Among the many factors, a few key points have the most impact when selecting your security vendor.
1. Core Competency
If your All-in-one Printer blocks scanning of documents labelled CONFIDENTIAL, try turning the document 90 degrees and see if it works. How many times have we seen firewalls, Intrusion Prevention Systems (IPS) and Antivirus (AV) products pass files that violate policy under increased load? Many devices perform as expected under normal network traffic conditions but degrade sharply with mixed or real traffic. How many times have we seen security consultants demonstrate a lack of hands-on experience in real-world scenarios? The idea is that we must look for the results of extensive testing and for how much real-world exposure the product or service actually has. It is important to get previous customer testimonials and understand the vendor's product testing mechanisms. If it is a consultancy service, have they applied similar practices in their own organisation? Have they ever tried to live the life they recommend? If the core functionality of the service or product is questionable, moving forward with it will create problems in the long run.
2. Logging
This is about whether the device or solution keeps a correct and consistent record of activity: who did what, and when. Logging is sometimes inaccurate, sometimes inadequate, and sometimes absent altogether. IPsec VPN, network IPS and anti-malware products are reported to have the lowest scores for logging. One of the most interesting observations about logging is that it is extremely difficult to fix in a device unless it was well built from the start; retrofitting logging capability requires immense re-engineering. At the same time, organisations typically discover this only during an incident or an investigation. The mindset among vendors and users that logging is useless, just a compliance exercise, contributes significantly to organisations failing to identify and respond to incidents effectively.
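A pre-incident check of this kind, as an added example that is not part of the original article: it audits a handful of constructed key=value records for the "who, what, when" elements and reports which records fall short, so the gap shows up before an investigation rather than during one. The field names (`user`, `action`) and the timestamp format are assumptions, not any particular product's log schema.

```python
import re

# Constructed sample records in a key=value style; not taken from any real product.
SAMPLE_LOGS = [
    "2024-03-01T10:15:02Z user=alice action=login src=10.0.0.5 result=success",
    "2024-03-01T10:16:40Z action=policy-change object=rule-12",   # no actor
    "user=bob action=logout src=10.0.0.9",                         # no timestamp
    "2024-03-01T10:20:00Z user=carol src=10.0.0.7",                # no action
    "2024-03-01 10:21:00 user=dave action=login result=failure",   # time has no zone
]

# "When" must be an ISO 8601 instant with an explicit zone (Z or offset) so that
# events from several devices can be ordered reliably during an investigation.
TIMESTAMP_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})\s"
)
KV_RE = re.compile(r"(\w+)=(\S+)")  # assumed key=value field syntax


def audit_record(line):
    """Return the set of who/what/when elements missing from one record."""
    fields = dict(KV_RE.findall(line))
    missing = set()
    if "user" not in fields:          # who: the acting identity (assumed key)
        missing.add("who")
    if "action" not in fields:        # what: the operation performed (assumed key)
        missing.add("what")
    if not TIMESTAMP_RE.match(line):  # when: zone-qualified timestamp at line start
        missing.add("when")
    return missing


def audit_logs(lines):
    """Audit every record; return per-element failure counts and the complete count."""
    counts = {"who": 0, "what": 0, "when": 0}
    complete = 0
    for line in lines:
        missing = audit_record(line)
        if not missing:
            complete += 1
        for element in missing:
            counts[element] += 1
    return {"records": len(lines), "complete": complete, "missing": counts}


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        gaps = audit_record(line)
        print("OK " if not gaps else "GAP", sorted(gaps), line)
    print(audit_logs(SAMPLE_LOGS))
```

Run against a day of real export from a candidate device, the summary line is a quick way to compare vendors on this point before purchase.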
3. Product Security
Are security devices subject to vulnerabilities? Yes. According to ICSA Labs, 40% of the security devices they have tested are subject to vulnerabilities. I have observed instances of Web Application Firewalls (WAF) vulnerable to cross-site scripting (XSS), SQL injection and buffer overflows, and unencrypted admin interfaces in both WAF and network firewall products. Many of the security problems in SSL VPNs trace back to the OpenSSL toolkit, whereas IPsec VPN shows fewer security violations. Being a security product does not mean having fewer vulnerabilities; the device you install to close vulnerabilities may itself open new ones. It is essential to carry out a post-implementation review, along with periodic device diagnostics and vulnerability assessments, to reduce the exposure.
4. Default Setup
This concerns whether the product's default settings take security into consideration. Most devices' out-of-the-box configuration does not reflect leading security practice. A product may enable by default features that it should not, and leave disabled features that it should enable. For example, firewalls are expected to block traffic traversal at startup and to disable unwanted remote administrative services by default, but not all do. The same applies to SIEMs, where most of the tuning and use cases require work after implementation. But organisations often do not clearly understand the necessity of moving on from the default vendor setup to a customised and optimised configuration that best fits the business requirements and risk appetite of the organisation.
5. Revision and Patching
This covers the minor updates and patches deployed between major version changes. Approximately 20% of products fail in this area. For some security solutions, patching is almost as important as the core function: for example, antivirus that does not incorporate new virus definitions is almost useless, and IPS is equally reliant on a continuous flow of new attack signatures. All products require firmware updates and software patches to remain viable in the long run. It is important to identify and monitor how frequently the vendor releases patches, and how critical they are, by analysing historical data and contractual terms. A product that does not evolve will not meet security requirements going forward by any means.