One Article Review
| Source |  taosecurity |
|---|---|
| Identifiant | 1130914 |
| Date de publication | 2019-05-29 09:55:00 (vue: 2019-05-29 16:00:38) |
| Titre | Know Your Limitations |
| Texte |  At the end of the 1973 Clint Eastwood movie Magnum Force, after Dirty Harry watches his corrupt police captain explode in a car, he says "a man's got to know his limitations."I thought of this quote today as the debate rages about compromising municipalities and other information technology-constrained yet personal information-rich organizations.Several years ago I wrote If You Can't Protect It, Don't Collect It. I argued that if you are unable to defend personal information, then you should not gather and store it.In a similar spirit, here I argue that if you are unable to securely operate information technology that matters, then you should not be supporting that IT.You should outsource it to a trustworthy cloud provider, and concentrate on managing secure access to those services.If you cannot outsource it, and you remain incapable of defending it natively, then you should integrate a capable managed security provider.It's clear to me that a large portion of those running PI-processing IT are simply not capable of doing so in secure manner, and they do not bear the full cost of PI breaches.They have too many assets, with too many vulnerabilities, and are targeted by too many threat actors.These organizations lack sufficient people, processes, and technologies to mitigate the risk.They have successes, but they are generally due to the heroics of individual IT and security professionals, who often feel out-gunned by their adversaries.If you can't patch a two-year-old vulnerability prior to exploitation, or detect an intrusion and respond to the adversary before he completes his mission, then you are demonstrating that you need to change your entire approach to information technology.The security industry seems to think that throwing more people at the problem is the answer, yet year after year we read about several million job openings that remain unfilled. This is a sign that we need to change the way we are doing business. The fact is that those organziations that cannot defend themselves need to recognize their limitations and change their game.I recognize that outsourcing is not a panacea. Note that I emphasized "IT" in my recommendation. I do not see how one could outsource the critical technology running on-premise in the industrial control system (ICS) world, for example. Those operations may need to rely more on outsourced security providers, if they cannot sufficiently detect and respond to intrusions using in-house capabilities.Remember that the vast majority of organizations do not exist to run IT. They run IT to support their lines of business. Many older organizations have indeed been migrating legacy applications to the cloud, and most new organizations are cloud-native. These are hopeful signs, as the older organizations could potentially "age-out" over time.This puts a burden on the cloud providers, who fall into the "managed service provider" category that I wrote about in my recent Corelight blog. However, the more trustworthy providers have the people, proc |
| Envoyé | Oui |
| Condensat | in 1973 2003 2018 about access actors adversaries adversary after age ago answer applications approach are argue argued assets bear been before bejtlich blog blogspot breaches burden business but can cannot capabilities capable captain car category change clear clint cloud collect com completes compromising concentrate constrained control copyright corelight corrupt cost could critical debate defend defending demonstrating detect dirty doing don due eastwood emphasized end entire everyone example exist explode exploitation fact fall feel force full game gather generally got gunned handle harry have here heroics his hopeful house how however ics incapable indeed individual industrial industry information integrate intrusion intrusions job know lack large legacy limitations lines magnum majority man managed managing manner many matters may migrating million mission mitigate more most movie municipalities native natively need new not note often old older one openings operate operations organizations organziations other out outsource outsourced outsourcing over panacea patch people personal place police portion potentially premise prior problem processes processing professionals protect provider providers puts quote rages read recent recognize recommendation rely remain remember respond responsibilities rich richard risk run running says secure securely security see seems service services several should sign signs similar simply spirit store struggling successes sufficient sufficiently support supporting system taosecurity targeted technologies technology than themselves then these think those thought threat throwing time today too trustworthy two unable unfilled using vast vulnerabilities vulnerability watches way who world wrote www year years yet your |
| Tags | Vulnerability Threat |
| Stories | |
| Notes | |
| Move | 
|
L'article ne semble pas avoir été repris aprés sa publication.
L'article ne semble pas avoir été repris sur un précédent.