by Hank Berkley
Contributing Editor

Perfection is not achievable, yet information technology relies upon it every day. Cyber security teams deal with the small imperfections in computer software that inadvertently allow bad actors to cause the software to do things that were not anticipated. These flaws might be in the original design or in the implementation of that design. Regardless of their origins, information security today is all about protecting our assets from hackers who try to take advantage of those weaknesses.

Your security team is challenged to block 100% of the attacks on an indeterminate number of weaknesses that are as yet unknown. Anything less than a perfect job can mean a data breach or worse. It might only take a single bug or design flaw to allow a hacker to shut down your production floor. Since we know that achieving perfection all the time is not possible, how can they be successful?

The answer is that perfection cannot be achieved, but there are things that can be done to approximate 100% effectiveness. How close you come depends upon making good choices in your cyber planning and often upon how much you spend.

A principal method used to improve security results is to use overlapping solutions. In the cyber field this is often referred to as layered security, but it really means that multiple approaches are put in place. Think of a burglar alarm system. An office might have sensors on the windows and doors to detect someone entering during off-hours, but the interior might also have motion detectors in case someone gets past the sensors, perhaps by entering during regular hours and hiding when the office closes. Particularly valuable areas might have additional security such as infrared detectors and possibly cameras.

What would be inappropriate is having multiple sensors that serve the exact same purpose, such as two motion detectors, in case one fails. A failed detector is rare and is compensated for by the existence of the other types of sensors.*

Best cyber security practice is the same. Using multiple anti-virus tools that detect malware in the same basic way might provide a small marginal improvement, but having 99.9% functional duplication is not likely the best way to spend your limited resources. A common mistake that security teams make is focusing on these small increments that can be achieved by a different vendor’s product rather than looking for alternative methods that can provide a greater benefit.

As with so many things, determining the duplication and overlap of products is far easier to write about than to do. In some firms where cyber security is distributed among departments, even building an inventory of tools that are in place can be a challenge. Creating that list and then charting the risks that each one addresses needs to be done with a high-level perspective of the entire environment. The outcome should be an understanding of the amount of overlap. From that, decisions can be made to keep or eliminate tools.

But eliminating security products is not the ultimate goal. The real benefits of this analysis are (a) it may detect gaps in the overall security plan and (b) it could free up resources that could be used to cover the costs of plugging those gaps.
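One way to do the charting described above, as an added example that is not part of the original column. The tool names, detection approaches, risk labels and the 0.9 overlap threshold are all constructed assumptions.

```python
from itertools import combinations

# Constructed inventory: tool -> (detection approach, risks it addresses).
# Every name and label here is an illustrative assumption.
INVENTORY = {
    "av_vendor_a":  ("signature", {"commodity_malware", "malicious_attachment"}),
    "av_vendor_b":  ("signature", {"commodity_malware", "malicious_attachment"}),
    "edr_behavior": ("behavioral", {"commodity_malware", "fileless_malware",
                                    "lateral_movement"}),
    "mail_gateway": ("content_filter", {"malicious_attachment", "phishing_link"}),
}
# Risks the business has decided must be covered (constructed).
REQUIRED_RISKS = {"commodity_malware", "malicious_attachment", "fileless_malware",
                  "lateral_movement", "phishing_link", "data_exfiltration"}

def coverage(inventory):
    """Map each risk to the set of tools that address it."""
    cov = {}
    for tool, (_approach, risks) in inventory.items():
        for risk in risks:
            cov.setdefault(risk, set()).add(tool)
    return cov

def gaps(inventory, required):
    """Required risks that no tool in the inventory addresses."""
    return sorted(required - set(coverage(inventory)))

def duplicates(inventory, threshold=0.9):
    """Tool pairs that use the same approach and whose risk sets overlap
    (Jaccard index) at or above the threshold: functional duplication."""
    found = []
    for (a, (ma, ra)), (b, (mb, rb)) in combinations(sorted(inventory.items()), 2):
        overlap = len(ra & rb) / len(ra | rb)
        if ma == mb and overlap >= threshold:
            found.append((a, b, round(overlap, 2)))
    return found

def safe_to_remove(inventory, tool):
    """True if every risk the tool addresses stays covered without it."""
    remaining = {t: v for t, v in inventory.items() if t != tool}
    return inventory[tool][1] <= set(coverage(remaining))

if __name__ == "__main__":
    print("gaps:", gaps(INVENTORY, REQUIRED_RISKS))
    print("duplicates:", duplicates(INVENTORY))
    for name in INVENTORY:
        print(name, "removable:", safe_to_remove(INVENTORY, name))
```

A tool that overlaps another but uses a different approach, like the behavioral tool here, is a layer rather than a duplicate, so it is not flagged.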

Cyber security infrastructures do not come in a box. Each is customized to the business needs and each evolves over time. Additional tools and methods are added over time, but it is rare for firms to take a full assessment of what they have in place. The result can be an expensive and redundant environment, or worse, one that may not be offering the level of protection needed for the dollars being spent. A periodic review can reap great rewards.

* Having redundant sensors is not always wrong. The recent crashes of Boeing’s 737-Max 8 were apparently caused by the failure of a single sensor. While the sensor itself was duplicated, the software only took readings from one of them, making it a single point of failure.

