In 2018 I spent an exceedingly large amount of time arguing with managed care attorneys. I was representing a healthcare company that didn't fit traditional classifications, and in turn, "lively discussions" around traditional security requirements were occurring constantly.
In one particular call, we discussed their requirement for an around-the-clock, eyes-on-glass SIEM solution before our $5-million contract could start. This requirement was overkill for the operation, and it was my job to convince them of that.
Eventually, they backed off the around-the-clock, eyes-on-glass requirement, but they still insisted on a traditional SIEM solution. Their recommendation was for us to use a company called SolarWinds.
I had concerns for TWO main reasons:
- We had already built top-tier solutions for security monitoring
- More importantly, I wasn't (and still am not) fully comfortable adding additional parties where someone else has control and there is no visibility into their security practices
Their response: "SolarWinds is used by DOD, FBI and almost all Fortune 500 companies, I promise you their security is better than yours."
Recognizing I had to bend on this particular requirement, I agreed. However, I wanted to be on the record noting that I didn't believe SolarWinds' solution was better, and, more importantly, to point out that they ARE a bigger target, which made me uncomfortable giving them access to our network and data.
Fast forward to 2020 and SolarWinds is now the source of what, in my opinion, will be seen as the largest security breach to date. Having Microsoft source code stolen is hugely problematic in so many ways that I'd need a whole other blog post (or ten) to detail. Then came the US Government agencies breached. And the more time passes and the more info we uncover, the worse it gets.
This is reminiscent of this year's FBI alert about source code stolen through exposed SonarQube instances (and reminiscent for me personally, because in other discussions over SAST testing requirements a different set of MCO attorneys suggested we use SonarQube).
This topic will probably be controversial for certain vested interests, so let's get a disclaimer out of the way. If you are a Fortune 500 company, a large government agency, or part of an "IT security company," this post isn't for you. This post will be beneficial for healthcare companies that are not hospitals/doctors' offices/pharmacies, generating $50-$200 million in revenue.
Disclaimer out of the way, onto the real controversial statement.
The currently unfashionable practice of "security through obscurity" (when combined with other key security measures) is prudent and needs to make a comeback.
If you're still reading you are probably: 1) vehemently opposed to that statement and looking for a pitchfork, 2) in agreement with me (very unlikely), or 3) unsure what I'm talking about.
So for the third group, security through obscurity is the old belief that there is security in no one knowing your source code and your technology apparatus.
For the pitchfork folks, before we go too far, I am not saying that "security through obscurity" should be the only security measure. Rather, we increasingly find that attack vectors come through adding services (yes, even security services) to one's network, and maybe as serious IT professionals we should consider limiting the number of entities on our network for the sake of security. Every service you add, especially a monitoring agent that needs broad privileges and a vendor update channel, is one more party whose security practices become your own. This principle applies doubly to small and medium-sized companies.
Blindly adding services on top of one another is like adding more entrances to the White House without adding security precautions for each new door. In short, you're asking for trouble.
You need a solution that thinks through the most cost-effective (emphasis on effective) method of security. You need a solution that looks at your company's entire landscape and makes the best decisions to keep your data safe. You need a solution that doesn't just regurgitate industry jargon like "standards" and "best practices," especially since every business is different and has its own specific needs. With these ideals in mind, Vy can not only ensure an effective, tailored security solution, but we can usually implement it at a lower total cost. Truly a win-win.
Maybe your operation needs incredibly well-hardened software with a limited attack surface. If that is the case, Vy would love to have a conversation with you.