CISO Series Newsletter
[04-13-23] Do Breaches Happen Because the Tool Fails, or the Tool Was Poorly Configured?
Defense in Depth
Security tools are supposed to do a job: alert you, protect you, or remediate an issue. But they don't always do that job, and breaches follow. Who's at fault, the tool or the administrators who configured it?
Check out this post for the discussion that is the basis of our conversation on this week’s episode of Defense in Depth co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap, CISO, LinkedIn. We welcome our guest Kenneth Foster, vp of IT governance, risk and compliance at FLEETCOR. Here’s what we discussed on the show.
A perfect storm of problems results in tools being poorly maintained. “Too hard to configure/operate becomes unmanaged/unused because there are no budgets to do so properly,” said Fernando Montenegro of Omdia. To which Karen Worstell of VMware added, “Often security controls are put in place and are not operationally sustained and regularly verified to be functioning as intended. It is a perfect storm of issues: poor control design, lack of verified implementation, and poor maintenance.”
Sometimes it’s just too darn hard to figure out how to configure these controls. “More often than not it’s poorly interpreted controls which lead to misconfigurations by humans,” said Bruno Fonseca of S&P Global. And even if you do understand the controls, it’s still not going to be easy, said Robert Thomson of Allens: “All controls need a lot of care and feeding, no matter what vendors say.”
Do vendors overplay the effectiveness of their products? “There's a widespread overestimation about the effectiveness of products,” said Ian Tibble of Seven Stones Infosec. And Dan Holden of BigCommerce noted that even vendors struggle to be experts on their own products.
The fact that we’re having this debate exposes a weakness in our own security programs. Jared Atkinson of SpecterOps noted this very issue, adding, “Knowing a control has failed is too low resolution to identify and implement the solution. Is the problem technical or is it a matter of training?” This “low resolution” can hurt us in so many ways: configuration, discovery, seeing effectiveness drift, and ultimately knowing whether what you paid for is actually doing what it’s supposed to be doing.
Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.
Thanks to our podcast sponsor, AppOmni
CISO Series Podcast LIVE!
Join us TONIGHT (Thursday, April 13, 2023) in NYC
Don't forget we're live in NYC TONIGHT and we want you to join us. Watch this quick preview that will tell you about the show, or heck, just cut to the chase and register and join us. Joining me on stage will be guests Aaron Zollman, CISO & vp, platform engineering, Cedar, and Colin Ahern, Chief Cyber Officer for the State of New York. The event is happening TONIGHT, Thursday, April 13th, 2023.
5:30pm - Doors open
6:30pm - Recording begins
7:15pm - Recording ends and drinks and food served until 8:30pm.
>> REGISTER HERE on Eventbrite <<
Thanks to our sponsors OpenVPN, SlashNext, and Votiro
LIVE! Cyber Security Headlines - Week in Review
Make sure you join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Dmitriy Sokolovskiy, CISO, Avid.
Thanks to our Cyber Security Headlines sponsor, AppOmni
Cyber chatter from around the web...
Jump in on these conversations:
"Changes that I notice in the cybersecurity job market"
"What do you see as the most desirable cybersecurity role?"
"What do startups do badly in terms of cybersecurity?"
Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:
[05-12-23] Hacking Security Culture
[05-19-23] Hacking the Software Supply Chain
[06-02-23] Hacking the Future of Risk Management
Register for them all now!
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.