Blog
Jan 14, 2012
Utilize punk rock concepts to improve your security program
While I am a fan of embracing these ideals in general, this article is directed specifically at using the ideals of the punk rock movement to improve your security program. I came upon this idea after hearing that our budget had gotten slashed yet again, despite demand and risk vectors increasing. While not everyone will be in the same situation, I do believe it never hurts to embrace these.
- Non-conformity - If you've attended a security conference recently, you've heard the example that there are no silver bullets in security. It's a fact that, while depressing, and in spite of the number and cost of commercial products increasing annually, cannot be ignored. My example of conforming when it comes to security is adopting a program that is focused solely on compliance check marks, and less on broad, comprehensive programs that produce what is truly valuable to the company.
Magazines, vendors, and even the buzzwords that senior-level management are fed all lead to directives to buy more to meet a check mark, when really we are inundating ourselves with products that hardly work, while adding load onto what we're expected to do every day. Until there is mass adoption of the ideas starting to be spread by the Penetration Testing Execution Standard, your program is better off not following suit. If you do conform, you're spending hundreds of thousands of dollars to comply with regulations that are too loose and don't really protect your assets.
- Lo-fi - One of the greatest aspects of the punk rock culture is that you don't have to have expensive gear or tons of experience to participate, just the drive to contribute and make yourself heard. I work in an understaffed team due to budget constraints, which leads to the jack-of-all-trades, master-of-none pitfall. We need to convince our management to let us change our ways so that we do have the expertise, but to do this without additional staff or budget, we rely only on our drive to keep up.
When you have a smaller staff, it's easy to see that management would rather spend money on expensive pre-packaged solutions than on staff, because at the end of the day they only care that they can be compliant. I'm recommending that you add to your evaluation process the questions that aren't typically asked:
1. How many staff members will we need to administer this?
2. How customizable is the product? Can it be tailored to meet our needs or interact with existing infrastructure?
3. Does it have an API that we can leverage to allow for it to completely meet our needs instead of only meeting 60-80% of them?
Asking questions like these (assuming you get honest answers back) allows you to weigh the options better. Would it be more cost effective to leverage existing open source projects and a little development time to create your own solution? While management doesn't always support development during busy schedules, any solution that you acquire will have time and resources dedicated to learning, implementing, and administering it. You may find in some cases it's easier to dedicate one person to developing a solution for a week rather than tying up different groups over the same amount of time to get a product integrated. Lo-fi is lower cost in terms of time and money, and usually solutions that you create or leverage on your own don't leave you stranded when you need that extra 20-40% of features that commercial offerings aren't providing you.
- DIY - The reasons above all lead into do it yourself. No two companies are the same (with the exception of chains with branches). As such, why do we allow vendors to sell products to us with examples that the solution works great for a list of other companies? One thing that didn't jump out as obvious to me until recently: for the vendors that do show their client lists, don't be wowed by the client; consider what their security budget is compared to yours. Take yours divided by theirs and you get a percentage. While rough and without hard numbers, I propose that this percentage represents the product's effectiveness in your environment.
We've allowed the industry to mold security teams into looking for solutions that instantly resolve issues, despite knowing that the attacks that are more likely to cripple the business won't get stopped by one piece of protection alone. To achieve proper protection, you have to build your own solution. I'm not opposed to utilizing products in your own solution, so long as the product is only one part of it. The overall solution should be your design, for every service you need to provide, or protection you need to ensure. You likely won't have time to develop your own anti-virus, but you might have time to write some code that passes potentially at-risk files through multiple scanning tools to get more complete results.
Lastly, I feel like often we resort to buying packaged solutions with the thought that they are the easier option. On average with all products I've found that you have the initial implementation phase, a period of gaining more familiarity and tweaking, and then with most products you eventually reach the point of outgrowing it. Some products allow ways to scale or extend, and that's great; it buys you more time. Ultimately, however, I think putting in the time to build what is right for you has the most benefit. You get something that is providing you more of what you need, in most cases you are freeing up budget instead of spending it all, and you have something that is tailored specifically to your business needs.