Alfonso Barreiro warns that there are no silver bullets in security. Here are the risks of becoming too complacent in your security posture or relying too heavily on technological solutions.
It should be surprising that in this day and age there are organizations (and even security pros) that are looking for shortcuts to address their security concerns. With the "new normal" of doing more with less, the frantic pace in which attacks and countermeasures evolve, and tech media or vendors hyping new threats or products, it's easy to see why they are looking for quick solutions or silver bullets. Obtaining a silver bullet however, involves many dangers:Overreliance on vendors: In the search for a silver bullet, you might find yourself relying on a vendor (or vendors) to tell you what you need. Remember that a vendor might not have your security best interests at heart or that their definition of security does not match your actual security needs. By relying too much on a third party for your security needs you may end up relinquishing control of your security strategy. It's true that there might be security services or products best served by allowing vendors to run them, but that doesn't mean that you should give up control completely. Neglecting your security processes: Sometimes the search for a silver bullet is fueled by a need to solve a particular pain point in your security strategy. Instead of revising the process or controls involved in that particular area, by throwing technology at the problem in the hopes of eliminating it, you could actually make the situation worse by hiding the true root cause. Take, for instance, patch management: if you are having problems, you can buy and use different tools, but if you don't take the time to review your process, talk to the people involved, or assess the risk of the patches, the end result will be the same. Technology is important, but the people and the process may be more important. Security tools running on autopilot: Information security tools are not an automated 24/7 security analyst. Having "the best" product or technology will not solve your security woes without applying some thought and work to get the most of it. Most information security tools require monitoring, tuning and they must support a process. A common example can be found with log management or SIEM solutions. Just buying "log management" or "correlation" is not enough. The information regarding security incidents will probably be captured in the tools, but if they are not reviewed regularly or if actions are not taken in response to them, your security will not improve. Hubris: If you somehow manage to find your "silver bullet," you may become overconfident about your security posture and neglect your other controls. Relying blindly on your chosen solution might open your organization to different (or new) threats. When a security incident occurs, you may not be prepared to deal with it effectively or communicate appropriately with management or your customers. Just look at the many organizations whose responses to security incidents have been slow or simply irresponsible.
Instead of pursuing silver bullets in order to dismiss your security concerns or mark a box in a compliance checklist, you should be creating a security-in-depth strategy. In the end, it may be hard to accept, but in information security, there are no silver bullets.
(Well... except maybe this one.)