Teri Radichel

A Security Tool Won’t Save You

Please stop asking me which tool to buy — ask me this instead…

A brief interruption of my series on Automating Cybersecurity Metrics.


I got a bit side-tracked with a thought today and need to address it. People keep asking me what tool to buy, or what security company they should invest in.

Summary of what’s in this post:

  • Please don’t schedule a call with me at IANS Research to ask me what security tool to buy.
  • Please don’t ask me what the next big thing is in security (for investment purposes or otherwise).
  • I’ll explain what you should call and ask me at the end if your objective is to secure your cloud accounts.
  • But first, I will explain what you should do if you are looking at buying a cloud security tool (or any security tool). Also, I covered a lot of that in my book at the bottom of this post.
  • As a bonus, I’ll tell you what I’m investing in at the end of the post (hint, it’s not security products.)

If you want to know which tool to buy to solve your particular security problem here is my advice:

1. Look at Gartner. Some vendors hate Gartner because it may not fairly and accurately judge all the tools, but it is a good starting point if you just want to “use what everybody else is using.” By the way, I warn about that in this post:

2. Read reviews. Search around on the Internet and read reviews. Bear in mind that some reviews can be manipulated, so the star rating alone is not enough. Read through the comments. All of them. Consider whether you think the reviewer’s comments are valid and fair and whether they apply to your scenario. And by the way, if you use a product, help out the community and write reviews for the products you use. I just noticed that a firewall I have written about on this blog that doesn’t have a ton of market share has very good reviews on G2:

3. Review the documentation. Before you buy a product, read the documentation. Yes, read it! For. every. product. you. buy. Understand how you will integrate with your corporate directory and what firewall rules you will need to open up to support the product. What security controls will you need to configure? Does the documentation indicate that the product will do what you need it to do? What steps will you need to take to make that happen? How long will it take to implement? Does the documentation indicate that the product is secure? Will the product introduce security gaps? Can you properly monitor it? How will you handle a security incident? How much time and effort is required to tune and support the product? Can you automate common processes? Which team will be responsible for each aspect of maintaining the product, and do you have available resources?

4. Try before you buy. Some customers call me up on a consulting call and complain that a product that is very popular won’t work in their cloud account or on their systems. They can’t install it. They have problems configuring it. It requires too many permissions or too much network access. TRY BEFORE YOU BUY. Especially if you are a large company. Find out exactly how the deployment works and what permissions you have to enable.

5. Monitor costs while testing. Monitor your cloud bills after deployment for any resources the product requires that increase your costs. One product I installed set up a KMS key in every AWS region. Perhaps I could just shut down regions I am not using at the organizational policy level instead. Talk to the vendor about optimizing the installation for reduced cost.
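As an added example (not code from the original post or from any vendor product), here is how the two checks in that step can be automated: inventory customer-managed KMS keys per region, flag the ones sitting in regions you never intended to use, estimate what they add to the bill, and generate the Service Control Policy that denies all region-scoped API calls outside an allow list. The allowed regions, the sample key inventory (constructed to look like `kms:ListKeys` plus `kms:DescribeKey` output), the list of global services exempted from the region condition, and the per-key price are all assumptions made for the example; check the current AWS KMS pricing page and extend the global-service list for your own account before using the policy.

```python
"""Added example: find security-product KMS key sprawl across AWS regions and
build an SCP that denies API calls outside an allow list of regions.

Everything below is constructed for illustration; the inventory is not
output from a real account and the key IDs are not real.
"""
import fnmatch
import json

# Regions this organization actually uses (assumption for the example).
ALLOWED_REGIONS = ["us-east-1", "us-west-2"]

# Global (non-region-scoped) services. An SCP keyed on aws:RequestedRegion
# must exempt these via NotAction or it breaks IAM, STS, Organizations, etc.
# Assumed, partial list: extend it for the global services you rely on.
GLOBAL_SERVICE_ACTIONS = [
    "account:*", "budgets:*", "cloudfront:*", "health:*", "iam:*",
    "organizations:*", "route53:*", "sts:*", "support:*",
]

# Assumed price of a customer-managed KMS key; verify against current pricing.
ASSUMED_KEY_PRICE_USD_PER_MONTH = 1.0

# Constructed sample inventory: {region: [DescribeKey-style metadata]}.
# A vendor agent has created one customer-managed key in every region;
# the AWS-managed EBS keys are there to show they must not be counted.
SAMPLE_INVENTORY = {
    "us-east-1": [
        {"KeyId": "0a1b2c3d-0000-4000-8000-000000000001", "KeyManager": "CUSTOMER", "Description": "vendor agent key"},
        {"KeyId": "0a1b2c3d-0000-4000-8000-000000000002", "KeyManager": "AWS", "Description": "Default key for EBS"},
    ],
    "us-west-2": [
        {"KeyId": "0a1b2c3d-0000-4000-8000-000000000003", "KeyManager": "CUSTOMER", "Description": "vendor agent key"},
    ],
    "eu-west-1": [
        {"KeyId": "0a1b2c3d-0000-4000-8000-000000000004", "KeyManager": "CUSTOMER", "Description": "vendor agent key"},
        {"KeyId": "0a1b2c3d-0000-4000-8000-000000000005", "KeyManager": "AWS", "Description": "Default key for EBS"},
    ],
    "ap-southeast-2": [
        {"KeyId": "0a1b2c3d-0000-4000-8000-000000000006", "KeyManager": "CUSTOMER", "Description": "vendor agent key"},
    ],
}


def customer_keys_outside(inventory, allowed_regions):
    """Return {region: [key ids]} for customer-managed keys in regions that
    are not on the allow list. AWS-managed keys are free and skipped."""
    findings = {}
    for region, keys in inventory.items():
        if region in allowed_regions:
            continue
        ids = [k["KeyId"] for k in keys if k.get("KeyManager") == "CUSTOMER"]
        if ids:
            findings[region] = ids
    return findings


def estimated_monthly_cost(findings, price_per_key=ASSUMED_KEY_PRICE_USD_PER_MONTH):
    """Rough monthly cost of the flagged keys (key storage only, not API calls)."""
    return price_per_key * sum(len(ids) for ids in findings.values())


def deny_unused_regions_scp(allowed_regions, global_actions=GLOBAL_SERVICE_ACTIONS):
    """Build the deny-by-region SCP: every action except the exempted global
    services is denied when the request targets a region outside the list."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyRegionsNotInAllowList",
                "Effect": "Deny",
                "NotAction": sorted(global_actions),
                "Resource": "*",
                "Condition": {"StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)}},
            }
        ],
    }


def is_denied_by_scp(scp, action, region):
    """Simplified evaluation of the single statement generated above: the
    request is denied when its action is not exempted by NotAction and the
    requested region is outside the allow list."""
    stmt = scp["Statement"][0]
    exempt = any(fnmatch.fnmatchcase(action, pattern) for pattern in stmt["NotAction"])
    allowed = stmt["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
    return (not exempt) and region not in allowed


if __name__ == "__main__":
    findings = customer_keys_outside(SAMPLE_INVENTORY, ALLOWED_REGIONS)
    print("Customer-managed keys outside allowed regions:", json.dumps(findings, indent=2))
    print("Estimated added cost per month (USD):", estimated_monthly_cost(findings))
    print(json.dumps(deny_unused_regions_scp(ALLOWED_REGIONS), indent=2))
```

In a real account the inventory would come from `kms:ListKeys` and `kms:DescribeKey` in each region returned by `ec2:DescribeRegions`; the functions above take that data as a plain dictionary so the logic can be exercised without credentials. Attach the generated policy to an organizational unit, not the management account, and test it on a sandbox OU first: a too-short global-service exemption list is the usual way this policy locks people out.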

6. Perform a product security assessment. Many large companies will have a team focused on assessing new vendors and products. If you are assessing a cloud vendor use the CSA CAIQ and CCM, for example. You can also hire a third-party company to perform a security review. Personally, I don’t think SOC2 compliance is enough, but it’s better than not having it. Can the company share penetration test reports? Are the tests thorough and from a qualified vendor?

If you wanted me to perform an assessment or penetration test on a cloud security product (that works in a cloud environment) I can do that for you through my company, 2nd Sight Lab, or through IANS Research if you are ok with upfront payments as I described in another post. Reach out to me on LinkedIn.

7. Use your leverage, if you have it. I wrote a report on application software security scanners as part of my degree program through SANS Institute. The vendors would not give me the time of day or let me actually TEST their products — because I was not a company with a large amount of money who wanted to make a purchase. I can’t try every product. You, on the other hand, at a large company with a budget, have leverage. Make sure you try a product before you buy it and don’t depend on a flashy demo. Get the sales engineers to answer questions and help you deploy the product. Getting their help prior to the sale will be a lot easier than after.

8. Understand what works for someone else may not work for you. You cannot accurately compare products apples to apples in a given environment unless you run each product in the environment where it will be used. Does it have coverage of your particular software languages? Does it work within your network? Will it install on the required operating systems? Does it handle mobile and IoT? Does it add too much overhead to a system or process to be feasible? Is the implementation and deployment secure, or does it introduce security gaps due to the required permissions and network needs? Don’t wait until after you purchase the product to find this out.

9. No one person has tried every security tool on the market. If someone claims to have used every tool and says they can tell you which one is best, ask them the last time they used that tool. Did they actually deploy, implement, and operationalize it hands-on, or did they only watch a sales demo or read the product literature? How long ago did they use it? What has changed since then? Or did they just run a survey and report the results of what everyone else is doing?

10. Clarify if you want someone to research a class of products for you. I can review documents, research, and make recommendations about products based on research such as talking to the vendors and reviewing all the information I just mentioned without having used a product in a production environment and operationalizing it. I sometimes do that for customers and try to clarify that up front. I keep telling the IANS reps — don’t ask me which tool to buy — but it seems like that’s what IANS clients are asking a lot.

11. If someone has hands on experience testing products it will typically be within a particular market segment and business size. There may be a few people working for a vendor that have experience testing competitor products in one narrow set of products, but it will be focused on a particular market segment and competitor size. For example, I worked at a SMB firewall company where a person tested related products of a similar variety and the particular competitors that directly competed with that vendor in the SMB market. They didn’t test enterprise products at the scale that would be required for a large company. Refer to number 4. Try before you buy is your best bet.

12. Is the person recommending the product paid to do so? Ask the person if they receive any form of compensation from the vendor they are recommending. If you ask me, I will tell you up front any compensation I have received from any vendor I speak about. Sometimes I get paid by a vendor to assess their product, but I still speak honestly about it — and hopefully help them improve the product as a result. Some people get paid to be a spokesperson for a product — and paid a lot. They don’t have to do anything but talk about the product and have not done any deep dive analysis of the product they are promoting. Be careful with those types of relationships.

13. Tools and attacks change constantly — don’t depend on last year’s analysis. I once worked at a company with a tool that detected ransomware. The tool would notice that a large amount of files were quickly being encrypted and react. The attackers changed their tactics and that one-trick pony had to change as well to keep up with the evolution of attacks. If you’re looking at a CSPM tool, how is the tool keeping up with changes by the cloud vendor? How fast do they get coverage for that new cloud feature? Do they only cover the CIS benchmarks? That’s not enough to secure your account.

14. Don’t call me to ask me what tool to buy. Although I have hands-on experience with many tools, products, and software languages, I would prefer if you do not call to ask me what tool to buy for all the above reasons. I can perform research for you or an actual assessment where I go read the documentation, try out the product, interview the vendor, and tell you what I find. That takes more time than a one-hour phone call.

I have hands-on experience and teach classes on AWS, GCP, and Azure security. Even with that, I am not going to tell every company that one cloud is right for everyone. I definitely have my favorite that I use for most things, but there are different aspects of each cloud provider that are intriguing or better in different scenarios. If you really want to know my opinion on the top three cloud providers I can tell you, but there’s no single answer for every organization. It depends on many factors.

15. Call me to ask me how to secure your cloud environment.

Call me for strategies to deal with evolving cloud environments and to proactively rather than reactively secure your cloud accounts.

There are so many things you should consider beyond a single tool. Let me tell you what those things are. Instead of answering a question about one type of tool, let me help you with your cloud security architecture.

In addition, do you need a third-party tool, or can you use what the cloud provider has to offer? The cloud vendors themselves are building a lot of security into the cloud platforms directly. When should you use a third-party vs. a cloud vendor tool? I can answer that as well.

Schedule a call with me at IANS Research if you want to know about the top threats to cloud environments and how to address them.

Ask me about strategies for securing containers, serverless, APIs, and cloud applications.

If you would like me to review a specific product, architecture, or configuration, you can arrange that with your client representative by sending me information (encrypted with my public key if you want) in advance of a call (phone only, no video/screen share/chat/links in call).

I’m a cloud, security, and software architect. I might have solutions or ideas you haven’t thought of to simplify your cloud or application security design or strengthen your approach having done this type of work for a minute.

If you can arrange a 50% upfront payment with IANS, I can also perform deeper dive training, assessments, and penetration tests. Those services are available to non-IANS clients through 2nd Sight Lab — in which case, please reach out to me on LinkedIn to arrange a phone call (again no video for initial call, phone only.)

What am I investing in?

I’m not going to tell you the specific stocks I am investing in but I will tell you that none of them are security products specifically. I think the cloud platforms will control the future and buy or build anything a third-party can build. I once thought that a multi-cloud product might be the ticket but even Microsoft and Google are moving quickly into that space. Although I feel like the big cloud platforms aren’t going away and prices are way down right now, those are not even my primary focus.

I’m not any sort of investment guru. This is not investing advice. I’m just telling you my point of view. I worked for Capital One Investing building all the systems that handle various aspects of trading. My take for the longest time was that the market was way over-valued. I avoided the stock market altogether except for what was previously invested and compounding for years, and invested in my house instead. That did double in value and I sold it and cashed out to buy my current house because I felt my tiny house in Seattle was overvalued — just before the stock market crashed. Now interest rates are going up and the housing market is slowing down. Was I right? Seems like it, but maybe it was all luck.

This year, due to historic lows, I started investing again. But I’m not looking for the next best tech. I’m looking for value — the kind Warren Buffett wrote about way back in the investing book I read before the dot-bomb. In addition, I’m looking for dividends. Show me the money. Ideally, you want dividends and growth. Does Google (Alphabet) pay dividends? No. Does Amazon pay dividends? No. Does Microsoft? Barely.

But they reinvest in new tech, you say? During the heyday I think those companies could spare some dividends. Though today, I see Amazon is laying off a number of people, so it’s going to be rough for a while until the Federal Reserve stops raising interest rates. Now not only are people losing jobs they have to pay more for debt they may incur due to not having a job. I still don’t understand how raising interest rates helps anyone.

Of course you need to understand the fundamentals of a company to understand whether it can continue to pay dividends but that’s my focus right now — not the next best thing in security. I am looking at areas with growth (green tech) and areas where shortages exist in the market but some of those stocks I invested in earlier this year have already greatly increased in value to the point where they are no longer my focus.

As for security products — we KNOW how to secure systems. It’s all there in the fundamentals that we need to automate and get right. It’s not some new magic formula or tool. It’s good old-fashioned security architecture, configuration management, and monitoring. And yes, one tool or the other may help you — some of them do have a lot of value — but I haven’t dug into every single tool to say which one is best out of every one available to you. And it changes constantly.

What I can tell you, if I review your account, or your architecture or design, is whether I find security problems that could lead to a breach and the level of urgency. I can also recommend solutions to fix those problems. That is what I want people to ask me. Ask me how to architect security solutions and how to prevent a data breach. It’s not a single tool. It’s an architecture and processes that work together to prevent security gaps. I focus on application and cloud security. I can recommend others who deal with on-premise and data center security through IANS Research.

I stopped to write this post because once again, I seem to be getting a lot of the “what product should I buy” questions lately. In my opinion, that is not the question you should be asking. And I really don’t want to waste your time or money on things that don’t holistically help with cloud security. I want to provide the information that will make a difference.

I don’t sell or promote products. I get asked by companies all the time to be their “influencer” or participate in some kind of marketing activity and I politely decline. I am an AWS Hero because they designated me as such when I didn’t even know what that was. I didn’t lobby for that title (as I know some did), I just like AWS. It fell upon me.

In fact, they could remove that designation at any time because I don’t actively market and sell AWS. There’s no contractual arrangement to do something to get that title and no guarantee that AWS will continue to designate me as an AWS Hero. It’s just a nice thing to do for people who write about the product a lot like I do — because I use it. It’s also more legitimate than a paid influencer.

I was one of the voices that got Capital One to use AWS. I was the one who warned our AWS account reps at the time that they should do more to promote security to AWS customers…One of them came up to me at AWS re:Inforce just before the Capital One breach was announced and reminded me of this. I didn’t know why he was telling me at the time. A few days later it was clear.

I also used to run a meetup, but I moved and am looking for a buyer for that at the moment — but only the right buyer, a company that is legitimate and will support the group well. I haven’t decided what I am going to do yet. Maybe I will just keep running it and it will become virtual; I’m not sure.

But if I don’t keep running that meetup — which I have run since 2012 — who knows what Amazon will do. I don’t get paid by Amazon. I pretty much paid for that designation with a lot of my own time and money. They have compensated me for some travel where I spoke at events and part of the expenses to get to AWS conferences (paying my own airfare and sometimes hotel), but I don’t promote AWS to get any of that. It’s just a byproduct of what I was doing anyway. I just have liked AWS. I do have some concerns about the direction of the platform, but hopefully they will keep the most critical aspects of why I liked AWS from the beginning intact.

I inform people how to secure their AWS, Azure, and GCP accounts — because that’s what I care about. Cloud Security. At the last event in Atlanta I was told the most people ever showed up for what is called one of their “dev chats” so hopefully people appreciate the value of the information I am trying to provide.

So if I don’t sell products what do I do? What can you ask me?

I help architect solutions that involve many products, services, and custom automation to close security gaps. Like I’m doing in this most recent blog series.

Ask me about that!

If you would like to schedule a call with me through IANS Research and are not already a client, reach out on LinkedIn and I can put you in touch with the appropriate person. It also helps me out when I refer new clients.

Back to our batch job architecture tomorrow, and all the tactics and techniques I’m providing — without buying a tool for the most part (though I am using AWS and I may integrate a third-party authentication tool) — that will help you secure your cloud account and applications.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab