We told you not to trust your neighbor. But you should be able to trust your vendors, right? Not necessarily!
In recent weeks there have been a couple of high profile security vendor breaches/vulnerabilities. Juniper Networks disclosed two backdoors in their firewall code and Fortinet also had a backdoor/vulnerability within their software. Both Juniper and Fortinet backdoors would give an attacker access to your firewall. Your firewall! Remember — this is the very device that is supposed to keep your network protected!! Oh, the irony.
So… Down with vendors, then?
Obviously, no. We cannot grow all of our solutions at home. And even if we could, they would be questionable and only marginally supportable. So we have to compensate with good solid practice and creative architecture.
A great way to help reduce the risk of vendor security flaws is to utilize the old adage of defense-in-depth. If you implement multiple overlapping capabilities from different vendors throughout the network protection stack, a single flaw is not enough to make a hole.
Pros of a defense-in-depth strategy:
- Multiple different inspection mechanisms for the data traversing on a network
- Analytics allows for deeper understanding of “normal” for the network traffic flows
- Higher fidelity of alerts
Cons of a defense-in-depth strategy:
- Cost – While not always the case, the introduction of overlap most likely results in additional licensing and hardware costs
- Personnel – Those additional systems require care, feeding, patching, rebooting, etc. Talk about piling more food onto an already overflowing plate!
- Complexity – The environment now requires more depth of understanding to truly understand
How can you mitigate the cons?
- MSSP – A Managed Security Services Provider will free up some room on your personnel’s plate. The MSSP can filter your alerts, triage them, and even help you with mitigation
- Redesign – Take advantage of the opportunity to rearchitect the network when introducing the new technologies. You will likely find that there are cost savings to be mined by eliminating the sins of your predecessors
- Automation – Anything you do more than once without scripting is a waste of effort. Automate your detections, filtering, and output. Watch your cost-per-incident start to fall!
I choose to believe that vendors whose products become vulnerable are not (usually) malicious. I choose to believe that vulnerabilities, either arising from negligence or accident, are an inevitability and it is incumbent upon us as security professionals to design our cyber security systems to be resilient enough to handle the flaws. If we expect failure in all components and design solutions with resiliency in mind, we can instead focus on the positives these vendors bring to us rather than fearing the inevitable exposé and patch.