Having just returned from the latest calendar offering for ICS security conferences, I am reminded of the phrase 'the more things change, the more they stay the same.' This, for me, is due to two very specific observations, one of which supports the conclusion of the other.
OK, so get to the point. What I am trying to say is that in my 14-plus years in this space I have not yet said a whole lot that is overly new, novel or surprising (from my standpoint, anyway), but we still get large audiences of people nodding their heads and taking notes when we tell our story.
This is because the topic, its challenges, and the constraints on end users (read: budgets, staff, support, understanding, OEMs, politics, etc.) have never really changed. All that we see, cycle after cycle, is new and evolving tools. Ever in pursuit of a 'silver bullet', the market gets whipped into a frenzy about the latest way to solve the impossible! In the end, we realize that we invariably return to reality: the reality that security is a program. A never-ending, constantly evolving, user-supported, technology-enabled program.
So what happened last week to make me realize this? First, there was the S4x18 ICS detection challenge. In a nod to the aforementioned market frenzy, a whole lot of anomaly detection tools have been leading market discussion about the pros and cons of the relative offerings in this space. Make no mistake - there is good technology under the hood. And alarm/event monitoring with either signature- or behavior-based models is a progression of technology.
What is missing, however, is the context in which these tools add value (that context is one in which an anomaly detection (AD) tool is but one component of a larger overall strategy). What we saw this week is that technology is never perfect. The results of the challenge have been widely publicized by the various participants, each claiming victory within its own view of the exercise.
However, from where I stand, I see all of these tools as a single discipline within an overall security program, not a standalone silver bullet or the final destination for 100% of your security budget. The second thing we saw was in the trend of topics, the conclusions of many and, quite informally, the polling of the average participant as to what their biggest challenge was. In no particular order, there were three main areas of concern:
- Help reduce cost/complexity of compliance (regulatory, corporate or best practice)
- Help capture investment (Don't kid yourselves, lots of money has been spent!)
- Help tie services and software together (we need skilled people)
In other words, the struggle is in executing a program consistently, in the face of increased threats/technology, decreased budgets and a lack of skilled staff. What it boils down to is not which tool you use but how you use the tools you have. If you want to hear more about the practical and effective use of tools within a cohesive and comprehensive platform, then check us out. If you would rather wait for the next best tool set, then I guess I will see you at the next conference!