This is a story about vulnerability management and patching, and the sheer number of wasted resources there are to be found here.

It’s a vicious cycle that is hype driven, which stimulates impulsive behaviour and fundamentally undermines what proper security should look like. It is fuelled by the capitalisation on the fear that organisations increasingly have, induced (in part) by the cyber security industry itself. You don’t want to get ransomed, do you? Here is our solution, just buy that instead!

Take log4j. Oh no, another big scary vulnerability. Your organisation is at incredible risk! (Is it though? - will touch on this later) Security professionals on Twitter and LinkedIn start screaming to patch and that doom awaits if you don’t. With some luck, mainstream media picks it up as well. Company owners, directors and high-level government officials start asking questions. Basic (non-technical) questions that most organisations don’t even know how to answer. Try asking - even now - which systems at any organisation of choice use log4j. Most organisations don’t even have a basic overview of what IT is in use. Somehow this is marked as a “security” issue, but it’s IT management at its core. The panic increases: let’s call external security professionals to figure it out for us. Do it right, and make it a full-blown compromise assessment with incident response hourly rates, and seal the deal with an MDR agreement for a few years. A few months go by, and everyone has forgotten log4j. We’re just waiting for the next vulnerability to start the cycle again.

Cyber security should be focused on behavioural detection that is data driven, fitting the budgets and needs of the organisation - knowing your risks and threats. This is also exactly where organisations struggle, or choose the wrong path. They don’t have the data, don’t know the risks, and don’t choose to be data driven.

Note how I said behavioural detection? This does not even include patching or vulnerability management, so why am I even talking about this? I’m not sure when and where this became a “security” thing, but software management (vulnerabilities and patching) on your IT systems is IT management. It has nothing to do with cyber security. Some will think I’m crazy for saying this; obviously IT management is tightly intertwined with cyber security risks and capabilities - but that doesn’t mean that patching and vulnerability management is the responsibility or domain of cyber security organisations/professionals. Who are you even kidding? If you’re dependent on trivial and simple detection and a hot patch of some new overhyped vulnerability, your security is inadequate anyway (regardless of your threat model). Using data driven behavioural detection for the threats that are relevant for your organisation, you’ll detect and prevent attackers either way. That’s the whole point and why it’s the way forward. If you’re really going for it (which you should), you can even respond automatically, e.g. by isolating IT systems based on certain behaviour.

Most people don’t understand this yet, but time will catch up. The paradigm shift will come, and when it does - we’re all better off for it.