Security at the Crossroads: Cybersecurity Fundamentals
Ebook, 158 pages, 2 hours

About this ebook

The absence of a universally accepted set of security best practices has given rise to a prevailing perspective that characterises cybersecurity as a 'market for lemons'. This viewpoint is ardently embraced by a number of high-profile executives and influential analysts, sparking an organised initiative that actively calls for decisive action. Similar to the concept of a market for lemons, cybersecurity solutions are perceived as lacking transparency, leading to concerns about their efficacy and prompting a collective push for comprehensive reforms in security practices. This endeavour is unmistakably reminiscent of the magmatic burbles that announced the eruptive changes in enterprise design when the digital transformation was eerily introduced. Unfortunately, in the cybersecurity industry, extracurricular initiatives seldom venture outside daily routines. The community simply does not feel obliged to provide a constructive written response. This non-inquisitive, if not dogmatic, industry attitude is most likely one of the traits that allows industry analysts and influencers to superimpose their own beliefs and consequently course-correct the evolution of cybersecurity practice, outside industry-specific drivers. Several years ago, I responded to the most radical change in enterprise architecture and coined it as the Copernican revolution in enterprise design; the market calls it SASE – Secure Access Service Edge. Today, I strongly believe that a clearing exercise around the question of cybersecurity is warranted, especially if somehow cybersecurity microcosmically reflects some of the wider problems that our global village suffers from. The market ironically does not expect technological professionals to master suprastructural arguments, but I believe that when it comes to security, cybersecurity professionals are in fact in a better position than anyone else to ask what its sublime object is.
Security professionals navigate complex terrains, where understanding nuances and contexts is as important as deciphering broader technical implications and potential engineering risks.

Language: English
Release date: Jan 19, 2024
Author

Claudiu Enache

Claudiu Enache is a Technical Director at Symantec, specializing in networking and cybersecurity. In his current role, Claudiu is responsible for designing blueprint reference architectures for global enterprises, as well as productizing and industrializing Symantec as a solution within service provider-managed security product portfolios. He sits at the nexus of technology and business, constantly navigating the international waters of technical innovations and product management. Throughout his career, Claudiu has developed and managed global infrastructures, directed IT programs and operations, mobilized cross-functional teams, and delivered complex, multi-stage projects. Prior to joining Symantec, Claudiu developed and ran his own cloud platform based on DDoS mitigation and worked for other market leaders such as Zscaler and SonicWall.

    Book preview

    Security at the Crossroads - Claudiu Enache

    Copyright © 2024 by Claudiu Enache

    All rights reserved.

    No parts from this publication may be reproduced, distributed, or transmitted in any form by any means, including photocopying, or other electronic or mechanical methods, without prior written permission of the author, except in the case of brief quotations embodied in critical reviews and certain other non-commercial uses permitted by copyright law.

    All trademarks used herein are the property of their respective owners. The use of any trademark in the text does not vest in the author or publisher any trademark ownership rights in such trademarks, nor does the use of such trademarks imply any affiliation with or endorsement of this publication by such owners.

    Although every precaution has been taken to verify the accuracy of the information contained herein, the author and publisher assume no responsibility for any errors or omissions. No liability is assumed for damages that may result from the use of information contained within.

    This paper was first published in 2024 by Claudiu Enache through the Smashwords publishing platform: https://www.smashwords.com/.

    ISBN

    Table of Contents

    Problem Statement

    Scope and Objectives

    Security Market

    Security Strategy

    Security Topology

    Security Fabric

    Security Engines

    Security Intelligence

    Security Products

    Security Operations

    Security Frameworks

    Bibliography

    Problem Statement

    The question of best practice in enterprise security has been answered in so many ways and variations that it is almost impossible to validate objectively any security stance, standard, policy, or practice. There are multiple reasons for this, some are straightforward and intuitive, others complex and convoluted. Most established security best practices are predominantly driven by business profiles and verticals, regions and operating theatres, data compliance, and regulations. However, our technical ability to differentiate between security propositions at very minute degrees leads to multiple security scenarios and possible implementations. For instance, a public sector organisation should have, in principle, a more robust and restrictive security posture, governed by a security management system that fits into a wider framework. An enterprise, on the other hand, may have a so-called 'standard' approach to security, mostly driven by its internal security specialists. Two businesses in the same vertical may have different approaches to security just because their thought leadership may be diametrically opposed. Whatever the case may be, it is clear that this state of affairs can quickly introduce variations and iterations that obfuscate any practical security guidelines.

    Moreover, this gets more complex and convoluted when security practices are articulated by an amalgamation of service providers, systems integrators, and cybersecurity vendors. Service providers or systems integrators may not necessarily have their own agendas, but their counsel or advice may be involuntarily contaminated or biased, despite the fact that an agnostic position would actually be in their own interest. For security vendors and software providers this may be even more challenging. To be truly successful, a security vendor needs to believe in its product and produce thought leadership and best practices that are adopted at a global scale, across the spectrum. Being partisan is at the very heart of its identity. Of course, this inevitably leads to virtually the same number of coined and advocated security practices as the number of competitive security vendors.

    If so, how can an organisation be in the informed position to make an assured, objective decision over its security practice? Even if these predicaments and challenges are quietly accepted or willingly disregarded, the same resounding question is raised in a more immediate and practical way by the realities of cybercrime. How can we explain that despite our best efforts, dedicated infrastructures, security departments, and threat hunting centres, the number of successful breaches is on the rise, victimising the most heavily guarded organisations and civilians alike?

    Enterprises are continually increasing their financial and technological commitments to cybersecurity, yet the number of breaches and cyber attacks appears to grow concomitantly with the asserted commitment to stop them. Even the most sceptical analysts, who consider negligence as one of the main causes of the inability to successfully thwart cyber attacks consistently, would agree that our own efficiency, given the amount of effort that we put in, is questionable if not suspect. There is certainly a contradiction between the effort and budgets that organisations put towards securing their digital assets and data, and the number of successful breaches. The two cannot be reconciled. In other words, it would be detrimental to both the cybersecurity industry and society at large to indolently ignore such a critical question – which sits today at the core of our own progress and evolution. We simply cannot afford to conveniently qualify it as something vague or incomprehensible, a Gordian knot that we better pass over in silence. This position would certainly be acceptable for those who are not directly responsible for providing security in an enterprise, business-as-usual environment. But the reality is that the advent of the digital transformation has firmly made information technology (IT) part of the business value chain and raised its profile accordingly. Today, we are all dependent on technology. The profile of enterprise security has grown concurrently with this self-inflicted dependency, and whilst five years ago security was not a boardroom item, it is today.

    The absence of a universally accepted set of security best practices has given rise to a prevailing perspective that characterises cybersecurity as a 'market for lemons'. This viewpoint is ardently embraced by a number of high-profile executives and influential analysts, sparking an organised initiative that actively calls for decisive action. Similar to the concept of a market for lemons, cybersecurity solutions are perceived as lacking transparency, leading to concerns about their efficacy and prompting a collective push for comprehensive reforms in security practices. This endeavour is unmistakably reminiscent of the magmatic burbles that announced the eruptive changes in enterprise design when the digital transformation was eerily introduced. Unfortunately, extracurricular initiatives in the cybersecurity industry seldom venture outside daily routines. The community simply does not feel obliged to provide a constructive written response. This non-inquisitive, if not dogmatic, industry attitude is most likely one of the traits that allows industry analysts and influencers to superimpose their own beliefs and consequently course-correct the evolution of cybersecurity practice outside industry-specific drivers. Several years ago, I responded to the most radical change in enterprise architecture and coined it as the Copernican revolution in enterprise design; the market calls it SASE – Secure Access Service Edge. Today, I strongly believe that a clearing exercise around the question of cybersecurity is warranted, especially if somehow cybersecurity microcosmically reflects some of the wider problems that our global village suffers from. The market ironically does not expect technological professionals to master suprastructural arguments, but I believe that when it comes to security, cybersecurity professionals are in fact in a better position than anyone else to ask what its sublime object is.

    Security professionals navigate complex terrains, where understanding nuances and contexts is as important as deciphering broader technical implications and potential engineering risks.

    Scope and Objectives

    Given the above, my aim is twofold: to understand, exemplify, and reconcile why security solutions fail and to put forward a practical proposition on how user-centric security should be implemented in an enterprise environment. My intention is not to introduce new security concepts or functions but to find a more efficient, ‘gluten-free’ manner to get the best out of the security products available today. Fundamentally, this approach is not meant to trigger immediate or dramatic changes, since it will address in essence the same security functions and will use the same vocabulary, but to advocate a set of refined adjustments that as a whole would have long-lasting, technically effective results, regardless of the operating confines or market schisms. There are a fair number of reputable security best practice papers, yet this effort will certainly not be a discussion on how to use a firewall, document security policies, or enforce safe password practices. It will instead allow organisations to independently benchmark their security best practice, assess the efficacy of their security solutions, and attest the degree of their security due diligence. Enterprise security can be tagged and classified in multiple ways. It lends itself quite easily to misinterpretation, especially when not defined or qualified properly. For this very reason, my take is not concerned with prefacing or defining new theoretical approaches, which today probably exhaust the vast majority of the security discussions, but I am concerned with how security is actually applied.

    Whilst not immediately apparent, my approach will seek to use a top-down architectural principle rather than a purely historical perspective. The latter may indeed be an easier route, but over the years has been overused and remained neglectfully stuck to a descriptive level that adds no critical thinking dimension. It seems that the analytical aspects that are so crucial for problem-solving in engineering are somehow totally forgotten when confronted with structurally relevant issues. This in itself can be a subject of investigation. As such, the deeper aspects of the cybersecurity industry must be probed, going beyond reporting robotically on the advent of newer technologies or how they work for example. Understanding the security market and its inner workings is a prerequisite for drafting a sound security strategy. But without profoundly understanding what the role of a strategy should be in the first place, many professionals are prevented from navigating the topology that underpins enterprise architecture in an optimal manner. Being an intrinsic part of the technology topology, the vendors inevitably also play a major role in protocol development and standardisation. In turn, the architectural dependencies are further compounded by the evolution of the increasingly sophisticated standards and protocols at a fabric level. The existing fabric will dictate how security engines must behave in order to be efficient and fit for purpose. Packaging the security engines and the intelligence required to keep them working is a responsibility assumed by security vendors who build products which must also have operational relevance. The operating models themselves can be tailored according to maturity or industry-specific frameworks. These frameworks also have wider social implications besides their technical dimension. Put differently, for drafting a sound security practice, security professionals are forced to go
