
What Can The Philosophy of Unix Teach Us About Security?


I don’t know how often Unix users think about philosophy. Though if they did, they might explain the philosophy of Unix as follows: Useful, nimble, lightweight tools that when combined in the appropriate manner get the job done quickly and efficiently. In other words, the concept of pipes is not only alive and well, it is thriving.

In some sense, I see security philosophy gradually going the way of the Unix philosophy. More specifically, within the areas of security operations and incident response, I believe that this transition has been underway for quite some time. What do I mean by this?  Allow me to elaborate.

Whether the security team is in-house at a large enterprise or part of a managed services offering, the trend seems to be the same. Security teams have given up on building their workflow around a small number of “silver bullets” that claim to solve most of their problems. Instead, most security teams have started to go about it the other way. They build the workflow that works for their particular organization, based on their priorities and objectives. Then they turn their attention to finding solutions that address particular needs within the workflow.

Security teams are no longer interested in closed, heavyweight tools developed for highly specialized purposes. They want useful, lightweight, nimble, and open tools that can be easily dropped into their particular workflow wherever certain requirements need to be addressed.

For security vendors, this shift in philosophy has a number of consequences:

● Don’t expect to be the center of the universe. I’ve actually seen vendors try to position themselves as the center of the security workflow on many occasions. Give it up. No security team is going to rip up their existing workflow and make you the center of the universe.

● If your solution is not open, keep on walking. As I described above, the concept of pipes is thriving in the security world. If you’re not familiar with the philosophy of Unix, becoming familiar with it would likely help you understand the evolving role of vendors in the eyes of security teams. If your solution can’t be dropped in behind one of the pipes I need a solution for, it just isn’t going to be an easy sell.

● Do your part to end swivel-chair work. Of course, every solution needs to come with its own console and easy-to-use GUI. But don’t expect it to get much use - at least not by security analysts. Security teams already have too much to do, even if they are working out of a single, unified work queue. If your solution can’t log to and integrate with the unified work queue, it just isn’t going to work.

● Understand where you add value. One of the most important things a security vendor can do is to learn what life is like day to day inside a security program. Only by learning how security practitioners work and where their pain points and needs are can you truly understand where you add value.

For enterprises and managed service providers, there are a number of consequences as well:

● Know your enterprise. As the years have gone by, the duties of the security team have continued to expand. In parallel, the pace at which attackers innovate and modify their behaviors has been increasing. This has made both the depth and breadth of ground a security team is expected to cover larger than ever. Because of this, it has become more important than ever for defenders to really know their enterprises. That is the only way to properly prioritize risk and converge on a manageable workflow.

● Develop the right workflow. Different organizations have different priorities, processes, and procedures. There is no one-size-fits-all approach to a security workflow. The organization needs to understand what steps need to be taken, and in what order, to properly detect, analyze, and respond to events. These different steps represent different pieces of functionality that can be piped together, automating where appropriate.

● Understand where you have gaps. No organization is expected to have every step of the security workflow fully worked out. Identifying where gaps exist is an important and often overlooked step in maturing the security posture of an organization.

● Fill in your gaps with the right solutions. Gaps in your security workflow provide an opportunity to identify the right solution or solutions to fill those gaps. Searching for solutions based on gaps identified in the security workflow is one of the best ways to ensure that security dollars have maximum impact. If someone is trying to sell you something that doesn’t fit into one of these pipes, chances are you don’t really have a great use for it. Unless, of course, you feel you’ve had an oversight and need to adapt or modify your security workflow.
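To make the pipe analogy concrete, here is an added example (not from the original column) of a detection, triage, and hand-off workflow built from standard Unix tools. The log lines are constructed for the example, and the final stage only formats an event for a work queue; the queue itself, and any organization-specific thresholds, are assumptions a real deployment would replace.

```shell
#!/bin/sh
# Added example: three small, replaceable stages joined with pipes.
# Stage 1 detects, stage 2 triages, stage 3 hands off to a work queue.

# Constructed sample sshd log excerpt (not real data).
sample_log() {
cat <<'EOF'
Jan 10 08:01:02 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jan 10 08:01:04 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Jan 10 08:01:09 bastion sshd[2104]: Accepted publickey for alice from 198.51.100.4 port 40112 ssh2
Jan 10 08:01:15 bastion sshd[2110]: Failed password for root from 203.0.113.7 port 51130 ssh2
Jan 10 08:02:20 bastion sshd[2115]: Failed password for bob from 192.0.2.9 port 33001 ssh2
Jan 10 08:02:21 bastion sshd[2115]: Failed password for bob from 192.0.2.9 port 33002 ssh2
Jan 10 08:02:22 bastion sshd[2115]: Accepted password for bob from 192.0.2.9 port 33003 ssh2
EOF
}

# Stage 1 (detect): count failed password attempts per source address.
# Reads log lines on stdin, emits "count address", highest count first.
failed_logins_by_source() {
  grep 'Failed password' \
  | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
  | sort \
  | uniq -c \
  | sort -rn \
  | awk '{ print $1, $2 }'
}

# Stage 2 (triage): keep only sources at or above the threshold given as $1.
# The threshold is an assumption; each organization tunes its own.
above_threshold() {
  awk -v t="$1" '$1 >= t'
}

# Stage 3 (respond): format one event per line for the unified work queue.
# A real deployment would pipe this into whatever ticketing or queue tool
# the team already uses; the format here is a placeholder.
to_work_queue_event() {
  awk '{ printf "ALERT source=%s failed_logins=%s\n", $2, $1 }'
}

# Usage: the whole workflow is one pipeline, and any stage can be swapped.
sample_log | failed_logins_by_source | above_threshold 3 | to_work_queue_event
```

Each stage reads stdin and writes stdout, so a vendor tool that honors the same contract can replace a stage without disturbing the rest of the workflow, which is the point the column makes about being "dropped in behind one of the pipes".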

Unix philosophy may not be the first thing that comes to mind when you think about security. But, I think that we as security practitioners can learn a lot from it.  Piping together the right tools in an efficient and lightweight manner can go a long way towards improving the maturity of our respective security programs.

Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently Co-Founder and Chief Product Officer at IDRRA. Prior to joining IDRRA, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.