Security's Everyman

Wednesday, July 11, 2007

The Slow, Blue Poop Security Model

The other day I was on the TCC Silc channel and made a comment about security being considered a four-letter word at some companies. Well, true to form, James Costello and Larry Pesce both chimed in with several four-letter words: slow, easy, blue, poop, none. Then the conversation went south from there. Somehow Larry coined the term "Slow, Blue Poop Security". I knew there was a blog hidden in there somewhere. Well, here it is.

What does an SBP security model look like? It looks a lot like what you may have seen at your company or a company that you once worked for. It is the security model that does just enough to get by. The security that keeps you from having your network owned by every hacker in the world but not enough to really offer protection. It provides just enough to make you feel like everything is OK, but you really don't know what is going on. What is happening with your clients and servers? Just because AV doesn't report anything doesn't mean there isn't anything to report. Richard Bejtlich has a post today about something very similar. The SBP Security model doesn't let you know what is really going on on your network.

Sometimes the SBP model even looks good to the casual information security professional. The network has many tools and devices that look good and provide lots of pretty blinking lights. But there is no real plan behind them. These are devices that allow them to check boxes on their compliance audit. They have a device for each check box, yet there are still gaping holes in the network.

The point of all this is to say that there is no room for the SBP Security model in today's world. SBP security only causes things to be less secure in the long run. It keeps compromised systems on the network and allows them to still spew their SBP to the rest of the world. It gives the bad guys a cloak of privacy to do their bidding without being discovered because SBP makes you feel good.

That's where our job comes in: to rid the world of SBP networks. To build our case for building networks that are really secure and that actually provide our companies, users and customers with the protection, privacy, and security that they really deserve.

And to quote Sun Tzu.................. Just kidding Amrit. :)

Larry, bet you didn't think I could do it.

2 comments:

Allen Baranov, CISSP said...

Hi Andy,

How about the opposite of 4 letter word type security (slow blue poop), you have 3 letter word security (sun tzu art war sec)?

Allen Baranov

Dr Anton Chuvakin said...

>It looks a lot like what you may
>have seen at your company or a
>company that you once worked for.


Hmm, isn't that what it is supposed to do? If you do "get by", then by definition you are OK and security is doing an adequate job....

This work is licensed under a Creative Commons Attribution-NC-SA 3.0.