SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
Five wine-tasting tips that should be applied to network security
Mon, 25th May 2020
FYI, this story is more than a year old

Let's take a deep dive into what ‘visibility' really means when protecting a network, and how it takes more than experience to truly understand and analyse incoming threats.

Much like a blind wine tasting, we need to keep an open mind and trust what the data is telling us without being biased by previous results.

There are many comparisons to be made for identifying blind spots in network security,  but my absolute favourite is the black wine glass, inspired by a recent tasting event.

During a trip to a certain vineyard, the guide shared a story of black glass wine tests, in which connoisseurs must determine what they're sipping without seeing it first. Despite being able to smell and taste each pour, even sommeliers have a hard time discerning between varietals in a legitimate blind tasting.

This got me thinking about seasoned the NetOps and SecOps professionals who deal with incoming threats each day.

Much like a master sommelier, these folks really know their stuff. They've had years of rigorous testing and training. They've seen it all and know what to look for. They are, without doubt, the master sommeliers of networking and security. But when these experts rely too heavily on their own previous experiences, they may end up missing the mark.

Here are five wine tasting tips that can help us to detect network security risks more accurately.

1. Never assume to know the outcome

What's that old saying about assumptions making something out of us?

There's a reason why bold declarations can backfire, and it's usually because they're easily challenged. Much like the US red and the white wine fiasco, which resulted in major hurt feelings for esteemed connoisseurs, surmising where the biggest security risks lie can have a devastating effect, even for total pro's.

The bias that comes into play in security is that decisions aren't often made based on data, instead they're made from the heart — and then even security professionals search for things that support this decision.

But a good security person knows this. They understand that while experience serves them well, it doesn't get them all the way there. Although they will first check where their gut tells them, they will also begin digging in other unlikely places.

Tasting notes: Making assumptions can quickly put an organisation at risk. Instead, consider all the evidence, not just the pieces experienced personally, before making any conclusions.

2. Use everything available when analysing the data

If the black-glass wine tastings proved anything, it's that seeing is a crucial first step in determining accurately what's actually in the glass. Without being able to look at the wine, a sommelier has zero chance of detecting nuances in colour, clarity or density. When there's no visibility, the other senses have a harder time guessing accurately the wine, because there's now a disconnect.

The same is true when protecting a network. First, total visibility is essential in order for the rest of a toolset to work effectively, while also recognising that no single tool will solve the entire problem.

Relying exclusively on a firewall, antivirus or SIEM is a sure way to fail because these tools often miss what's happening in between. To make the best possible choice, we need to use everything at our disposal, including network detection and response, to ensure that the information is as complete as possible.

Tasting notes: Without a comprehensive solution, we're only scratching — or sniffing, if you will — the surface.

3. Always keep an open mind

Even master sommeliers can miss the mark if they are quick to judge what they see. It's common to associate the colour of a wine with certain tasting notes, be it red (bold, velvety, earthy) or white (crisp, buttery, flowery). Like it or not, there's an entire flavour profile, from bouquet to finish, that's already being mostly predetermined in our minds from the moment we see the colour.

Something similar happens to our brains in network security when we're accustomed to spotting threats in the same places. The common problem areas should still be assessed, but making them the sole focus can mean overlooking other danger zones.

In order to decrease security risks and avoid costly network problems we must keep an open mind to what the data actually shows versus what we've been conditioned to expect, along with the next logical steps that should be considered.

This doesn't mean leaving years of experience at the door, but instead injecting some variety or chance into the discovery process, to see what else we may discover. In this way we are likely to catch a threat that was right there, where it was least expected.

Tasting notes: Relying on historical results will inevitably bias us, learn to look at the data from all angles.

4. Leave judgements at the door

It's been said that the more training a wine connoisseur has, the more mistakes he or she is likely to make. These are words to live by, and not just when drinking wine.

Just as sommeliers are easily influenced by the colour of a wine, security professionals are influenced by what they see on their network day in and day out, and then use that information to determine the risk level of the potential threat.

But it really doesn't matter how sharp our judgment is or isn't — we still need holistic solutions that allow us to see everything happening on our network.

Tasting notes: Perceptions are personal and influence conclusions. To see truly what's in front of us, we need to step outside our bubble.

5. Don't be fooled by what we see

Some wineries rely on imported grapes to achieve desired results. While these methods often make for a palatable pour, they're not exactly authentic.

A threat actor's preferred tactic works similarly. By misusing what are mostly benign tools, threat actors can hide in plain sight. NetOps and SecOps professionals must be careful, as a small blip that is normally benign may be suspicious activity, even when it looks identical.

When security professionals are looking at the data they're analysing, they need to combine tools, knowledge and experience to discern a genuine threat from authentic activity.

Tasting notes: The best security teams look for threats in other areas, not just where they've previously occurred, but in unlikely places, too.

In vino veritas

Absolute certainty is clearly an absolutely terrible approach to both wine tasting and network security. Rather than relying solely on years of training and experience, security pro's must be sure they have a network visibility solution that brings blind spots to the surface, then step out of their comfort zone when assessing the information.

They must use every tool at their disposal to collate all the information needed order to get the full story. Because that story changes dramatically based on the volume of information gleaned.