I'm not burned out, I'm pissed off — myname.website

By myname.website

A couple of weeks ago I had a meeting with my boss where I told him I was burned out and was looking for a new opportunity. “Burn out” is the polite way to say it. In reality, I'm disappointed. I'm mad. I'm pissed off.

I'm pissed off at the state of information security. I'm pissed off that our tooling is falling behind. I'm pissed off that my clients don't seem to take it seriously, and I'm pissed off that the vendors don't seem to want to help. Let me ask you: is the state of information security really any better today than it was 8 years ago when I started? The easy answer is no. The better answer is, it's worse.

I'm an information security consultant. I work for a vendor. I won't say who because this isn't about the who. I'm absolutely not picking on any one person or company or team or product. I'm picking on the mindset of the entire industry, and the companies who use our services. This is ultimately going to end up being multiple posts, but every therapy session has to start somewhere.

So what am I mad about? I'm mad at how often I have to say no. No, we can't do that. No, it doesn't support that. No, the vendor doesn't allow for that. No, you don't have the right license. No, no, no. Isn't the point of technology to enable businesses? So why am I saying no so often?

I'm mad that my clients are still getting breached. That I've installed the best-in-breed security software, configured it with the best-in-breed rules and add-ons and analytics tools and staffed it with a best-in-breed SOC using the best-in-breed processes and a Wordpress vulnerability brings down the entire company. Or a misconfigured S3 bucket. Or an employee sending an email or browsing Facebook, or sharing a document.

I'm mad at my company's software. It was built for a time that no longer exists, where machines kept the same hostname and the same IP address and served one function. A time where infrastructure never changed. I'm mad the software STILL expects the infrastructure to never change. I'm mad that it keys off of IP addresses first and foremost. In a world with software defined networking, where the IP address can change on a moment's notice or the service is load balanced, it just doesn't make sense. I'm mad that it will create records of machines it has seen on the network and send out alerts when those machines drop off the network or change hostname. Of course they do! It's fucking VDI! That's the entire point!

I'm mad at MSSPs. Humans whose only job is to look blindly at an escalation list and fire off a low priority alert to the on-call phone at 3am anyway. Who are so used to false positives that they close any ticket that has a familiar name, but so incompetent that they can't actually tune the rule to fix it. Who read from a checklist without applying any critical thinking because critical thinking is expensive and expensive means lower profit margins.

I'm mad at other vendors. I'm going to call out Cisco by fucking name and elaborate more on this in a follow-up post, but the simple question is how do you move a god damned security product to the cloud and not have a logging API?! I'm mad that I sat on a call representing my company's (not cloud native) cloud offering listening to Cisco tell us that the only way to get logs from god damned IRONPORT in the cloud was to use syslog! OVER THE INTERNET. FOR SECURITY LOGS.

I'm mad that syslog even exists anymore. But I'm even more mad that Windows can only natively log to other Windows systems and logging to a Linux system requires an agent. I'm mad that my clients refuse to install our agent. I'm mad that agents have been so poorly written in the past that they've given agents a bad name forever, and I'm mad that OUR agent was that bad in the beginning too.

Mostly I'm mad that our product can't consume logs from an API without being programmed to do so by a team that's so far behind that they're still trying to support Compuserve, and I'm mad that Microsoft changes their Azure logging format so often that our integration team spends half their time re-writing our Event Hub and O365 support.

So what am I going to do about it?

That's the meat of a follow-up, but it all started with the last point I mentioned: API support. I've spent the past few years becoming more and more disillusioned with how traditional info sec has been run, and I've spent the past few months helping to bring the product I have some control over kicking and screaming into the modern world. I've been writing apps that connect to various APIs to convert their logs into old-school syslog so our product can consume it.

And along the way I learned a ton about cloud technologies. About Azure Sentinel and Chronicle Backstory. About microservices and Kubernetes and zero-trust networking and BeyondCorp and real actual security.

And at the end of that road is the end of my interest in SIEMs and syslog and hardware appliances and software agents and legacy OSes. Leave it all for dead, discarded at the side of a road like that broken down Olds 88. Take off the license plate, file off the VIN, and walk away. It's someone else's problem now.