A thread of ballache things from doing security at enterprises for decades, which need improvement.
I used to run vulnerability management @coopuk; with a team of 3, a significant amount of time was spent trying to keep the $VENDOR tool working, chasing firewall rules for scanning, change requests for scanning, etc.
Having vuln mgmt is half the battle; the next is trying to get the business to do anything.

Difficult to give the business access to data, and to demonstrate remediation steps. PDF reports look like a cat shat in the litter box, ate the shite, then shat it back out.

Needs easier actionability.
Threat intelligence - it’s rarely actionable, as you don’t even truly know if you’re impacted. It’s usually like being told you’re drowning but not knowing you’re drowning until, oh, you drowned last Tuesday.
Antivirus. Welcome to 4 different AV solutions when there’s supposed to be 1, lots of machines which have broken AV but nobody realises, and 22 different policies with whitelisting everywhere, copied between AV projects because nobody knows what the rules mean.
Audits. Companies usually have internal auditors do cybersecurity audits, but they’re not usually trained in cybersecurity, so you end up having to guide them and gather things at short notice.

Would be better to dashboard stuff by design for auditors, then give ‘em access.
Lack of incentive to concentrate on ‘basics’. And by basics I mean fundamentals. You end up layering on controls and solutions because nothing really says, like, ‘oh, your endpoints all have the firewall disabled’.
SIEM as a tick box. Every org is told they need to collect logs.. so they do.. then nothing happens. Needs to be easier to get value out of logs (of which there is lots).
Patching. It’s much easier with OS patching nowadays... but have you tried patching SQL Server clusters with SharePoint hanging off them? It’s like playing Jenga while drunk, fighting Keanu Reeves.

OS patching much improved. Applications? Nope.
Lack of a clear picture of posture for those making decisions. Eg people thinking a risk is acceptable as there’s a compensating control.. when in reality it isn’t actually enabled. Somebody somewhere in the business knows. But not the people making the decisions.
Configuration errors or issues. It’s super easy to set up SharePoint to run as domain admin, and then notice when a 17-year-old owns your network and deploys Matrix-themed meme ransomware.
Lack of visibility about protocols in use, eg SMB 1, LDAP, etc. Orgs consistently overestimate their maturity as they just don’t know what their network is doing.
Difficulty detecting lateral movement and credential misuse. PAM solutions are great, but realistically also super easy to bypass - attackers don’t even bother using the $$$$ PAM box.
Lack of a consistent way for orgs to assess their maturity, leading to an overly optimistic or pessimistic view. CIS is actually a good way to do this, but it depends on knowing the real state of things across the org and business units.
Silo’d knowledge. Eg a vuln team who won’t tell the business their vulns in case they’re exploited, firewall admins in a silo, SOC wrapped up in business as usual, etc.

Spread the knowledge and be transparent btw. Attackers don’t need you to give them permission to know about gaps. They know.
Insecure cybersecurity products, eg VPN boxes purchased by security which end up being the cause of network penetration due to decades-old bugs and crappy code.
Overly complicated cybersecurity products. Things which are basically impossible to realistically deploy with the resources the customer has, but get sold anyway, and just make the situation worse.
Unrealistic business expectations, eg pitting internal teams against MSSPs which cost $15 and who look like they sniff crack, then asking why internal provides better value. Expecting security to solve security, when it’s really about dealing with risk.
Most of all, a lack of porgs to play with in the office.
Oh god I was cranky when I wrote this (and mostly right).
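Two of the gaps the thread names ("endpoints all have the firewall disabled", "lack of visibility about protocols in use, eg SMB 1") are cheap to actually check per host. The script below is an added example, not part of the thread or anything @GossiTheDog published; it assumes a Windows 10/11 or Server 2016+ endpoint run from an elevated PowerShell session with the built-in NetSecurity, SmbShare and DISM modules available, and it reports only what it observes rather than what policy says should be there (the "compensating control that isn't actually enabled" problem above).

```powershell
# Added example: observed (not documented) posture for host firewall and SMB1 on one endpoint.
# Assumes elevated PowerShell on Windows 10/11 or Server 2016+ (built-in modules only).
# For a fleet, wrap the body in Invoke-Command -ComputerName ... and collect the objects centrally.

$findings = @()
$detail   = [ordered]@{}

# 1. Host firewall: each profile (Domain, Private, Public) should report Enabled = True.
#    Enabled is a GpoBoolean (True / False / NotConfigured), so compare against the name, not a [bool].
$profiles = Get-NetFirewallProfile
foreach ($p in $profiles) {
    $detail["Firewall_$($p.Name)"] = $p.Enabled.ToString()
    if ($p.Enabled -ne 'True') {
        $findings += "Firewall profile '$($p.Name)' is $($p.Enabled)"
    }
}

# 2. SMB1: both the server-side protocol switch and the optional feature should be off.
#    The two are independent; one being disabled does not imply the other.
$smb = Get-SmbServerConfiguration
$detail['SMB1_ServerProtocolEnabled'] = [bool]$smb.EnableSMB1Protocol
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMB1 server protocol is enabled (EnableSMB1Protocol = True)'
}

$feature = Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -ErrorAction SilentlyContinue
if ($feature) {
    $detail['SMB1_OptionalFeature'] = $feature.State.ToString()
    if ($feature.State -eq 'Enabled') {
        $findings += 'SMB1Protocol optional feature is installed'
    }
} else {
    $detail['SMB1_OptionalFeature'] = 'NotPresent'
}

# 3. Emit one object per host so the result can be dashboarded rather than buried in a PDF.
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    CheckedAt    = (Get-Date).ToString('s')
    Findings     = if ($findings.Count) { $findings -join '; ' } else { 'none' }
    Detail       = $detail
}
```

The point of emitting a structured object instead of printing text is that the same script can feed a SIEM or a spreadsheet for the decision-makers; a host with `Findings = none` is one where the assumed control is actually on, and anything else is the gap the thread says nobody upstream sees.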
You can follow @GossiTheDog.