HackDig : Dig high-quality web security articles for hacker

Oil Tankers and Row Boats: The Security of Enterprises and Startups

2014-12-22 19:15

One of my high school teachers used a great analogy for large and small companies: the oil tanker and the row boat. It’s a common example given in many business schools to describe the agility of a row boat, which can maneuver quickly, versus an oil tanker, which can take miles to change direction. The row boat, however, requires a lot more input to be controlled and more effort to propel forward. I still use this analogy today with my clients, but in the context of cyberdefense and security. An oil tanker is a bigger, more obvious target, but a row boat is much easier to capsize.

Big Companies Versus Startups

As a consultant, most of my clients are large companies with global reach and are true oil tankers in their industries. However, I also have a history of working closely with startups and keep a close eye on the startup community. I find the different ways in which these diametric opposites of the business world approach cyberdefense to be fascinating.

Large corporations have a multitude of tools to prevent and mitigate breaches, but they expect out-of-the-box solutions without defining cybersecurity policies and frameworks. Startups usually swing the opposite way, relying on specific SQL queries to a log server of some kind to find specific examples of what they think a breach event might resemble. The best place to be is somewhere in the middle, with defined cybersecurity policies tailored to defense and detection systems that then leverage analytics, data and trends.

The cliche line of the startup crowd is that big business is full of red tape and processes. I don’t dispute this, and I often see its effects when consulting with clients and delivering solutions to them. “Can we just open a firewall port to debug this?” is met by winces. There are motivations and justifications for this, and I think this is sometimes where startups can learn about building their products and companies securely from the ground up. With only a little resource overhead (something in precious supply), those extra checks and balances and second pairs of eyes can prove invaluable as a company scales without the need to undertake the huge centralization or consolidation projects that come with maturation.

Contrary to this, I think the slowness to react to threats and the monitoring of systems in large enterprises can be a real challenge to deal with. Security intelligence is starting to combat this with single-pane views and posture overviews, but there is still a long way to go. For startups, changes and patches can be pushed in seconds across a variety of application nodes and the use of agile, on-the-fly, modern, configurable technologies can be much quicker to remediate threats and intrusions.


The Heartbleed vulnerability is quickly becoming the poster child of cybersecurity and vulnerabilities, but I can imagine that it was dealt with very differently in each case. For instance, let’s take Big Corp Plc. (BCP) and agile.io, two imaginary companies. BCP is a huge vertical global enterprise in its industry, while agile.io is a software-as-a-service startup disrupting a well-established duopoly market.

BCP has a 24/7 security operations center monitoring every aspect of its IT estate, so it knows about the vulnerabilities and potential breaches almost immediately after they surface on its news tickets. This gives the company a head start over agile.io, which finds out when its system administrator arrives in the morning and reads the latest news.

Although the BCP estate has thousands of servers with a bunch of Linux servers, the company has no process to automate, mass-deploy or upgrade packages since the systems are managed by different departments. Agile.io, on the other hand, uses Linux containers automated with a puppet on a cloud service and has Jim, the don when it comes to DevOps and the system administrator who knows everything about the agile.io environment. BCP has an asset database that controls all changes and logs which application levels are on each server throughout its network. It also has a vulnerability scanner, so it has already started scanning its ranges to find vulnerable servers, using its asset database to reduce the amount of scanning required.

One can already see a contrast. BCP is highly automated to detect threats, and due to all the processes and documentation, it has a full list of its servers even though there are thousands of them. However, it is this process that restricts the company and holds it back, since making changes to all these systems can take weeks.

Agile.io is a much smaller estate and can deploy the patches and upgrades much more quickly, but it doesn’t track which servers are where or its software levels. Instead, the company relies on Jim, who needs to recall or check which servers run which versions and press their developers to check all their development/test/pre-pod virtual machines, as he has no control over those.

I appreciate that this is all just speculation, but the situation could be real, and we can start to see emerging trends. BCP is slower to execute, but it has more information and resources to fix the problem; agile.io can execute in seconds, but it has less documentation, information and focus on information security.

This is where I start to see each company being able to learn from each other. The fast and from-the-hip nature of startups with a lack of information security focus can lead to a loss of control of their server assets, increasing the attack surface and leaving dormant servers ripe for advanced persistent threat jump boxes. The same situation possibly occurs even more often in large organizations because no one person in the company has the knowledge of the network layout. However, with good vulnerability scanners, intrusion prevention systems and security intelligence, these threats can be detected, and those Windows XP boxes or Server 2000 can be decommissioned.

Executing remediation is another place in which the startup excels; Jim might have to check with the development manager, but he can have the box reprovisioned or recycled in hours. Information security teams at large enterprises usually never have such power. Instead, they have to instruct other departments to undertake the work, which is charged back or pushed to the bottom of the list since information security is not a functional priority for that department.

In conclusion, both types are susceptible to cybersecurity events and have different ways of handling them. Their business can also be ruined by them to equal degrees. An esteemed multinational bank being hacked would make international news, decimate its brand and make it likely to lose its banking license. The startup could be killed before it began by losing its funding if early adopters abandoned it after the breach.

Security Lessons Learned

The following are lessons learned on both sides:


  • Always have scale in mind. How are you going to detect and triage threats when you start growing?
  • Security still matters, no matter how small you think you are.
  • Double-checking or checking off boxes may seem like a chore, but people are trusting you to get it right when there isn’t an information security team to back you up.

Large Enterprises

  • Build lean processes with the minimum amount of time to allow for fast reactions to a situation. Build in break-glass or emergency procedures by default.
  • Other areas of IT must have time to prioritize remediation and assistance. Success doesn’t occur when threats are detected, and security is a joint responsibility.
  • New technologies can help automate and allow for quick mitigation. When evaluating new software, involve your information security team. What are the attack vectors for the product?
  • How quickly could you patch threats? What data or value would this expose to an attacker?

The waves of cyberthreats are ever-changing, so fit bow thrusters to that oil tanker and an outboard engine to the row boat to have the best of both worlds when responding to them.

The post Oil Tankers and Row Boats: The Security of Enterprises and Startups appeared first on Security Intelligence.

Source: /wf029OWo4pQ/3~/ecnegilletnIytiruceS/r~/moc.elgoog.yxorpdeef

“Oil Tankers and Row Boats: The Security of Enterprises and Startups”0 Comments

Submit A Comment



Blog :

Verification Code:


Share high-quality web security related articles with you:)


Tag Cloud