There are many comparisons we can make when it comes to identifying blind spots in network security--but my absolute favourite is the black wine glass, inspired by a recent tasting event with our marketing team. During our trip to Wente Vineyards our guide shared the story of the black glass wine tests, in which connoisseurs must determine what they’re sipping without actually seeing it first. Despite still being able to smell and taste each pour, it turns out that even sommeliers have a hard time discerning between varietals in a legitimate blind tasting.
This got me thinking about seasoned NetOps and SecOps professionals who deal with incoming threats on a daily basis. Much like a master sommelier, these folks really know their stuff. They’ve gone through years of rigorous testing and training. They’ve seen it all and they know what to look for. They are, without a doubt, the master sommeliers of networking and security. But when these experts rely too heavily on their own previous experiences, they may end up missing the mark.
Here are five wine tasting tips that can help you more accurately detect network security risks.
1. Never assume you know the outcome
What’s that old saying about assumptions making something out of you and me? There’s a reason bold declarations can backfire, and it’s usually because they’re easily challenged. Much like “The Red and the White” wine fiasco, which resulted in some pretty major hurt feelings for esteemed connoisseurs, surmising where your biggest security risks lie can have an equally devastating effect, even for total pros.
The bias that comes into play in security is that decisions often aren’t made based on the data; instead they’re made from the heart--and then you search for things that support this decision. But a good security person knows this. They understand that while their experience serves them well, it doesn’t get them all the way there. So, maybe they’ll first check where their gut tells them, but then they’ll also begin digging in other unlikely places.
Tasting notes: Making assumptions can quickly put your organisation at risk. Instead, consider all of the evidence--not just the pieces you’ve experienced--before making any conclusions.
2. Use everything you can when analysing the data
If the black-glass wine tastings proved anything, it’s that seeing is a crucial first step in accurately determining what’s actually in the glass. Without the ability to look at the wine, the sommelier has zero chance of detecting nuances in colour, clarity, or density. When there’s no visibility, the other senses then have a harder time accurately guessing the wine because there’s now a disconnect.
The same is true when protecting your network; you must first have total visibility in order for the rest of your tools to work effectively, while also recognising that no singular tool will solve the entire problem. Relying exclusively on your firewall, antivirus or SIEM is a surefire way to come up short because these tools often miss the things that are happening in between. To make the best possible choice, you need to use everything at your disposal, including network detection and response, to ensure that the information is as complete as possible.
Tasting notes: Without a comprehensive solution, you’re only scratching--or sniffing, if you will--the surface.
3. Always keep an open mind
Even a master sommelier can miss the mark if she’s quick to judge what she sees. It’s common to associate the colour of a wine with certain tasting notes, be it red (bold, velvety, earthy) or white (crisp, buttery, flowery). Like it or not, there’s an entire flavour profile--from bouquet to finish--that’s already being mostly pre-determined in our minds from the moment we see the colour. Something similar happens to our brains in network security when we’re accustomed to spotting threats in the same places. These common problem areas should still be assessed, but making them the sole focus can mean overlooking other danger zones. In order to decrease security risks and avoid costly network problems, you must keep an open mind to what the data actually shows versus what you’ve been conditioned to expect, along with the next logical steps that should be considered.
Of course, this doesn’t mean leaving your years of experience at the door, but instead injecting some variety or chance into your discovery process, to see what else you may discover. When you do this, you’re more likely to catch a threat that was right there, where you least expected it.
Tasting notes: Relying on historical results will inevitably bias you; learn to look at the data from all angles.
4. Leave your judgements at the door
It’s been said that the more training a wine connoisseur has, the more mistakes they’re likely to make. These are words to live by—and not just when drinking wine. Just as sommeliers are easily influenced by the colour of the wine in their glass, security professionals are influenced by what they see day in and day out on their network, and then use that information to determine the risk level of the potential threat. As wine writer Jancis Robinson notes in her memoir, “Tasting Pleasure”, younger, less experienced tasters have a better shot at identifying a wine during a blind tasting because their memories are less clogged by years of judging many different wines. But it really doesn’t matter how sharp your judgment is or isn’t--you still need holistic solutions that allow you to see everything that’s happening on your network.
Tasting notes: Your perceptions are personal and they do influence your conclusions. To truly see what’s in front of you, step outside of your bubble.
5. Don’t be fooled by what you see
New vineyards pop up all the time and many domestic wineries--especially those in colder climates--rely on imported grapes to achieve their desired results. While these methods often make for a palatable pour, they’re not exactly authentic (not that you’ll care much after a full glass or three). A preferred tactic of a threat actor works similarly; by misusing what are mostly benign tools, threat actors can hide in plain sight. NetOps and SecOps professionals must be careful, as a small ‘blip’ of something that is normally benign may be suspicious activity, even when it looks identical. When you’re looking at the data that you’re analysing, you must combine your tools, your knowledge, and your experience to discern a genuine threat from authentic activity.
Tasting notes: The best security teams look for threats not just where they’ve previously occurred, but in unlikely places, too.
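One concrete way to catch the ‘small blip’ of a normally benign tool described above is to baseline which tools each host actually runs and then flag the first time a tool that is common elsewhere in the fleet shows up on a host that has never used it. The script below is an added illustration written for this article, not code from the post or from Gigamon; the hosts, process names and process-start events in it are constructed sample data, and the three-day learning window is an assumed parameter.

```python
"""Flag first-seen use of a normally benign tool on a host.

Added example with constructed data: a minimal baseline-and-compare check
over process-start events. A tool that is routine on one class of host
(an admin workstation) is treated as a blip when it first appears on a
host that has never run it, even though the tool itself is benign.
"""
from collections import defaultdict

# Constructed sample events: (day, host, process).
# Days 1-3 form the learning window (assumed); day 4 is the day under review.
EVENTS = [
    (1, "ws-01", "powershell.exe"),
    (1, "ws-02", "excel.exe"),
    (2, "ws-01", "powershell.exe"),
    (2, "ws-02", "outlook.exe"),
    (3, "admin-01", "psexec.exe"),
    (3, "ws-01", "certutil.exe"),
    (4, "ws-02", "psexec.exe"),      # admin tool appearing on a user workstation
    (4, "ws-01", "powershell.exe"),  # routine for this host
    (4, "ws-02", "excel.exe"),       # routine for this host
    (4, "admin-01", "psexec.exe"),   # routine for this host
]


def build_baseline(events, window_end):
    """Map host -> set of processes seen on that host during days <= window_end."""
    baseline = defaultdict(set)
    for day, host, proc in events:
        if day <= window_end:
            baseline[host].add(proc)
    return baseline


def fleet_prevalence(baseline):
    """Map process -> number of distinct hosts that ran it in the baseline."""
    counts = defaultdict(int)
    for procs in baseline.values():
        for proc in procs:
            counts[proc] += 1
    return counts


def find_blips(events, window_end):
    """Return (host, process, reason) tuples for review-period events whose
    process has never run on that host. The reason distinguishes a tool that
    is known elsewhere in the fleet (benign-looking, worth a closer look) from
    one never seen anywhere."""
    baseline = build_baseline(events, window_end)
    prevalence = fleet_prevalence(baseline)
    blips = []
    for day, host, proc in events:
        if day <= window_end:
            continue                      # learning window, not under review
        if proc in baseline[host]:
            continue                      # normal for this host
        if prevalence[proc] > 0:
            reason = f"known fleet tool ({prevalence[proc]} host(s)) first seen on {host}"
        else:
            reason = "tool never seen anywhere in the fleet"
        blips.append((host, proc, reason))
    return blips


if __name__ == "__main__":
    for blip in find_blips(EVENTS, window_end=3):
        print(blip)
```

With the constructed data, only the day-4 `psexec.exe` start on `ws-02` is reported; the identical-looking `psexec.exe` start on `admin-01` is silent because that host runs it routinely. The point is the one the section makes: the event is benign or suspicious depending on where it appears, so the host-level baseline, not the tool name, is what carries the signal. In practice the baseline would come from a longer window and a real telemetry source, and a blip is a lead for an analyst, not a verdict.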
Absolute certainty is, without a doubt, an absolutely terrible approach to both wine tasting and network security. Rather than relying solely on years of training and experience, make sure you’ve got a network visibility solution that brings your blind spots to the surface, and then step out of your comfort zone when assessing the information. Use every tool at your disposal to ensure that you have all of the information you need in order to get the full story, because the story changes dramatically based on the volume of information you’ve gleaned.
Karl Van den Bergh, Chief Marketing Officer, Gigamon