{"id":1510,"date":"2025-01-14T16:41:11","date_gmt":"2025-01-14T16:41:11","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1510"},"modified":"2025-01-14T16:41:11","modified_gmt":"2025-01-14T16:41:11","slug":"beware-cybersecurity-tech-thats-past-its-prime-5-areas-to-check-or-retire","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1510","title":{"rendered":"Beware cybersecurity tech that\u2019s past its prime \u2014 5 areas to check or retire"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Cybersecurity leaders can choose from an ever-expanding list of digital tools to help them ward off attacks and, based on market projections, they\u2019re implementing plenty of those options.<\/p>\n<p>Gartner <a href=\"https:\/\/www.gartner.com\/en\/newsroom\/press-releases\/2024-08-28-gartner-forecasts-global-information-security-spending-to-grow-15-percent-in-2025\">predicts a 15% increase in cybersecurity spending<\/a> for 2025, with global expenditures expected to reach $212 billion in the upcoming year. 
The research and consulting firm says spending on security software alone will jump 15.1% from 2024 to 2025, rising to nearly $100.7 billion from $87.5 billion.<\/p>\n<p>Although the purchase of new-to-market capabilities \u2014 such as those enabled by <a href=\"https:\/\/www.csoonline.com\/uk\/generative-ai\/\">generative AI<\/a> \u2014 drives a good part of that spending, CISOs say their need to upgrade from outdated tech also fuels a chunk of their planned tech purchases.<\/p>\n<p>In fact, interviews with multiple CISOs reveal that they see some longstanding cybersecurity tech as ready for replacement.<\/p>\n<p>For example, David Ulloa, CISO with US drayage firm IMC Companies, keeps a list of tech that CISOs should retire, citing signature-based antivirus, basic intrusion detection systems, outdated encryption protocols, legacy VPNs, basic endpoint protection, password-based authentication, and some firewalls.<\/p>\n<p>Here, he and other security leaders identify some major security tools (and related practices) they see as being past their prime:<\/p>\n<h2 class=\"wp-block-heading\">1. Password-based security controls<\/h2>\n<p>\u201cI think passwords are out. I think passwords are done, especially [using them] with third parties,\u201d says Richard Marcus, CISO at software maker AuditBoard. 
\u201cYou don\u2019t want to give a credential to a third party that can be breached and then used against you; so, unless you\u2019re really disciplined about rotating those credentials, the risk is too high.\u201d<\/p>\n<p>Marcus isn\u2019t the only one to call out passwords as problematic: The Ponemon Institute, in its 2023 Cost of a Data Breach Report, found that 50% of all breaches could be attributed to stolen or weak passwords.<\/p>\n<p>Marcus says in 2024 he started moving his company away from the use of password-enabled security controls and toward greater use of dynamic authentication.<\/p>\n<p>\u201cWhen we select vendors, we tell them we\u2019re not going to issue a password or even a token or a key, those are all examples of static authenticators,\u201d he says. \u201cBut we\u2019re also realistic, so if there is a product we need that requires passwords, then we require passwords to be rotated frequently. For us, the use of static credentials has become the exception, not the rule.\u201d<\/p>\n<h2 class=\"wp-block-heading\">2. Mandatory scheduled penetration testing<\/h2>\n<p>Although it is not a specific security tool, mandatory scheduled pen testing is cited by some as an outdated strategy.<\/p>\n<p>Attila Torok, CISO at tech company GoTo, for one, believes those once- or twice-a-year penetration tests done to satisfy regulatory or vendor requirements don\u2019t effectively evaluate an organization\u2019s true security posture. Rather, he says they capture only a snapshot of the environment\u2019s security at one date in time.<\/p>\n<p>\u201cOur environment is changing all the time. We change our code multiple times a day, so having [pen testing] once a year is nothing [much of value], and it\u2019s really expensive,\u201d he says.<\/p>\n<p>Torok doesn\u2019t completely discount pen testing overall, though. 
In fact, he says his security department has an offensive team that regularly tests the environment for vulnerabilities, explaining that he believes that kind of dynamic approach to pen testing is more effective for ever-changing environments.<\/p>\n<p>He also has a <a href=\"https:\/\/www.csoonline.com\/article\/3619804\/bug-bounty-programs-can-deliver-significant-benefits-but-only-if-youre-ready.html\">bug bounty<\/a> program, which he believes is more effective than semi-annual or even quarterly scheduled pen tests. \u201cWith pen tests, the company gets paid no matter what they find but for a bug bounty program, they have to find something meaningful to be paid, so they\u2019re more incentivized [to find vulnerabilities],\u201d Torok adds.<\/p>\n<h2 class=\"wp-block-heading\">3. VPNs<\/h2>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3540308\/beware-the-risks-of-vulnerable-vpns-update-maintain-monitor-and-protect.html\">Virtual private networks<\/a> are another security tool that some CISOs say has limited value today.<\/p>\n<p>\u201cVPNs are valuable, but they are valuable only in certain contexts,\u201d says Pablo Ballarin, who as co-founder of BALUSIAN, S.L. works as a CISO, cybersecurity adviser and ethical AI consultant. \u201cThey\u2019re valuable if you have many workers in your organization who have their own laptops and have no other means to securely access internal services. But there are other solutions that make more sense.\u201d<\/p>\n<p>Research has found that VPNs can be a conduit of attacks. For instance, the \u201c<a href=\"https:\/\/www.cybersecurity-insiders.com\/zcaler-threatlabz-2024-vpn-risk-report\/\">Cybersecurity Insiders 2024 VPN Risk Report<\/a>\u201d found that 56% of enterprises had experienced over the course of the previous year at least one cyberattack that targeted unpatched VPN vulnerabilities. 
The report also found that 91% of the 647 IT and security experts it surveyed \u201cexpressed concerns about VPNs compromising their IT security environment, with recent breaches illustrating the risks of maintaining outdated or unpatched VPN infrastructures.\u201d<\/p>\n<p>Ballarin says it\u2019s not so much that the VPN is worthless but that the days when security could rely on it to a significant degree are over. \u201cIt\u2019s more that you have to implement complementary solutions to the existing ones,\u201d he adds.<\/p>\n<p>Ballarin and others recommend defense in depth, saying organizations must have multifactor authentication, certificate-based authentication and a <a href=\"https:\/\/www.csoonline.com\/article\/564201\/what-is-zero-trust-a-model-for-more-effective-security.html\">zero-trust<\/a> strategy in place of or in addition to VPNs (which some still need for accessing legacy apps).<\/p>\n<h2 class=\"wp-block-heading\">4. On-prem SIEMs<\/h2>\n<p>A security information and event management (SIEM) system, which is tasked with recognizing and addressing potential security threats and vulnerabilities before they cause problems, is a foundational security tech.<\/p>\n<p>But George Gerchow, faculty at IANS Research as well as interim CISO and Head of Trust at MongoDB, said on-prem SIEMs have got to go.<\/p>\n<p>He says they have too many alerts \u2014 driving up alert fatigue instead of helping to alleviate it. And they\u2019re not cloud aware, he says, which forces organizations to either move and store vast amounts of data (at an expense) or forgo using all of the data needed to ensure security of cloud deployments.<\/p>\n<p>\u201cIf I have to pay an exorbitant amount of money for logs, then I\u2019m picking and choosing which ones mean the most and taking a big gamble with security,\u201d he explains. 
\u201cI might not have the right logs when an incident hits, and I might not have those logs because of the costs.\u201d<\/p>\n<p>Gerchow acknowledges that many companies keep on-prem SIEMs because they don\u2019t want to put sensitive log data in the cloud, but he says he still thinks the time for on-prem SIEMs has passed.<\/p>\n<h2 class=\"wp-block-heading\">5. Conventional firewalls<\/h2>\n<p>The firewall is one of the earliest cybersecurity technologies out there, dating back to the 1980s. The first versions were packet filters embedded in routers meant to stop traffic based on predefined rules typically centered around source and destination IP addresses, port numbers and the protocols used.<\/p>\n<p>The firewall, of course, has evolved since then. While some versions are equipped for today\u2019s complex digital environment, CISOs say simple firewalls and outdated web application firewalls (WAFs) aren\u2019t up to the task anymore.<\/p>\n<p>\u201cFirewalls aren\u2019t going away, but it\u2019s the end of the traditional hardware asset. You still need a firewall but there\u2019s a movement away from a heavy-duty hardware asset to digital,\u201d says Stephanie Hagopian, who, as vice president of physical and cybersecurity solutions at tech sales and advisory firm CDW, leads a team of consultants advising CISOs.<\/p>\n<p>Hagopian says CISOs typically upgrade to more modern firewalls as part of their refresh cycles when they shed legacy and on-prem hardware for cloud and other modern digital tech. \u201cIt\u2019s not just flip-the-switch,\u201d she adds. \u201cYou have to configure the new firewall and get out the old hardware, and the team has to learn to manage the new technology. 
It\u2019s an effort for an organization, but as hardware is refreshed, it\u2019s forcing them to make that change.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Cybersecurity leaders can choose from an ever-expanding list of digital tools to help them ward off attacks and, based on market projections, they\u2019re implementing plenty of those options. Gartner predicts a 15% increase in cybersecurity spending for 2025, with global expenditures expected to reach $212 billion in the upcoming year. The research and consulting firm [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1511,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1510","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1510"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1510"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1510\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1511"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1510"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1510"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_rout
e=%2Fwp%2Fv2%2Ftags&post=1510"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}