Today's Approach to Security is Broken

Over the last month I've attended four international events that have had a focus on security. And there's one data point that ought to have every CSO, CISO and CIO out there worried. Despite more money than ever being spent on security – and the amount is increasing – the amount of money being lost as a result of security breaches is rising at an even greater rate.

Look back over the last few months. We've had revelations of massive surveillance by the NSA through the information obtained and disseminated by Edward Snowden. Later in the year, we were shocked at the Thanksgiving Day breaches that hit Target, Neiman Marcus and others resulting in over 100 million customer records being lost.

By the time the RSA Conference started in February, bringing together security experts from around the world, we learned that Apple's SSL software was not only flawed but had most likely been open for around six months, making millions of people susceptible to man-in-the-middle attacks.

This month, it was Heartbleed – another SSL flaw that is incredibly widespread and will take months, perhaps years, before all the compromised systems are fixed. There are even rumours that this flaw – which was in the world for two years before it was detected – was being used by agencies to monitor user activity.

Why the history lesson? Albert Einstein said insanity was "doing the same thing over and over again and expecting different results".

For the last twenty years we have been doing the same things. But over the last few years, the world has changed. We are no longer combatting digital vandals and disgruntled individuals. The cybercrime business is exactly that – a business.

The gangs involved in cybercrime are coordinated. They have markets where information, such as exploits and personal data, is exchanged for a fee. There are job boards and career paths for the people involved. Despite the illegality of all this, it is seen by many as a legitimate career option in some parts of the world.

Contrast this with the reactions of most of the world. Most of the effort goes to identifying potential threats and then buying point solutions to address the threats. The different providers of those solutions rarely, if ever, collaborate. There's still a focus on signature-based solutions although that is slowly changing.

In the past, our approach has been similar to how the military fought border attacks. They'd create a barrier and then, when there was an incursion, they'd deploy troops to catch the invaders and repair and reinforce the breach point.

But what we've seen over recent years is that the borders we've sought to build no longer exist. For IT professionals the advent of increased mobility and BYOD has changed the boundaries. Virtualisation has resulted in the proliferation of systems so that applications now span dozens of servers rather than a single processor instance. Critical systems are no longer in data centres but distributed all over the world through third parties delivering cloud services.

We rely on encryption for our storage and communications. End point protection is problematic because of the proliferation of different devices, each with its own operating system and different risk profile.

In other words, we are no longer fighting a border war. We are fighting insurgents who are hiding in tunnels and crossing our borders through areas we didn't even know were accessible. They are attacking end points – civilians, if you want to take the military analogy a little further – that we never had to protect, from vulnerabilities we never knew existed.

What can you do?

If you're a CSO or CISO then you need to start thinking like an insurer or banker rather than a military strategist.

You can no longer defeat the insurgents by fighting them one at a time. Point solutions, regardless of their individual efficacy, are no longer a valid strategy. That's not to say they aren’t necessary. But they are only part of a strategy. Security cannot be bought in a box.

Businesses that understand security in the modern context know that they need to break the cycle. We know that throwing more money at security doesn't work – the number of significant breaches and losses tells us that. Breaking the cycle means taking a risk-based approach.

Security is not an additional component in your systems design. It needs to be foundational. That means, in many cases, rebuilding existing systems not to address existing security concerns but to better manage the inevitable security issues.

The flaw now known as Heartbleed was in a trusted piece of software. Although it was flawed, OpenSSL is also a model for how security can work: a single shared codebase used universally in applications requiring security. However, it would require the software industry to cooperate and collaborate. It would mean companies accepting shared responsibility for a secure codebase that ensures data and credentials are securely stored and transmitted.


The age of passwords has to be declared over. We need better ways to identify individuals and to manage their access to systems. Biometrics, once considered a possible silver bullet, is no longer viable. Fingerprint scanners have been hacked and facial recognition is flawed.

That means a new way of managing identity and permissions needs to be built into the fabric of our systems.

Operating systems – from server to end-point – need to be re-architected. Microsoft made huge leaps and bounds when they launched their Trustworthy Computing initiative in 2002. At the time, Windows was a significant threat surface. But they realigned their efforts and arrested the rot. It proves that it is possible to re-architect systems to make them more secure.

It also means more effort and planning needs to be made in dealing with breaches. Monitoring what happens inside systems needs to be prioritised so that unexpected activities are detected. This is the crux of the emerging threat intelligence field and we are only at the start of that journey.

All of this is going to be hard. And it's going to be expensive. But doing what we are doing today is not working. Repeating the same actions and expecting different outcomes isn’t just insane. It will ultimately cost us even more as the bad guys continue to exploit weaknesses and the gap between what we spend and what we lose continues to widen.

Stories by Anthony Caruana