This article was going to be a report on a session from the recent Technology in Government conference held in Canberra. The title of the session promised a great deal – “The Next Five Years of Security Threats”. And the synopsis suggested we’d hear about what opportunities disruptive technologies will provide hackers, best practice for mitigating emerging threats and whether governments can share data securely.
However, the session highlighted something that’s been patently clear to anyone trying to impartially cover what’s been happening in the security business.
When the rubber hits the road, many security vendors and other so-called experts fall back on the familiar methods we’ve employed for almost two decades, which no longer work.
The three panelists were Nathan Steiner, Head of Systems Engineering ANZ for Veeam Software, Rob Sherwood, Chief Technology Officer at Big Switch Networks, and Rupert Taylor-Price, Chief Executive Officer of Vault Systems.
Each panelist was given a few minutes to address the audience of about 50 during the event’s Secure Government stream.
Taylor-Price opened the discussion noting “If you have good hygiene around your organisation or your agency, it is very hard for attackers who will then choose easier targets”.
He added that an adversary with lots of money could compromise you regardless of your defences.
Importantly, Taylor-Price mentioned that internal threats must be considered whether they come from intentional actions or through accidental security breaches.
But after his five minutes or so, Taylor-Price didn’t address the topic of the next five years of threats other than to say it’s very hard to detect threats.
Still, there were two more speakers and I remained hopeful of hearing something new.
Sherwood received the microphone from Taylor-Price and opened with “The biggest barrier to security is network complexity. You can have all the data you want but if you don’t understand what your systems are doing then it’s very hard to make sense of that data”.
He then went on to tell the room about what his company does to overcome that problem. But nothing about the next five years of threats.
The third speaker, Steiner from Veeam Software, told the room his company attacked the problem from a data management and data protection perspective. The good news is that he mentioned looking at how this could be used over the next five years. But he then fell back to a similar line to Sherwood, talking about knowing how systems work and how they use data.
It would be easy to pick on the three speakers and the moderator of the discussion, the CEO of Internet Australia Laurie Patton. But having attended dozens of security events and spoken to many experts over the last few years, it’s clear to me the security industry is locked into a reactive mindset.
We see a threat and issue a remedy for it.
A couple of weeks ago, researchers released tools for circumventing the effects of ransomware attacks. Don’t get me wrong – this is a good thing.
But where’s the research that actually stops ransomware from working? Or stops it from even getting to the computer?
During the 2014 RSA Conference in San Francisco, the idea of threat intelligence – putting together data feeds so we can predict or stifle cyberattacks before they cause damage – received a lot of attention.
But a look at how it’s being applied today sees the effort mainly focussed on detecting attacks after they have occurred in order to mitigate damage. The SIEM industry, as important as it is, is predicated on something anomalous already being inside the network.
We are still no closer to stopping attacks from reaching the perimeter, much less preventing breaches. We need to move from the “You’re hacked – get over it” mindset into a long-term posture.
This session was meant to address “The Next Five Years of Security Threats”. It didn’t. Even when I asked the panel for some pointers to what was coming in the future, they were unable to effectively answer.
It would be easy to point the finger at the three panellists and the moderator. But their inability to see beyond today’s problems and challenges is endemic to the security industry. The ability to see beyond the now is something that the industry is sorely lacking at the moment.