Is security really stuck in the Dark Ages?
- 23 May, 2015 00:33
It had to be a bit of a jolt for more than 500 exhibitors and thousands of attendees at RSA Conference 2015 last month, all pushing, promoting and inspecting the latest and greatest in digital security technology: The theme of RSA President Amit Yoran's opening keynote was that they are all stuck in the Dark Ages.
To make the point "visually," Yoran even spent his first minute or so on stage speaking in pitch darkness, "stumbling around", backed by the sound of an ominous, moaning wind.
This, he insisted, was an apt metaphor, "for anyone trying to protect and defend a digital infrastructure today. Every alert that pops up is like a bump in the night," he said. "Often we don't have enough context to realize which ones really matter and which ones we can ignore."
It is easy to make the case statistically. The Identity Theft Resource Center reported in January that there were 738 data breaches in 2014, up 25% from the prior year.
Or, as Yoran put it, 2014 was, "yet another year of the breach. Or, have we agreed to call it the year of the mega breach? That might connote that things are getting worse, not better," he said, adding sardonically that 2015 is likely to become, "the year of the super-mega breach. At this pace we are soon going to run out of adjectives."
That, he contended, is because the defensive mindset of Internet security today is "fundamentally broken ... (and) very much mimics the Dark Ages. We're simply building taller castle walls and digging deeper moats."
All of which may have sounded a bit insulting to hundreds of vendors and experts who have been saying for years that "the perimeter is dead." Or, that, "it's not a question of if you've been breached, but when." Or, that intruders are quite likely inside your organisation right now, and that a stronger perimeter will do nothing to eliminate them.
Indeed, many of them were there promoting solutions to detect and respond to insider threats.
But Yoran insisted that the rhetoric is not matched by actions. "We say we know the perimeter is dead, we say we know the adversary is on the inside, but we aren't changing how we operate," he said.
In an email interview this week, Yoran acknowledged that the industry is beginning to move in the direction of monitoring and response, but said, "today's reality" is that, "by every measure, a vast, supermajority of security expenditures focus on prevention."
Citing his military training at West Point, he said in his keynote that the security industry is trying to use "maps" that no longer apply to the current threat landscape.
The result, he said, is that attackers, "are winning by every possible measure."
His colleagues in the industry may not agree with all of that, but most think he got the essentials right. Chief strategy officer at Bricata, John Pirc, said he "totally agrees" that the perimeter mindset is still too prevalent. "Security needs to move deeper within the network. The need is for visibility in the data center rather than on premise or the cloud," he said.
Anton Chuvakin, research director, security and risk management at Gartner for Technical Professionals, is another. "Sadly, he is mostly correct regarding many companies that are still in the 'prevent the attack,' or 'don't let them in' mentality," he said, even though the, "more mature and enlightened have known for years, if not decades, that the attackers will occasionally break in and that you will need to be prepared."
Chuvakin said virtually every security pro has been, "taught the prevention/detection/response mantra, but at many places the spend is mostly on prevention, and preventative technology gets the attention."
Muddu Sudhakar, CEO of Caspida, said he agrees that adversaries are winning, noting that, "the FBI Cyber Division head commented last week that while they used to learn about a large-scale breach every two to three weeks, it is now every two to three days."
But he said context is important. "The bad guys only have to succeed once, while defending data has to succeed 100% of the time," he said.
Rob Kraus, director of security research and strategy at Solutionary, also said context matters. He said simply declaring that the "good guys" are losing neglects the ebb and flow of the battle.
"As advances are made by the good guys, the enemy will re-evaluate and re-deploy capabilities in a way that can circumvent their attack or defensive postures. The challenge with the cyberworld focus is that the battle moves much more quickly, and is even more multi-dimensional."
But he agrees with Yoran that there is still too much reliance on defending perimeters. "Many organizations are still locked into the concept that the castle walls will protect the bad guys from getting in," he said. "Most are not thinking about those who climbed over or tunneled under those walls.
Ron Gula, CEO of Tenable Network Security, says while he agrees that, "most organizations operate, support customers and do business in the environment Amit describes," it is hard to claim with certainty what the state of security really is.
"It could be much worse than Amit describes, but it could also be much better," he said.
He said breaches, while they are an increasing fact of life, are no longer the most important challenge for the industry. "Hacking data alone isn't getting a huge response from the public," he said. "The next level we are moving to is real cyber warfare or cyber terrorism."
And Gary McGraw, CTO of Cigital, said Yoran was "stating the obvious" when he said the adversaries are winning, but was missing the more important point -- that too many systems don't even have a good perimeter to defend. "Perimeter security only works if you have a perimeter," he said, "and that starts with building things that don't suck. He's got the cart before the horse, and the cart is in a different state."
In his keynote, Yoran said a major reason the security industry needs a new "map" is because, "we can neither secure nor trust the pervasive, complex, and diverse endpoint participants in any large and distributed computing environment, let alone the transports and protocols through which they interact."
His colleagues say that while they agree endpoint protection is a problem, they think a blanket statement like that is overly broad.
"Yes, the PC endpoint is lost indeed," Chuvakin said "But strangely enough, a mobile endpoint is a bright area -- despite all the whining about Android malware, iOS and Android are relatively unscathed."
And Gula said it doesn't apply to all business sectors. "Manufacturer of ATMs who run their own network, write their own code, etc., would completely disagree," he said. "ISPs that carry their customer's data would disagree as well."
There were also mixed views on Yoran's five recommendations (see sidebar) for the industry to "reprogram itself for success." Two of them are to, "stop believing that advanced protections work," and to, "adopt a deep and pervasive level of visibility everywhere, from the endpoint, to the network to the cloud -- what SIEM (Security Information and Event Management) isn't, but was meant to be."
Chuvakin said that just because something is not 100% effective doesn't mean it doesn't work.
"Try this for size," he said. "A bulletproof vest does not work, since you can be shot in the head or burned or shot with an armor piercing bullet. Nobody thinks like that."
But he and others agree with the need for more visibility. Pirc said that, "what you can't see will in fact hurt you in the long run," he said. "That's why you need visibility throughout your entire infrastructure."
Sudhakar notes, however, that saying visibility and achieving it are two different things. "A big part of the problem is that while we have a handle on known threats, we do not have a good handle on unknown or hidden threats," he said.
And McGraw said visibility, while a good thing, doesn't matter that much if systems lack security by design. "You should do that, but build good stuff first," he said, likening it to tracking termites in a house built of wood. "You can spend your time with a whole army tracking termites, or you can change your building material from wood to steel," he said.
But, he said, "the good news is that RSA already has a robust software security approach. It's being run by Eric Baize, and he's doing a great job."
Gula and others say the industry is moving in the right direction, through compliance with regulatory regimes like SOX (Sarbanes-Oxley Act) and PCI DSS (Payment Card Industry Data Security Standard) that, "require least use of privilege, no admin accounts, etc. -- these are directed against insiders. Also, there is a move by many organizations with cloud assets to have centralized authentication, such as single sign-on, which is also a large deterrent and form of detection of insiders," he said.
But they also offered a few additional suggestions for what Yoran said should be the goal -- a new "Age of Enlightenment" in security.
Chuvakin said that good visibility should be supported by, "effective security incident planning."
According to Sudhakar, organizations should be using, "behavioral analytics and machine learning to uncover hidden threats and vulnerabilities."
He added that since IT security people are hard to find and retain, organizations should, "automate to the maximum degree possible so that you can do more with less. Automation can also change the internal dynamic, as IT security staff can become threat hunters instead of being the hunted."
Kraus also said planning is important. In war, he said, "does the U.S. simply give soldiers guns and point them to the battlefield? Or, is it more likely that they train their soldiers and appoint leaders to drive the battle to a successful outcome?"
Overall, as tough as the message was, it was welcome. Yoran said this week that while he had been uncertain about what the response to his keynote would be, "I was actually a bit surprised by seemingly unanimous support from colleagues and even competitors. Many people have come up to me or tweeted since that I said what needed to be said, and that they hoped that the speech served as a catalyst for necessary and significant change in the industry's mindset."