What happens when spending increases 24% but the problem that spending was supposed to solve increases 38%? Usually, someone gets fired.
As an industry, cyber-security is failing.
My favorite conference keynote quote of all time comes from Art Coviello, now retired Chairman and CEO of RSA: “The security industry ‘state of the union’ is precarious and it’s not a pretty picture.” That was two years ago, and it was as upbeat as he got.
Even though analysts project that industry spending on cyber-security will more than double by 2020, breaches continue to outpace the investment, and pure-play solution companies are being gobbled up by the big players or left by the roadside to die.
A single illustrative example is the recent news that Symantec’s core antivirus engine is, well, bogus. Multiple critical vulnerabilities in it were disclosed just last month, many of them requiring no user interaction at all: the engine parses every file it scans, so a crafted attachment or download is enough to trigger them. On Windows that parsing runs inside the kernel, which means a malformed file could hand an attacker kernel-level code execution, as a direct result of the Symantec protection itself.
And because Symantec uses the same core engine across its entire product line, all Symantec- and Norton-branded antivirus products were (and, until patched, are) affected by these vulnerabilities. Many of these products cannot be updated automatically, so once again it falls to hapless systems administrators to manage a patching nightmare just to keep the leading anti-virus protectors from being compromised themselves. Ouch.
OVER THE LAST 3 MONTHS IN THE U.S. WE HAVE HAD 622 BREACHES RESULTING IN 27,639,088 RECORDS STOLEN.
AND THOSE ARE JUST THE ONES REPORTED.
It is way past time that we accept the fact that intrusions into our corporate networks are now an inevitable part of everyday business, just like payroll taxes, legal contracts, liability insurance and regulatory compliance. There is no longer any point in pretending that this stuff will never happen to you or only happens to large, complex businesses with really valuable assets. It happens to everybody.
The statistics above include Burke Mountain Resort in Vermont, 4 Depts. of Fish and Game, Orleans Medical Center, Social Blade, University of New Mexico, Factory RV Surplus, Eddie Bauer, Autism Home Support Services, John Gonzalez Dentist Office, Seven-Elevens, Internet Chess Club, DNC, NSA, Kimpton Hotels, and USA Field Hockey.
Factory RV Surplus??? Yep.
You get the idea.
Our traditional approach to security has failed. Network perimeters have become porous to the point of uselessness, threat actors are smarter, faster and better than ever, and the rush to market with new products has created a technological innovation hockey stick that challenges all of our conventional security defenses.
Our focus should be on the network and on the pathways we ourselves have opened into it. Our compulsion to accommodate BYOD has expanded the attack surface and produced a dramatic increase in self-inflicted risk. We are literally asking to be hacked. It’s like a pitcher serving up his best fastball and challenging the hitter. Here, buddy, hit this one!
Industry surveys routinely name mobile devices (smartphones and tablets) as IT security’s weakest link and report that over 60% of companies saw an increase in mobile threats over the past year; the figure that 95% of reported 2015 breaches involved a hacked mobile device circulates just as widely. Treat that last number with care: the Verizon 2015 Data Breach Investigations Report itself found mobile devices to be a negligible vector in the breaches it analyzed, with only a tiny fraction of phones infected by anything worse than adware in a given week. The expanded attack surface is real even if the headline number is not.
If 88% of information security professionals think that BYOD makes a successful advanced-malware attack more likely, why do we pay them and then ignore their advice?
The common threads in most recent cyber-attacks are a lack of knowledge about what is actually in our computing environments, how many endpoints sit on our IT infrastructure, and an inability to detect and identify vulnerabilities and intruders.
If we can rise above our state of denial and accept that we will be hacked, we will have to shift our thinking about cyber-security defense: from a protect-and-defend mindset to a detect-and-respond mindset. Otherwise, even a cyber-security program begun in earnest will never get ahead of the breach it is meant to prevent.
Prevention-based technologies were designed for the Pleistocene era (pre-2012), when networks were less complex and delivered minimal functionality, endpoints were desktops and workstations, and networks existed simply to transport packets. Anti-virus programs are relics of this era. They still catch commodity malware, but anything targeted is tested against them before it ships, so they cannot be the centerpiece of a modern cyber-security scheme. Bad guys see them, chuckle and then blow them off.
So long as we continue to ignore the threat or pretend it doesn’t exist and then follow that up with our grandparents’ thinking, we will be doomed to continue on the present course. A course that is guaranteed to lead to more failures, more breaches and an imploding cyber-security industry.
But there are solutions. The industry has moved toward detection systems that are genuinely capable: they turn telemetry from the network and the endpoints into hypotheses, test those hypotheses against what the environment normally does, and use behavioral analytics to detect and isolate anomalous activity, whether user-driven or on the network itself.
The trick now is to adopt these solutions, build a cyber-security team to sort through the false positives, decide which incidents are real threats and which are merely suspicious, and deal with each accordingly. This is easier than it might appear. If you can’t or won’t build it yourself, outsource it. But you have to commit. If not, branch back to the paragraph about guaranteed failures, breaches and implosions.
If you do commit, we begin to vector toward a place in the not-too-distant future where we can actually get out in front of the bad guys and start picking them off while they are still in attack mode, before they breach the walls and run amok across our networks and into the hearts of our CEOs.
As a community, we have a responsibility to push the agenda and to encourage ourselves and our customers to tell the truth: not just about risk and probabilities, but also about the efficacy of security products that are no longer useful and can in fact be detrimental to mounting an effective cyber-security defense.
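To make the detect-and-respond loop concrete, here is an added example (my own illustration, not code from any vendor product or from the original post) of the two things the paragraphs above ask for: knowing which endpoints you actually own, and scoring what each endpoint does against its own behavioral baseline before a human triages the result. The telemetry, the asset inventory and the two thresholds are all constructed assumptions for the demonstration; a real deployment would derive the baseline from weeks of data and tune the thresholds against its own false-positive rate.

```python
"""Baseline-and-score anomaly detection over endpoint network telemetry.

Flow:
  1. parse a log of outbound connections (host -> destination)
  2. build a per-host behavioural baseline from a known-good window
  3. score a new window against that baseline and the asset inventory
  4. triage each host into normal / suspicious / alert for the SOC queue
"""
from collections import defaultdict
from statistics import mean

# Constructed sample telemetry (not real data): "timestamp host dst_ip dst_port bytes"
BASELINE_LOG = """\
2016-07-01T09:00:01 ws01 10.0.0.5 443 1200
2016-07-01T09:00:05 ws01 10.0.0.5 443 900
2016-07-01T09:01:10 ws01 10.0.0.9 80 1500
2016-07-01T09:02:00 ws02 10.0.0.5 443 1100
2016-07-01T09:02:30 ws02 10.0.0.9 80 1300
2016-07-01T09:03:00 db01 10.0.0.20 5432 4000
2016-07-01T09:03:10 db01 10.0.0.20 5432 3800
"""

NEW_LOG = """\
2016-07-02T09:00:03 ws01 10.0.0.5 443 1000
2016-07-02T09:00:40 ws01 10.0.0.9 80 1400
2016-07-02T09:01:00 ws02 203.0.113.7 443 250000
2016-07-02T09:01:05 ws02 203.0.113.7 443 300000
2016-07-02T09:01:20 ws02 198.51.100.3 22 180000
2016-07-02T09:02:00 db01 10.0.0.20 5432 4100
2016-07-02T09:02:10 db01 10.0.0.31 445 2000
2016-07-02T09:03:00 ws99 10.0.0.20 5432 500
"""

# Assumed asset inventory (constructed): the hosts we know we own.
KNOWN_ASSETS = {"ws01", "ws02", "db01"}

# Assumed thresholds for the demonstration; tune against your own false-positive rate.
NEW_DST_FRACTION = 0.5   # at least half of a host's connections go somewhere it never went before
BYTES_SPIKE_RATIO = 5.0  # mean bytes per connection is at least 5x the baseline mean


def parse_log(text):
    """Turn whitespace-separated log lines into event dicts; skip blanks and comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, dst_ip, dst_port, nbytes = line.split()
        events.append({"ts": ts, "host": host, "dst": f"{dst_ip}:{dst_port}", "bytes": int(nbytes)})
    return events


def build_baseline(events):
    """Per host: the set of destinations seen and the mean bytes per connection."""
    dsts = defaultdict(set)
    sizes = defaultdict(list)
    for e in events:
        dsts[e["host"]].add(e["dst"])
        sizes[e["host"]].append(e["bytes"])
    return {h: {"dsts": dsts[h], "mean_bytes": mean(sizes[h])} for h in dsts}


def score_window(events, baseline, inventory):
    """Return {host: [reason, ...]} for the new window; an empty list means nothing odd."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    findings = {}
    for host, evs in by_host.items():
        reasons = []
        if host not in inventory:
            reasons.append("unknown asset: host not in inventory")
        base = baseline.get(host)
        if base is None:
            reasons.append("no behavioural baseline for host")
        else:
            new_dsts = {e["dst"] for e in evs} - base["dsts"]
            frac_new = sum(e["dst"] in new_dsts for e in evs) / len(evs)
            if frac_new >= NEW_DST_FRACTION:
                reasons.append(f"{frac_new:.0%} of connections to never-seen destinations: {sorted(new_dsts)}")
            ratio = mean(e["bytes"] for e in evs) / base["mean_bytes"]
            if ratio >= BYTES_SPIKE_RATIO:
                reasons.append(f"bytes per connection {ratio:.0f}x baseline")
        findings[host] = reasons
    return findings


def triage(findings):
    """Queue state per host: two or more reasons, or an unknown asset, is an alert."""
    result = {}
    for host, reasons in findings.items():
        if not reasons:
            result[host] = "normal"
        elif len(reasons) >= 2 or any(r.startswith("unknown asset") for r in reasons):
            result[host] = "alert"
        else:
            result[host] = "suspicious"
    return result


def run(baseline_log=BASELINE_LOG, new_log=NEW_LOG, inventory=KNOWN_ASSETS):
    """Run the whole pipeline and return (findings, verdicts)."""
    baseline = build_baseline(parse_log(baseline_log))
    findings = score_window(parse_log(new_log), baseline, inventory)
    return findings, triage(findings)


if __name__ == "__main__":
    findings, verdicts = run()
    for host in sorted(verdicts):
        print(f"{host}: {verdicts[host]}")
        for r in findings[host]:
            print(f"    - {r}")
```

On the constructed data, ws01 behaves as it always has and stays quiet; db01 opens one connection to a share it has never touched and lands in the "suspicious" bucket for an analyst to look at; ws02 suddenly ships hundreds of kilobytes per connection to two addresses it has never spoken to, which is the exfiltration pattern a detect-and-respond team should be paged for; and ws99, which is not in the inventory at all, is an alert before any behavior is even considered. That last case is the point of line one in the common-threads list above: you cannot baseline a machine you do not know you have.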
If we don’t succeed, we must own the outcome. It’s on all of us.