
2015: Year of the super-mega breach

By Kirsten Doyle, ITWeb contributor.
San Francisco, 22 Apr 2015


From the beginning of time, mankind has been afraid of the dark. Evolution has hardwired us to be afraid of it. Without being able to see our surroundings, we don't know if the sounds we hear and the shadows we see are a danger or not.

When trying to defend a digital infrastructure today, we need to know which 'bumps in the night' matter and which we can ignore, says Amit Yoran, RSA president, speaking at the ongoing RSA Conference 2015 in San Francisco.

"We sit at a critical inflection point. Consider this: the technology that we are charged with protecting has accelerated our civilisation to previously unimagined heights. Speed of communication that rivals the mind, and pushes the boundaries of our imagination. And they are advancing at breathless speed."

He says things that even just a few years ago we considered to be human tasks are being mastered by computers. "Creative writing, emotional expression and driving cars are but a few examples of these. Even seemingly uniquely human tasks are being mastered by machines - we're taking a backseat to technology."

Dark Ages

Yoran says it is highly likely in the next few years technology will be capable of accelerating its own development. "It will control its own destiny, the results of which we cannot predict."

"We are completely reliant on computers for every aspect of our professional and personal lives. We also stand at the Dark Ages of information security. 2014 was the year of the mega-breach. Things are getting worse, not better. 2015 will be the year of the super-mega breach. The largest enterprises with the most sophisticated tools haven't been able to prevent the bad guys from getting in."

He says 2014 was another reminder we are losing this contest. "Adversaries are outgunning the industry and are winning by every possible measure. We can neither secure nor trust our environments.

"In security, we haven't been able to find what we're looking for," he explains. "The perimeter mind-set is still with us and we are clinging to old ideas. Signature-based intrusion prevention and anti-malware are not effective, and don't begin to protect against today's advanced threats. These tools are incapable of detecting the threats that matter to us the most. It is a case of virtually blind telemetry. In fact, the last Verizon data breach report revealed that less than 1% of attacks were prevented using SIEM [security information and event management] systems."

We are going to be dealing with these challenges for a long time to come, adds Yoran. "The barbarians are already inside the gates - in fact, they have already raided the liquor cabinet."

He says the industry's mind-set needs to change. "The reality is, although the industry has been saying this for years, our actions don't reflect it. We say we know the perimeter is dead, the adversary is inside - but we are not changing the way we operate."

The first step, says Yoran, is to stop believing that advanced protections work. "Even if they do work much of the time, they will fail also. Every intrusion we read about on a daily basis is a result of a well-resourced, creative and focused adversary, who will be able to get into your environment.

"They enjoy limitless bounty, with impunity. We are even seeing analytics-resistant malware that evades sandboxes. No matter how high our walls, they will get in."

Next, he says, is to adopt a pervasive level of visibility from endpoint to network to cloud. "Many threats are stealthy, even virtually undetectable. We need pervasive and true visibility into our enterprise environments, which is what SIEM was meant to be, but isn't. You cannot do security without continuous, full packet capture, and compromise assessment visibility. You need to know which systems are communicating with which, why and how, and ultimately the content itself."

He says these are foundational requirements for any modern security programme. "We must be able to knit together different aspects of an attack, otherwise we don't have a hope."

The single greatest mistake made by security teams is underscoring incidents and rushing to clean up without understanding the campaign, says Yoran. "This teaches adversaries which techniques you are aware of, and which ones they can use to attack you. We need to go further than what's available today."

External threat intelligence

Thirdly, in a world with no perimeters and fewer anchor points, authentication and identity matter more, not less, he says. "Malware is the vector for attack in less than half of cases reported by the Verizon Breach Report. In most cases, attackers used stolen credentials and walked in through the front door. Even tech savvy people can fall victim to sophisticated social engineering."

Next, he says, we need to make use of external threat intelligence. "There are amazing sources of threat intelligence from vendors and organisations. We must leverage this intelligence for increased speed and agility, operationalise it into our environments, tailor it to meet our needs and align it with our assets."

"Finally, understand what is important and what matters most to your organisation," says Yoran. "Asset categorisation is absolutely critical, as it helps to ensure limited resources are deployed for maximum impact. Defend what is important."

He says these types of approaches do work. "We are catching adversaries red-handed. I'm not saying we have all the answers, and we are faced with resource challenges, skill-set limitations and legal obstacles. However, we are changing the mind-set. As an industry we are on a journey that will continue to advance for years to come."
