
Security is a big data problem

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 15 May 2012

There are many gaps in ICT security today. Security is broken, and everything organisations are currently doing in security needs to be revisited.

The biggest security risks today are associated with the way most organisations think about security management and conduct security operations.

So says Eddie Schwartz, CISO of RSA, who argues that by changing their approach, CISOs can take effective action against the multitude of new, advanced security threats.

Many organisations have out-of-date security in place, and the focus of their security investment is also flawed. Many businesses spend too much on preventative security technologies, hoping these will protect them and they will not be breached.

The recent past has clearly illustrated that this approach is inadequate in the face of advanced threats and sophisticated adversaries such as nation states, organised crime and hacktivists.

“Think of all the recent high-profile attacks. Over and above those, most companies have been breached, they just don't know it.”

Schwartz believes the models in place today leave the defender constantly playing catch-up, which frees the adversary to pursue offence in depth, he says.

“Security must be risk-based, contextual and agile. If you don't think differently about security, you will fail,” says RSA's Eddie Schwartz.

Perimeter security can be easily bypassed, and attackers can instead focus on client-side attacks, making it nearly impossible for companies to have completely secure environments. This raises the question of which environments can be secured at all, he adds.

In the past, the approach was to keep on buying new products - firewall, DLP (data loss prevention) and similar - and just keep adding. “Criminals know the capabilities of these solutions. They can be bypassed. The mindless approach to invest in things to make it go away was not working,” explains Schwartz.

Adding to this, attack vectors such as spear-phishing and drive-by attacks could not be prevented, as the end-user could not be effectively protected.

These days, prevention on its own is inadequate. Its goal is to prevent or limit unauthorised connections in and out of the network; in reality, adversaries make use of the paths that are allowed.

“We have been trained to do things in a certain way. Separating bad from good is increasingly difficult. We need to understand what bad looks like and look for similarities, and understand what good looks like and look for meaningful differences.”

He says focusing on the adversary first is critical. “Where is the threat coming from? Hacktivists? Nation states? Petty criminals? Organised crime? Insiders? Terrorists and vigilantes? A good threat model should be adversary first and adversary-based.”

He believes security is now a big data problem. These days, leading organisations focus on managing advanced threats by capturing and analysing enormous volumes of information, thus achieving more situational awareness.
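The “big data” approach Schwartz describes can be made concrete with a small baseline-and-deviation check. The following is an added example, not code from the article or from RSA: it builds a picture of “what good looks like” (which destinations each host normally talks to, and how much it normally sends) from a set of constructed proxy log lines, then looks for “meaningful differences” in a later day's traffic: destinations never seen before, transfers far above the host's median, and connections to one destination at suspiciously regular intervals (beaconing). The log format, host names and addresses are all assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed sample log lines (not real traffic). Assumed format:
# <ISO timestamp> <source host> <destination> <dest port> <bytes out>
BASELINE_LOG = """
2012-05-07T09:01:12 ws-07 mail.example.com 443 1204
2012-05-07T09:14:40 ws-07 wiki.example.com 443 3310
2012-05-07T11:02:05 ws-07 cdn.example.net 443 820
2012-05-08T08:55:31 ws-07 mail.example.com 443 1500
2012-05-08T10:20:17 ws-07 wiki.example.com 443 2900
2012-05-09T09:03:44 ws-07 mail.example.com 443 1100
2012-05-09T13:41:09 ws-07 cdn.example.net 443 760
2012-05-07T09:05:00 ws-12 mail.example.com 443 1320
2012-05-08T09:06:12 ws-12 mail.example.com 443 1280
2012-05-09T09:04:50 ws-12 wiki.example.com 443 2700
""".strip().splitlines()

TODAY_LOG = """
2012-05-14T09:00:10 ws-07 mail.example.com 443 1180
2012-05-14T09:30:00 ws-07 wiki.example.com 443 3050
2012-05-14T10:00:00 ws-07 203.0.113.42 443 610
2012-05-14T10:05:00 ws-07 203.0.113.42 443 615
2012-05-14T10:10:00 ws-07 203.0.113.42 443 608
2012-05-14T10:15:00 ws-07 203.0.113.42 443 612
2012-05-14T10:20:00 ws-07 203.0.113.42 443 48000000
2012-05-14T09:02:33 ws-12 mail.example.com 443 1290
""".strip().splitlines()


def parse(lines):
    """Turn raw lines into records; malformed lines are skipped, not fatal."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        try:
            records.append({
                "ts": datetime.fromisoformat(ts),
                "src": src,
                "dst": f"{dst}:{port}",
                "bytes": int(nbytes),
            })
        except ValueError:
            continue
    return records


def build_baseline(records):
    """'What good looks like': per host, the destinations it normally reaches
    and the typical size of an outbound transfer."""
    dests = defaultdict(set)
    sizes = defaultdict(list)
    for r in records:
        dests[r["src"]].add(r["dst"])
        sizes[r["src"]].append(r["bytes"])
    return {host: {"dests": dests[host], "median_bytes": median(sizes[host])}
            for host in dests}


def find_deviations(baseline, records, size_factor=1000, min_beacons=4, jitter=0.1):
    """'Meaningful differences': destinations absent from the baseline,
    transfers far above the host's median, and one destination contacted at
    near-constant intervals (beaconing). Returns (host, destination, reason)."""
    findings = []
    by_pair = defaultdict(list)
    for r in records:
        base = baseline.get(r["src"])
        if base is None:
            findings.append((r["src"], r["dst"], "unknown host"))
            continue
        if r["dst"] not in base["dests"]:
            findings.append((r["src"], r["dst"], "new destination"))
        if r["bytes"] > size_factor * base["median_bytes"]:
            findings.append((r["src"], r["dst"], "large outbound transfer"))
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    for (src, dst), times in by_pair.items():
        if len(times) < min_beacons:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Low relative spread of the gaps means a timer, not a person, is driving them.
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < jitter:
            findings.append((src, dst, f"beaconing every ~{int(mean(gaps))}s"))
    return list(dict.fromkeys(findings))  # de-duplicate, keep first-seen order


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for finding in find_deviations(base, parse(TODAY_LOG)):
        print(finding)
```

Each finding on its own is weak evidence (a new destination is usually just a new website), which is why the example reports all three signals against the same host and destination rather than alerting on any one of them; the thresholds are deliberately simple and would be tuned per environment.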

Schwartz says that, over and above the analysis of a company's data, there needs to be sharing and collaboration. “These elements together drive an intelligence-driven approach to ICT security.”

However, he says more needs to be done by the security industry to give security practitioners the tools they need to identify and remove threats more quickly. “RSA and others in both the public and private sectors are working to reduce legal barriers so we can give the IT security industry the structures it needs to share information.”

Discovering which material assets matter most, and who the adversary is, is the foundation of good security; from there, organisations should move towards intelligence-driven security operations. “The worst-case scenario is that the attacker is already in the network. In some cases, there is no ability to control the adversary. The goal is to get an end-to-end understanding of the kill chain.”

This isn't always easy, he says. “How do you get visibility of things you don't manage? This is where agility comes in. Openness is critical: how do you get to the actionable information? Organising the big data, analytics and governance, and external collaboration is critical. This will require a whole new skill set in your team; this needs 'big picture' thinking.”

Ultimately, he says, to achieve victory takes a different mindset. “Prevention is impossible, bearing in mind the reallocation of resources that would be needed. Focus on the adversary first and the most important material assets. Security is a big data problem; you need to have more data, better analytics and be focusing on intelligence-driven operations.”
