The Importance of Learning From Hackers

Earlier this month, during the RSA Conference in Europe, Amit Yoran, President of RSA and former cybersecurity director at the U.S. Department of Homeland Security, proclaimed, “Infosec is fundamentally broken.”

“Infosec is an industry that wastes billions of dollars on firewalls and policing network perimeters, things that ‘make us feel safe’ but don’t address real problems,” Yoran said. “Look at the major breaches of recent memory and you will find companies that were attacked despite using next-generation firewalls and high-level software that, for all their cost and promise, allowed massive, embarrassing and harmful breaches.”

Is it true? Certainly, data breaches continue to be in the headlines despite more than an estimated $70 billion in annual cybersecurity spending.

Why does this keep happening?

Think Like an Attacker

During a recent presentation at the Churchill Club, the leaders of Symantec, Fortinet, Intel Security and Palo Alto Networks (all members of the Cyber Threat Alliance) were asked this very question, and attributed it to a variety of factors:

• Underinvestment in security until recently, when security finally became a board-level conversation

• Highly automated, persistent adversaries taking advantage of the decreasing cost of compute power

• Increased use of a 50-year-old Internet architecture (with legacy components) that is protected by security solutions which don’t understand applications and content

In fact, Symantec CEO Michael Brown said this: “We have never spent as much on cybersecurity but we still spend a 10th of what attacks cost us.” In May 2015, in an interview with CNBC, he expounded on this: “The security industry is clearly trying to respond to an ever increasing number of attacks and severity of attacks, but until companies are actually spending even more, we’re creating a gap in terms of what companies need to be spending to protect themselves,” Brown said during an interview on Worldwide Exchange.

Yes, it appears that relentless, persistent attacks and advances in hacking techniques, against a backdrop of underinvestment in security departments, are creating the perfect storm. But is spending more really the answer?

How about working smarter, or having a different paradigm?

Know Thy Enemy And You Will Win A Hundred Battles

It was Sun Tzu who said “Know your enemy and know yourself, you need not fear the result of a hundred battles”.

How can we work smarter by understanding our attackers and learning from them? We know the good guys have to get it right all the time to avoid being hacked. The bad guys only have to find one hole. The advantage appears to be on their side, unless we move from just understanding our environments to understanding our adversaries.

Security attacks come from living, breathing opponents that exhibit specific characteristics. They are thinking outside the box, using sophisticated breach methods and taking advantage of a very collaborative ecosystem. Traditional security solutions are point solutions that deliver very specific defenses while attackers use a blend of techniques.

Perhaps it’s time to supplement all our security defenses with a hacker-centric security paradigm. No, I’m not talking about hacking back at adversaries; I’m talking about proactively hacking with ourselves (and our infrastructure) as the target. Organizations need to understand not just their own environments, but how adversaries view them. How will an adversary assess and attack us and our infrastructure?

This move towards a hacker-centric security paradigm is already taking place in the cybersecurity world. We have companies offering bug bounty programs that reward successfully finding flaws in products and systems, and we have ethical hackers who perform these tasks for security organizations. But these efforts are tied to the human element, and so they are limited by how many people are available and how often they can be engaged.

In order to truly optimize our efforts, and keep pace with the evolving risks introduced by new users, endpoints and applications, we need to execute breach methods like a virtual hacker and automate this process. Without the ability to automate and continuously validate hacker breach methods, we cannot possibly keep up with the increasing efficiencies that attackers are enjoying. More importantly, just like an actual attacker, proactive, offensive security should execute all the various steps of the kill chain while existing (point) security solutions are in place, to provide a complete picture of an organization’s cybersecurity posture.

With this paradigm shift, just like continuous integration in the software development world, we will be able to proactively find holes in our environment, quantify our security risks and understand which security systems are working as expected before we are actually attacked.

Written By

Danelle is CMO at Ordr. She has more than 20 years of experience in bringing new cybersecurity technologies to market. Prior to Ordr, she was CMO at Blue Hexagon (acquired by Qualys), a company using deep learning to detect malware, and CMO at SafeBreach, where she helped build the marketing organization and define the Breach and Attack Simulation category. Previously, she led strategy and marketing at Adallom, a cloud security company acquired by Microsoft. She was also Director, Security Solutions at Palo Alto Networks, driving growth in critical IT initiatives like Zero Trust, virtualization and mobility. Danelle was co-founder of a high-speed networking chipset startup, co-author of a Cisco IP communications book and holds 2 US patents. She holds an MSEE from UC Berkeley.
