A New Approach, A New Era for Security

I just got back from another year at the RSA Conference with my colleagues and peers talking about all that is new and upcoming in security. While some continue to debate the time and resources invested in conferences such as these, what cannot be discounted is the value in spending time with, and talking to, other 20+-year veterans of the industry. Though there is never a shortage of information in the security business, what can sometimes be missing is the context. These types of interactions and information exchanges are where new ideas are shaped and where new strategies are formed.

Now, whenever I am on the road attending a conference or other types of meetings, I always try to multi-task and meet with as many customers and partners as possible. I like to hear firsthand the issues they are struggling with and where we can provide them with the most value. I mention this because, as I was meeting with several customers in advance of RSA, I noticed a pattern emerging in their commentary that carried over into the conference. While they all expressed the sentiment in different ways, they all came to the conclusion that they are tired of constantly “playing defense” with their security by preparing for, and waiting on, the inevitable breach. The prevailing thought was that while hackers are always “a step ahead” of the game, that doesn’t mean we, as an industry, should simply accept it and take a passive approach to our security.

It struck me that while the clear theme of last year’s RSA show was centered on security intelligence and analytics, this year the concept has evolved from simply processing events to detect when an attack is occurring toward the ability to use data to anticipate attacks and avoid them before they happen. As I walked the halls of RSA, attended several of the sessions, and spoke with long-time acquaintances about my observations, most of them concurred that it was time for a new era in security in which we take a more aggressive posture in defending our most critical data.

So what does this mean exactly? Being more aggressive shouldn’t be confused with going on the offensive. I am not of the opinion, nor was anyone I spoke with, that launching preemptive strikes against would-be hackers is a good idea. It’s about being aware of your security posture. It’s about not sitting back and hoping you were right when you built your security infrastructure, but rather taking an aggressive approach to testing your security processes and matching wits with those seeking to do harm.

The concept we’ve been encouraging our customers to adopt is to think more like the attacker. The reason hackers or hacking groups are able to stay ahead of security teams is that they are constantly scanning and probing defenses to find some type of vulnerability or security loophole that will create an opening for them to exploit. Then, while the security team is busy “playing catch-up” and plugging these holes, they’ve already moved on to the next exposure point.

By allowing the hackers to dictate the rules of engagement, security teams are put in a defensive posture. Security teams that think like an attacker are constantly evaluating their networks through the same lens through which the hackers analyze them for vulnerabilities, and this perspective allows them to identify and close exposures more quickly. This is the best way to close the gap between enterprise security and those working to undermine it.

During RSA we heard a lot about the changing threat landscape and how the hacking community is becoming more sophisticated and better funded every day. So naturally the debate ensued around whether keeping pace, and ultimately closing the gap, is a question of technology, spend or approach. We’ve already beaten the spend issue to death. The reality is that enterprises are already spending to their limit when it comes to security and are looking for ways to spend smarter, not more. While changes and enhancements are certainly needed on the security front, as highlighted by recent high-profile breaches, these changes will need to come through better technology and more innovative approaches.

After spending a few days speaking with my colleagues in the industry, I feel fairly confident about where we are in terms of technology. While software development is inevitably flawed, the advancements being made to quickly identify and close vulnerabilities are reason to be optimistic.

Addressing security more aggressively and working to identify areas of weakness is a more sensible, and ultimately more effective, approach than building a “bigger wall” that you hope attackers can’t get through.

I’ll be interested in hearing from our customers and peers at the next big industry gathering to see how this approach is working for them. To borrow a line from a movie many years ago: “to catch a thief you need to think like a thief.”

Mark Hatton is president and CEO of CORE Security. Prior to joining CORE, Hatton was president of North American operations for Sophos. He has held senior roles with companies ranging from venture capital-backed, early-stage software vendors to a Fortune 500 information technology services and distribution organization. Hatton holds an MBA from Boston University, Massachusetts and a BA Communication from Westfield State College, Massachusetts.