Overcoming America's lost decade of IT security
Overcoming America's lost decade of IT security
Let's be honest, the information security industry has lost tremendous ground over the last decade.
In spite of the new offerings from the same vendors every year, the security products that are the mainstay of enterprise IT environments are relatively unchanged since the late 1990s: anti-virus engines on the desktop, intrusion detection systems on the network, and firewalls and gateway filtering at the border.
While, we've seen incremental improvements to these technologies over the last decade, the threat as long since moved on, making these the equivalent of a Commodore 64 – quaint, but not industrial strength. Think about this: Information security is a $12 billion-a-year industry. That's a lot of money being spent on an industry that has utterly failed in its mission to keep networks secure against very low-cost and low effort attacks.
The one space in security we have seen significant emphasis, investment, and innovation is in post-mortem analysis. This investment reflects a now widely-held belief that prevention is a failed strategy – that the best we can do is forensically analyze the train wreck that is our networks today.
There are both incredible technologies to forensically reconstruct network events that lead to intrusions, as well as forensic analysis tools to microscopically reverse engineer successful exploits. While examining the train wreck in detail is fascinating, and essential to understand what you lost and how bad it is for you, it doesn't do much to recover the lost data, nor to prevent the attack from succeeding.
Perhaps an illustrative metaphor is the automotive industry in the 1970s, when seat belts were optional and not widely used. There were spectacular crashes and lots of blood on the street – kind of like the information security landscape today. The automotive industry could have decided to put more horsepower in the engine while not paying attention to better safety engineering. They could have said “not my problem” and counted on medical science to produce better lifesaving and emergency response systems to try and rescue the lives of those injured in car accidents.
Instead, states passed laws to make seat belts mandatory, and automobile manufacturers began to seriously take engineering safety into the design of cars. Safety engineering evolved and is now a primary automotive design priority – airbags, air curtains, anti-lock brakes, crumple zones, and more recently, collision avoidance systems.
The security industry must do the same. It needs to focus on engineering networks, systems, and software to be secure by design and resilient to attacks. We should not wait until the government mandates security, because it is unlikely to get the legislation right in a very dynamic space. Instead we should be motivated to design secure networks and systems because that's what our customers are ultimately paying us for.
On the public policy side, we've become enamored with the sharing of exploit data. Sharing between public and private sector is incredibly important. In fact, the lack of sharing is one of the primary reasons why innovation stopped in the security industry after 2000.
Essentially the federal agencies and large firms that were getting hit by sophisticated threats either classified the exploits, in the case of the feds, or were too embarrassed to share the information, in the case of the large firms.
As a result, the commercial security industry continues to release tools that were once effective against 20th century threats, but no longer because they aren't privy to the exploits the feds are seeing and classifying. Now, the feds all sing from the same sheet about sharing signatures of exploits or "intrusion sets," mostly with the defense industrial base.
But to really change the industry, the feds need to declassify this information, and put it out in the public domain. If they do, markets will react, change will happen, and the security industry will begin to develop products that can address the threat.
The fallacy in their sharing approach is that sharing signatures – the so-called “special sauce” – does little to stop the next attack for which no signature has yet been created. And as most of the security industry knows, the adversary trivially changes the signatures of its exploits. So rather than encouraging the industry to change its methods, instead, the U.S. government is embracing the 20th century approach to detecting attacks based on known signatures.
This worked last century, but not anymore.
Finally, we can't finish a discussion on the Lost Decade without mentioning the Compliance Hawk. The Compliance Hawk is that guy who secures his network by checkbox lists. It's the guy who believes that he's 80 percent secure when, in actuality, he's 80 percent patched. It's the guy who measures what percent he's compliant rather than on the percentage reduction in security incidents. It's the guy who thinks his job is done when he's hit all of his compliance metrics.
Now in truth, it isn't entirely this guy's fault. He just fell victim to an industry that told him that if he follows the compliance regime, his job is safe.
Compliance isn't all bad. The truth about compliance regimes is they ensure a minimum floor of network hygiene. The problem arose when the floor became the ceiling, and compliance got confused with security.
Unfortunately, the compliance industry created a huge sucking vortex of dollars that swept aside any budget for innovation and actual network security.
Instead, with compliance, we got busy work and job security for managers. Compliance is one of the root causes for The Lost Decade in Security. It's time to put compliance in its proper place – network hygiene not network security.
Turning the tide
Fortunately, awareness of the problem is growing.
We must work together as we cannot afford another Lost Decade. We need to invest heavily in innovating in security and, more importantly, in deploying 21st century technology to address this problem.
We need to shift from a purely reactive strategy – sending ambulances and first responders to the scene of the train wreck on our networks – to proactively engineering our networks to be resilient to attacks.
We need the will and vision to solve this problem. For the government, this means shortening the IT acquisition cycle on the same order as adversary innovation.
For industry, this means placing strategic investment on cybersecurity – we can no longer treat security as an afterthought only after your network gets publicly pwnd. The investment and strategy in cybersecurity needs to be commensurate with the value of the data on corporate networks, as well as the brand and reputational damage that results if the network is not properly secured. Continuing to invest in failed strategies is unlikely to change the game.
Innovation needs to be a core part of the cyber strategy for the 21st century threat.