Change is the only constant, and it can be a threat or an opportunity, but the information security community has no choice but to embrace it and decide what to do with it, delegates were told at the RSA keynote 'Escaping Security's Dark Ages' on Tuesday.
The theme of change began with an opening showbiz production of a re-worked cyber-security version of David Bowie's hit, Changes, sung by Glee's Jane Lynch. While it may have sounded upbeat, RSA President Amit Yoran's opening keynote switched the mood as he described the industry as stumbling about in the 'dark ages', with 2014, the year of the 'mega-breach', about to be followed by 2015, the year of the 'super-mega breach', and our adversaries winning by every possible measure. Meanwhile, all mankind stands at a critical inflection point as technology accelerates and tasks thought to be inherently human are undertaken by machines, propelling civilisation into the information age. And we can neither secure nor trust any large computer environment.
Yoran added that our taller walls and deeper moats hadn't worked, and while the industry had claimed to understand that the perimeter approach was no longer solving our problem, our mindset had not changed, and nor had our actions. SIEM (security information and event management) was described by Yoran as: "Gloriously useless – less than one percent of APTs were spotted by SIEM systems. We're not changing how we operate."
Yoran went on to describe the actions necessary:
1) Stop believing our advanced protections will work – they will fail and the focussed adversary will get in.
2) Pervasive visibility everywhere is needed in the enterprise environment. Intruders are stealthy, evade detection and bypass our defences, so we need to know exactly what is happening and understand the scope of the threat. Under-scoping incidents and rushing to clear up compromises without fully understanding the scope of the attack was described as the single biggest error, since it tips off the adversary as to what is known about them. The need is to go further than what is available today.
7) Identity and authentication are increasingly important, not less. Verizon stats were quoted, where 95 percent of intrusions used stolen credentials, with the oft-repeated quote: "Who needs zero days when you've got 'stupid'." Hence the call was to avoid abuse of identity, including not trusting the most trusted users, as those accounts are the most subject to attack.
4) Utilise external threat intelligence – from companies and organisations – and operationalise the intelligence into your environment and tailor it to your organisation's needs. And don't send such intelligence by email.
5) Prioritise your limited resources to achieve maximum impact. Audit what is critical and focus on your key accounts, data, apps.
The overall call was to change the paradigm and acknowledge that we have "sailed off the map" of known territory and that the world has changed; it's not a technology problem, we have to change our mindset, our map is wrong.
Later that morning the theme of 'change' continued during the 'Security on the Offensive' session with Christopher D Young, senior VP of Intel Security Group, who described how we are in a trust crisis that makes it difficult for us to adopt change, while our industry has gone from a back-office IT function to a critical Oval Office security issue.
To explain the nature of change needed he introduced Billy Beane, general manager and shareholder in Oakland Athletics baseball team, whose transformation to winners via a new approach to statistical analysis of players was charted in the book and film Moneyball. Beane explained how the transformation required challenging entrenched thinking, letting unbiased eyes from outside into the thought process, and taking emotion out of decision making and instead relying on the data – then putting it into practice. Challenging the status quo, taking risks, constantly challenging the starting platform of received wisdom – and accepting that even then you won't get it right 100 percent of the time were among lessons learned.
Young suggested that, in the security context, this would mean looking for insights and not just more data: let your systems deal with 98 percent of alerts and hunt down the two percent that you really care about. Change the way you use SIEM tools and treat them like intelligence, not all of which is acted on, putting the data into context to concentrate on what you really care about.