When it comes to what security professionals need to do to protect their organizations, not much has changed in a couple of decades, though perimeters have all but dissolved and the timeframe for taking action has become more compressed, according to members of a Tuesday panel at SC Congress in Chicago.
Companies must still patch vulnerabilities, but instead of having weeks, security pros have days or less. “The time we used to have to patch has almost evaporated,” said Richard Rushing, chief information security officer (CISO) at Motorola Mobility. “If I told you have 24 hours to [patch something] that gives the bad guys a lot of time to hurt you.”
To expedite the protection offered by patches, Jeffrey Ingalsbe, CISO at Flexible Plan Investments, said it might be time to consider an “unpatch” strategy, putting patches in place without testing them and having a plan to remove the patches if they have a negative impact on users.
And the complexity of the computing landscape has changed and broadened, too, with a new car using more lines of code than a new 787 airliner, Rushing said. But while “complexity has increased, we continue to patch in the same way,” he added.
Many organizations are still using a security model from a decade ago. “Ten years ago, at mature organizations everything was managed well because there were boundaries,” said Ingalsbe. But that model got stressed over time. “In five years it changed,” he said, noting that the flexibility that mobile devices brought to the workplace eroded the perimeter and challenged CISOs.
“I think the whole idea of the perimeter is gone; the perimeter you used to have is mostly dissolved,” added Rushing. And along with it went the comfortable timeframe that companies had to test patches and then deploy them.
Today, the “things” that hang off the internet and corporate networks make patching an iffy proposition. Ingalsbe pointed to smartphones, noting that while iPhones are patched within days, Androids take far more time, if the vulnerabilities get patched at all. “Android patches are determined by the carrier (and to some extent the user); there's no push, no nagging reminders” like the ones that come from Apple, he added.
And information security pros need to understand “what it is we're protecting,” he said. “Threat detection is meaningless if I don't understand the target.”