Organizations have to pressure IT security pros and the security industry to prove their solutions are effective in the face of seemingly unstoppable cyber attacks, says the head of one of the world’s biggest security vendors.
Amit Yoran, president of RSA, issued the call at the outset of his company’s annual security conference in San Francisco, where it is expected that dozens of vendors will announce new products.
But Yoran not only suggested organizations cast a jaundiced eye at this week’s press releases, he also called on the industry to overhaul itself.
“Challenge yourself and challenge us vendors,” he urged in a keynote speech. Ask “does this (new product) really help? Or is this another castle wall that will inevitably be breached?”
“Our industry has adopted a defensive mindset that mimics the dark ages,” he complained, with strategies of digging deeper moats and higher castle walls around enterprises.
“Beyond this irrational obsession with perimeters, the security profession follows an equally absurd path to detecting these advanced threats,” he said, monitoring traffic with signature- based detection and anti-malware. But, he pointed out, these solutions can only warn about threats they know about.
“Many security professionals base their security programs on the futile aggregation of this virtually blind telemetry, from intrusion detection systems, AV platforms and firewall logs, implementing that glorious and increasingly useless money pit known as SIEM (security information and event management),” he said.
(According to last year’s Verizon Data Breach report, less than one per cent of threats were successfully caught by SIMS systems, he pointed out).
“The single most common and most catastrophic mistake made by security teams today is under-scoping an incident and rushing to clean up a compromised system without really understanding the true scope or broader campaign,” Yoran also said.
Last year was dubbed by some the year of the mega breach — with breaches at Home Depot and Sony — and this year may be “the year of the super mega breach.”
“The largest enterprises with the most sophisticated next generation security tools weren’t able to stop miscreants from breaking in and making off with millions of dollars, personal information and sensitive secrets, not to mention damaging reputations,” he pointed out.
But he said, security pros and the industry can do five things for success:
–“Stop believing advanced protections work.” Sometimes they do, sometimes they don’t. So ask vendors if their solutions really are effective;
–Adopt deep and pervasive network visibility from endpoint to the cloud to have any hope of seeing and understanding attacks. Without it, “you’re only pretending to do security.” It will make SIEM what it’s supposed to be, he added.
–End authentication and identity vulnerabilities, including having too many admin accounts. Many attacks rely on stolen credentials;
–Leverage external threat intelligence, either from vendors or private industry associations. “And for God’s sake do away with PDF and email sharing of intelligence and response co-0rdination. We’ve seen attackers specifically compromise mail servers to eavesdrop on communications between the sysop and network defenders. Ouch.” ;
–Understand what matters most in your organization to prioritize limited resources.
The record breaches of 2014 were “yet another reminder we’re losing this contest” with attackers,” he said. “The adversaries are outmaneovering the industry, they’re outgunning the industry, they’re winning by every possible measure.”
But, he concluded, for the security industry “this is not a technology problem — this is a mindset problem.”
“It’s time for a new sense of exploration, awareness and understanding. It’s time for security to escape our dark ages and purse our own age of enlightenment.”