BOSTON – While some industry groups such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and cross-industry groups such as the Advanced Cyber Security Center (ACSC) facilitate the exchange of threat information, for the most part organizations are still hamstrung by legal constraints and other business factors that prevent an adequate flow of actionable information.
Yet more than ever, enterprises and government agencies need adequate data on attacks in order to have any hope of keeping up in the rat race that is today’s threat landscape. The inherent weaknesses in signature-based tools have been exposed by attackers who are more nimble than those defending corporate networks as they are currently architected. Intelligence, experts said Thursday at the ACSC Annual Conference, must be the backbone of policy and new security technology.
“Attackers have better sharing networks,” said Tom Heiser, president of RSA Security. “The complexity of the privacy laws we must follow as well as legal liabilities are tying our hands. We must find a way to increase our sharing and the visibility of networks while still protecting the privacy of our citizens.”
With groups such as ACSC, which hosts bi-weekly Cyber Tuesday meetings where representatives from 30 of its member organizations meet inside a secure room at the Federal Reserve Bank to exchange threat intelligence, there are efforts under way to facilitate this exchange without a mandate from government for example. And as more boards of directors ask harder questions about information security and threats to the overall business, it’s imperative that executives have an answer and best practices to implement that cut across all industries.
“We need vertical and horizontal sharing,” Heiser said. “And researchers need to share too. Too often, their efforts are still stove-piped.”
Another meme bandied about Thursday’s event was the need for all aspects of the business to be well versed in information security and risks to the business.
“The heads of infrastructure, development, IT architects all have to be fluent in security,” said State Street chief information officer Chris Perretta. “I can’t defer in board meetings to others in security any longer. Risk factors and measurements are really important. Boards are deciding they want to us to quantify our risk posture and who weighs in on that beyond the technology organization. What is the business skill set required to build a 5-9s infrastructure and figure out how to build applications assuming bad guys are in the network within a prescriptive regulatory environment where investments are limited? That’s the challenge we have going forward.”
Yet there has been a resurgence of late in venture capital money being pumped into information security. A number of companies, including Qualys and Palo Alto, have gone public in 2012, while innovative technologies are being rewarded with VC money.
“It’s no longer about keeping things out,” said Maria Cirino, cofounder and managing director of VC firm .406 Ventures. “We have to recognize attackers are on the inside and understand what measures we must take to contain them and maintain a level of availability and security to keep you in business and compliant.”
Cirino suggested that software vendors, especially those such as Microsoft and Adobe with a dominant market share and presence on endpoints, be considered critical infrastructure and held to a higher standard with regard to security.
“We’re talking about building security in. Well, it’s incredible to me that the biggest software companies in the world—Microsoft and Adobe—why they’re not considered providers of critical infrastructure,” she said. “Why is there no requirement for those companies to demonstrate any security built into that software? It’s astonishing. I know we’re all afraid of regulation and want to keep regulation away, but in recognition that software is powering every aspect of our infrastructure, there should be a baseline expectation of security.”
Cirino called for large customers to pressure such vendors for enhanced security built into the development lifecycle of their software. She suggested a set of standards developed by industry leaders similar to what Visa and MasterCard did with the Payment Card Industry Data Security Standard.
“PCI was driven by Visa and MasterCard to address problems that started cropping up; cybercriminals realized 8-10 years ago that little merchants had lousy security infrastructures,” Cirino said. “State Street has a lot of money and security. Joe’s Delicatessen doesn’t have that capability. Visa and MasterCard did not wait for regulation. If you want to do business with us, you have to subscribe to our standard. That reduced the problems Visa and MasterCard were seeing and having to pay for by a tremendous amount.”
In the meantime, security organizations need to continue to take baby steps toward better information sharing of threat intelligence, build that into detection tools, and continue to develop their security acumen organization-wide.
“Many customers recognize the need to change strategies,” RSA’s Heiser said. “They have to accept the bad guys are in the network. Period. That has been fought for some time, but that’s a fact of life. The inevitable infrastructure compromise, however, doesn’t necessarily lead to an information compromise. Companies have to move beyond the kneejerk reaction that all breaches are catastrophic and that some loss and damage is acceptable.”