MIAMI—Defense may win football championships, but it gets steamrolled in computer security arenas.
“A dollar of offense beats a dollar of defense,” said Nate Fick, CEO of Endgame Inc., on Thursday during his keynote address at Infiltrate Conference.
Fick’s talk in front of an audience of exploit engineers and offensive security specialists painted a grim picture of 15 years of defensive failures by a multibillion-dollar security industry that is still suffering massive breaches and shocking data theft.
A former Marine with command responsibilities post-September 11 in Afghanistan and Iraq, Fick drew parallels from each of his domains of experience.
“Security is suffering systemic failures for two reasons: Offense is structurally dominant; and second, defenders are too often bureaucrats with a compliance mindset. Attackers are much more aggressive, creative and nimble.”
Fick, a security executive since 2012, said defenders—both in the public and private sectors—are suffering for a number of reasons. On the public side in particular, difficulties in attributing attacks pose response challenges. In the private sector, it is also difficult to justify security expenditures given the difficulty most organizations have in demonstrating ROI, and the fact that security in most IT shops is seen solely as a cost center. Finally, he said, there’s a talent imbalance.
“It’s much more fun to be a pirate than to join the Coast Guard,” he said.
On the private side, defenders are also done in by a market in the throes of a bubble where 1,500 vendors compete for the same dollars, fail to offer complete products and instead are out to get acquired; at its most recent peak, Fick said, companies are being bought for 12x their most recent revenue, well above normal 4x to 6x ranges.
“Winter isn’t coming, it’s already here,” Fick said of the bubble. He anticipates two years characterized by tighter early-stage funding for security companies, a large degree of consolidation in the midmarket, and continued success for companies that have products and services that work.
“The average Fortune 500 company has 60 security vendors; complexity is the enemy of security,” Fick said. “The market responded to this uncoordinated orgy by overfunding, and now you have 1,500 security companies competing with undifferentiated products and messaging.”
As a result, adversaries can respond more quickly and find rapid successes, while the industry flounders using failed tactics. Fick pointed out as an example that for too long the military was trying to fight symmetric battles against asymmetrical adversaries; IT security similarly suffers. The military, he said, found a way out of that rabbit hole by, for one, diversifying its skill sets. It decentralized decision-making and expanded the circle of talent it embraced in order to move beyond the traditional battlefield style of war.
The solution, he said, lies not only in computer security specialists embracing diversity to improve problem solving, but also in companies bringing offensive capabilities into network defense. Fick did not advocate hacking back—which is illegal, as he pointed out—but instead advocated an approach in which everything is thought through from the adversary’s point of view. “Think like the adversary; turn the map around,” as he put it. Stealth concepts should also be brought to detection, he said, pointing to hardened infrastructure and to software image and signature diversity as two examples.
“Bring an offensive approach to enterprise defense. Most are not doing it,” he said. “Bring stealth concepts to detection. If a defense can be seen, it can be bypassed.
“Hardening tools can save you when stealth fails,” he said. “Signature diversity too. Large industry players ignore this; if you’re running one signature, all it takes is for an attacker to find that one and burn them all down. Adversaries avoid surfaces like water, and flow to gaps. Signature diversity is a necessary component for any defensive posture that relies on stealth.”