MIAMI—Defense may win football championships, but it gets steamrolled in computer security arenas.

“A dollar of offense beats a dollar of defense,” said Nate Fick, CEO of Endgame Inc., on Thursday during his keynote address at Infiltrate Conference.

Fick’s talk, delivered to an audience of exploit engineers and offensive security specialists, painted a grim picture of 15 years of defensive failures by a multibillion-dollar security industry that still suffers massive breaches and shocking data theft.

A former Marine with command responsibilities post-September 11 in Afghanistan and Iraq, Fick drew parallels from each of his domains of experience.

“Security is suffering systemic failures for two reasons: Offense is structurally dominant; and second, defenders are too often bureaucrats with a compliance mindset. Attackers are much more aggressive, creative and nimble.”

Fick, a security executive since 2012, said defenders in both the public and private sectors are suffering for a number of reasons. On the public side in particular, difficulties in attributing attacks complicate any response. In the private sector, security expenditures are hard to justify because most organizations struggle to demonstrate a return on investment, and security in most IT shops is seen solely as a cost center. Finally, he said, there is a talent imbalance.

“It’s much more fun to be a pirate than to join the Coast Guard,” he said.

On the private side, defenders are also done in by a market in the throes of a bubble, where 1,500 vendors compete for the same dollars, fail to offer complete products and instead aim to get acquired; at the most recent peak, Fick said, companies were being bought for 12x their most recent revenue, well above the normal 4x to 6x range.

“Winter isn’t coming, it’s already here,” Fick said of the bubble. He anticipates two years characterized by tighter early-stage funding for security companies, a large degree of consolidation in the midmarket, and continued success for companies that have products and services that work.

“The average Fortune 500 company has 60 security vendors; complexity is the enemy of security,” Fick said. “The market responded to this uncoordinated orgy by overfunding, and now you have 1,500 security companies competing with undifferentiated products and messaging.”

As a result, adversaries can respond quicker and find rapid successes, while the industry flounders using failed tactics. As an example, Fick pointed out that for too long the military tried to fight symmetric battles against asymmetric adversaries; IT security suffers from the same mistake. The military, he said, found a way out of that rabbit hole by, among other things, diversifying its skill sets: it decentralized decision-making and widened the circle of talent it embraced in order to move beyond a traditional battlefield-style of war.

The solution, he said, is for computer security specialists not only to embrace diversity to improve problem solving, but also for companies to bring offensive capabilities into defending their networks. Fick did not advocate hacking back, which, as he pointed out, is illegal; instead he called for an approach in which everything is thought through from the adversary’s point of view. “Think like the adversary; turn the map around,” as he put it. Stealth concepts should also be brought to detection, he said, pointing to hardening infrastructure and to diversity of software images and signatures as two examples.

“Bring an offensive approach to enterprise defense. Most are not doing it,” he said. “Bring stealth concepts to detection. If a defense can be seen, it can be bypassed.

“Hardening tools can save you when stealth fails,” he said. “Signature diversity too. Large industry players ignore this; if you’re running one signature, all it takes is for an attacker to find that one and burn them all down. Adversaries avoid surfaces like water, and flow to gaps. Signature diversity is a necessary component for any defensive posture that relies on stealth.”

Categories: Government, Hacks, Web Security

Comments (5)

  1. Anonymous

    Correct me if I am wrong, isn’t hardening and signature diversity still defense? Unless you really dial back and attack the hacker network…it really does not involve any offense. Taking down a hacker network with state’s power – that’s offense, again, not something individual company should practice.

  2. Fred

    Totally agree. Many corporate cultures don’t get it. As a trained hacker, I can see holes in a security program which many security departments will not recognize even after the issues are pointed out. It always takes a large breach before changes happen, and sometimes not even then.

  3. InSecure

    The root of the problem is in determining the ROI on defensive spending. Were we not hacked because we were lucky or because we have enough defensive personnel, technology, and processes?

  4. Bleh

    Yet another CEO peddling their products telling us we’re doing it wrong. Would love to see a CEO of a security company talk about something OTHER than what they’re selling.

  5. Yep

    A couple of these comments worry me. I can validate what this guy is saying on a daily basis. Every red team operator who reads this is nodding his/her head right now. The fact is that (IMO) most defenders don’t think like offenders. From my vantage, I continually see one team focusing on firewalls, HIDS/HIPS, an expensive NPS suite, and log aggregation while the other dreams up ways of exploiting individuals, creating complex exploits using a handful of dispersed benign observations, implementing the latest bleeding-edge exploits, and concocting elaborate shell games of misdirection.

    In reality, they are two different worlds and two different mindsets. What Fick is advocating could simply mean using offensive analysts to perform hunt activities or to engineer the indicators of compromise (IoCs). We can question his motives as a businessman or we can recognize that maybe he’s echoing what every offensive operator in the field knows and that he’s simply trying to capitalize on a realistic niche that he’s identified.

    My $0.02
