CANCUN—One of the more difficult aspects of defending a network or system is trying to keep up with the new tactics and techniques that attackers use. They modify their techniques constantly, and security teams must do they same or they won’t survive. Evolve or die has become the rule.
Of course, that’s far easier said than done, especially when considerations such as budgets, business imperatives and national borders come into play. But for enterprise security teams, adapting and evolving and understanding the methods that modern attackers use quickly has become a business imperative in its own right. Chris Hoff, vice president and CTO of the security business at Juniper Networks, compares the current situation to that of a mixed-martial arts fighter who needs to be proficient in multiple disciplines.
“Fighters can’t afford to focus on just one thing, because they’re fighting many different adversaries. Adapting and evolving are really, really important in security just as in fighting and in nature,” Hoff said during his keynote speech at the Kaspersky Lab Security Analyst Summit here Monday.
One idea that has been forwarded in recent years to help with this problem is active defense. That has become a loaded term, to say the least, as it often is associated with hacking back or going after attackers. But, Hoff pointed out, that’s a misunderstanding of the range of options in active defense. The concept can include any number of things, from simply tracking the attackers targeting your network, to using high-interaction honeypots, to planting Web bugs and beacons in documents to the nuclear option of hacking back.
” If you look at the range of intrusion response, the force can be benign or aggressive,” Hoff said. “It’s kind of like a Rubik’s cube There’ no one definition. Depending on the skill of the attacker, we can use different levels of force in the response. But threat models matter. If you’re going to hack back, you better be ready for battle.”
The idea of cyberwar often gets associated with high-profile attacks, such as the one on Sony Pictures, especially when foreign governments are suspected of being involved. But Hoff said comparing security and any kind of war is generally a poor idea.
“The use of the word war gets thrown together with anything having to do with cyber,” he said. “Conflating everything with war means your only analogs are what you see in the war manual. Those aren’t our only options. It’s a slippery slope.
“”We can’t keep conflating the issues of surveillance, espionage, terrorism and vandalism with war. We have to make headway here with attribution. The problem is we’ve given up as an industry and rolled over and said it’s not if but when you’re going to be breached and all you can do is clean up after the breach and hope for the best. That to me is unacceptable. We can’t afford that as a species or as an industry.”
