Try to dampen your innate cynicism for one second, forget the source of this next comment, and absorb it: “We need resilient defenses.” Dr. Steve King uttered those words at a small security event in Boston last week. Four simple words you’ve heard before that today make so much sense.
King is the deputy director for cyber technology in the office of the assistant secretary of defense for research and engineering at the Department of Defense. No one likes to hear the government preach about cybersecurity, especially when the federal government's own house is in disarray. But he spoke eloquently about the need for trust and resiliency in IT systems, and did so in the context of how the military designs systems in an adaptable manner so that they remain secure and resilient even on the battlefield. That example applies to everyone.
“You have to recognize that you will have compromises on a continual basis and that you have to conduct missions regardless of that,” King said. “You have to design and architect infrastructures to enable us to sustain operations despite a degraded environment.”
In the past 15 months, it seems that security operations and management folks have come to grips with the fact that systems, networks and endpoints are owned. You hear it said out loud. You hear it from experts. And you hear it from people at the keyboards every day inside organizations large and small.
Compromises are constant and automated. Cybercriminals are stealing money by the truckload. Political activists are taking banks offline for hours or days at a time. State-sponsored hackers are quietly on networks stealing sensitive manufacturing or military information. Yet it seems security people are stuck on this hamster wheel of patching systems, updating signatures and praying they’re not the next data breach headline.
How do you get off that wheel?
Intelligence is the best weapon in any fight. If you understand what your enemy is capable of, and where they are weakest, then and only then can you think about your own offensive and defensive strategies. Companies need to understand their internal risks and soft spots, such as partners, suppliers, or even new acquisitions. Companies also need to understand what peer organizations are doing in security and share data with them. Most do that in an ad hoc fashion; ideally, cross-industry sharing and support groups will take this on in a larger way someday.
And stop thinking of compliance as the be-all and end-all of security, despite what the execs may be telling you.
“A strong security posture and reporting can lead to strong compliance. The opposite is not the case,” said RSA Security president Tom Heiser. “Some say they’re ISO compliant and stop there, and don’t look in terms of a broader spectrum. I had a CISO tell me the creativity is being ground out of his security team by constantly going for the checkbox. The burden of meeting compliance requirements is taking practitioners out of the business of intelligently assessing their own risks.”
That’s not resilient security. Most organizations aren’t building resilient systems, and we’re not just pointing fingers at smaller, resource-strapped IT teams. The big boys, such as the Department of Energy, are falling on their collective faces too. Results from a recent audit of the DOE’s non-classified systems were published, and the news isn’t pretty. Weak access controls, poor change control, and bad Web apps are all contributing to a poor state of affairs in one of the largest federal agencies. Worse, a significant number of desktops and network servers were still vulnerable to exploitation despite the availability of vendor patches, never mind the number of operating systems still in place that were no longer supported by their vendor.
Clearly the current approach is failing. Not enough credit or money goes toward incorporating intelligence into security operations, and too much credit goes to security practices and technologies that have failed. If you concede that attackers are already on your network, there are ways to drive up the cost of their attacks and force their hand; cost is an economy attackers understand.
“Time can be a defender’s friend,” King of the DoD said. “If you can have your network defended and changing at a speed that makes it difficult for an adversary to do reconnaissance and surveillance and make them go to ground zero again, you can disable many attacks. Everyone has time budgets.”
One CISO, Heiser said, calls this “dwell time.”
“Dwell time is a great descriptor of how long an attacker is in the network,” Heiser said. “The quicker you can find them, the quicker you can kick them out and address what they’ve done. This allows us to apply adaptive controls to address what they’ve done while they’re in there.”
The era of preventive security as the hallmark of security operations is over. Better detection and better offensive capabilities are the way forward.
“Companies are taking money out of areas that are commoditized and repurposing those funds to build out higher analytics and security analytics centers,” Heiser said. “You have to get creative there.”