SAN FRANCISCO–You don’t need to look too hard or talk to too many people at the RSA Conference here this week to realize that there is one subtle but persistent signal amid all of the noise: security is failing.It’s not news that things are broken. They’ve been broken for a while now, and not just sort of broken. Really, really broken. The best companies with the smartest security people can’t protect their data. Government agencies with huge budgets and massive resources get owned early and often. The volume of attacks continues to increase and the attackers continue to win and win and win.
Not only are we losing, we are losing on an unprecedented scale.
There seems to be an air of resignation hanging over many of the talks and keynotes and hallway conversations at the conference. The frustration of people who have spent a decade or more working on security is clear. The approaches that have been espoused for years just aren’t working and some CSOs and others in the industry are wondering whether there’s any change or improvement on the horizon.
The attitude among many in the industry now is that the time has come for a shift in thinking: Start with the assumption that your network will be compromised and then build your defenses from there. Acting as though penetrations are an anomaly and not the norm is just not getting it done.
“In the world of targeted threats, if you have secrets or intellectual property, you’re a target. We need to shift the mindset to think that if the attackers are persistent enough, they’re going to succeed,” said Jeff Jones, director of Trustworthy Computing at Microsoft. “If you assume they’re going to succeed, you want to detect it as soon as possible. You want to start thinking about partitioning things in a more strategic way. We need to design things with containment in mind.”
That line of thinking is one that some CSOs and practitioners have adopted in the last couple of years as they’ve struggled to deal with epic flood of malware and directed attacks that seem to compound with each passing year. How difficult has it become? One former Fortune 50 CSO said that he doesn’t know a single one of his peers whose company hadn’t had a major compromise in the last couple of years.
The shift in thinking that Jones described doesn’t just involve designing networks and defenses in different ways, it also requires that people spend more time thinking about the ways that attackers are continuing to succeed and what can be learned from those attacks. Attackers are learning and adapting, and countering their tactics requires the same. But dealing with the daily slew of attacks doesn’t often leave much time for the kind of analysis and data gathering that can require.
And even when the analysis is done, the resulting conclusions typically aren’t shared with the community at large, which means other organizations can’t benefit from it and end up falling victim to the same attacks. The data-driven approach is gathering momentum, but there is still a shortage of good information available. That may be about to change, though, as more people reach the tipping point and discover they can’t win the game on their own.
“What we really need is to get more smart people thinking about the problems that we haven’t solved yet,” Jones said.
