WASHINGTON–Security, like a lot of other things, tends to go in phases. A new attack technique is developed, vendors respond with a new defensive technology and then attackers find a way to defeat it. It has always been that way. And right now, things seem to be in one of those periodic down cycles in which the attackers have the upper hand.
In the past, what’s helped break this cycle is innovation, a new technology or architecture that helps swing things back in the other direction. At least temporarily. Security executives at some of the larger financial institutions and network operators in the world, speaking on a panel here Wednesday, said that the time has come for another such shake-up.
“I think we’re in a security rut right now,” said Ed Amoroso, chief security officer at AT&T, said during the panel discussion at the Billington Cybersecurity Summit.
The problem at hand is that while attackers have been adapting and changing their techniques and methods rapidly over the course of the last couple of years, the defensive community has yet to catch up and make the changes necessary to restore some semblance of order. Attackers, like those behind the newly discovered Icefog attack, have the upper hand in many respects, not the least of which is in having the luxury of time to surveil their targets, learn the lay of the land and find the weak spots they need to get in. Security teams, even well-organized and experienced ones, are at a disadvantage in this equation. Even if an attack is discovered in process, it’s sometimes difficult to tell what’s been taken, how long the attackers had access to the network and which machines have been compromised.
As the maxim goes, the attackers only need to be right once, while the defenders have to be right all the time.
Changing that state of affairs won’t happen overnight and the path to that destination certainly isn’t free of obstacles. It may require changing some of the fundamental processes and systems that have been mainstays of the security infrastructure for decades. Authentication, for example. Considered a foundational technology for as long as computers have been around, authentication may have outlived its usefulness.
“In my world, authentication isn’t a word that we’re using anymore,” said Charles Blauner, global head of information security at Citi, who was part of the Billington panel. “It’s time to move beyond that. For us, we’re thinking in terms of recognition rather than authentication. It’s about having the system say, ‘I recognize you’, and go from there.”
One of the things that’s been touted as a fix for the authentication problem is biometric technology. The thinking goes that requiring a user to employ both a password and something like a fingerprint or iris scan makes it much more difficult for an attacker to impersonate him. However, not all biometrics are created equal, Amoroso said.
“There are two flavors of biometrics. One is flavor A, where you store the fingerprint locally on the device and it’s used there,” he said. “Flavor B, you take biometric and send it out over the wire and it’s stored in a central database. Once it goes over the wire, it can be compromised. And it can’t be changed. So I think flavor A is good, but flavor B needs some work.”
Change comes slowly in security, but it may be time to speed things up.