Information Security Risks Becoming a Failed State
Current events are depressing. President Obama, on the television last night, let us all know he has approved US airstrikes in Syria – an indication of the deepening struggle of both the Syrian and Iraqi governments attempting to maintain some semblance of control. The situation in Ukraine is on a knife’s edge as well for much of the same reasons. These are indicators that we may be witnessing the last gasps of failing states in those regions, but while that news is bad, in the midst of constant updates on the instability in Ukraine, Syria and Iraq are news reports of major data breaches, most recently JP Morgan and Home Depot. I fear that much like the situation with the aforementioned regional political conflicts, an analogous story can be told about the current state of information security.
The unfunny punchline to the case I’m about to lay out is that information security professionals are so overwhelmed that they simply cannot even employ the most fundamental processes to keep up with the barrage of daily attacks against the systems they are trusted to protect. As a result, a defeated attitude among veteran professionals is pervasive. Not only that, but the situation is expected to get worse, and while vendors promise solutions and organizations make public proclamations about the importance of security, the bad guys are winning with increasing frequency.
I don’t want to spend too much time detailing the litany of recent attacks and the lack of capture and prosecution of perpetrators – we all know these stories. Rather I think it is instructive to highlight some of the most glaring examples of where we are failing with regards to protecting our systems and why the very expensive tools the security vendors sell us aren’t up to the challenges we are confronting.
The Cry of “We can’t keep up” is So Loud It’s Deafening
At HP Protect in Washington, DC this week I heard over and over again from attendees and presenters that security functions just don’t have enough resources to properly monitor their systems for breaches. This is old news and reflects a complaint that probably dates back to the very first information security professional, but we’ve reached a point where apparently most are stretched so thin that they don’t even bother to monitor incoming traffic in a serious way anymore. Sure, we have applications and appliances that can automate much of the work, but the marginal incidents that require a human to assess are simply being ignored. The thought process is that incoming traffic is not where the real damage happens; it is in the outbound calls where the sensitive data is leaked or the call to a command center is made, so if you can stop the bad actors from getting out then that is sufficient. That’s risky. It’s like backing yourself to the edge of a cliff and only then standing your ground.
Given that posture on monitoring traffic it is not surprising that most security professionals accept that they likely have been, and currently are, victims of an undetected breach. They know that there is malware on machines somewhere on their network, and most recognize they won’t likely ever find all of it. As one person explained to me, “I’m OK with a thief breaking in and stealing loose change, just as long as they don’t kidnap my kids.” That is the current reality and I actually think that is a reasonable way of looking at things. The problem is that the situation is getting worse. To extend that analogy: this year it may be pocket change, next year it will be the silverware, then an occasional TV, and onward in an ever-increasing spiral. I don’t see any indication we are not rapidly heading in that direction.
If that isn’t bad enough, I was surprised by the number of people who admitted to not implementing even the most basic of checks, such as checking protocols against ports. Ports 80 and 443 need to be open, but if connections are using those ports for traffic other than HTTP then that is suspicious and at a minimum it warrants further investigation, if not an all-out block. Unfortunately, even though this type of check could be handled through some rather simple security appliance configurations, we inexplicably don’t do this. In addition, we also don’t have a habit of checking for calls to dynamic DNS servers, a necessary part of many attacks. These are basic things that we need to be doing, and they target a relatively easy link in the kill chain.
Finally, I was surprised by the number of people who don’t even subscribe to threat intelligence feeds. I understand these feeds present an overwhelming number of data points to consider (IPs, DNS names, URLs, MD5s, etc. by the boat-load) but complete ignorance isn’t a viable strategy either. Something is better than nothing and regardless of how well you implement the information from a feed, anything that will help you detect threats better and faster than you could otherwise is a good thing.
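The three basic checks described above (protocol-versus-port mismatch on 80/443, lookups of dynamic DNS domains, and matching connection records against a threat intelligence feed) can be expressed as a few lines of detection logic. The following is an added example, not code from the original post or from any product mentioned in it. It assumes a constructed, whitespace-separated connection log format (source IP, destination IP, destination port, the protocol the appliance identified, any DNS name queried, any file MD5 seen); the feed entries and dynamic DNS suffixes are placeholders, not real indicators; and the protocol column assumes the appliance does protocol identification rather than inferring it from the port.

```python
"""
Added example (not from the original post): three basic detection checks
run over constructed connection log lines.

Assumptions (constructed for this example):
  - each log line is: "<src_ip> <dst_ip> <dst_port> <proto_seen> <dns_query|-> <file_md5|->"
  - THREAT_FEED and DYNAMIC_DNS_SUFFIXES are placeholders, not a real feed
  - <proto_seen> comes from an appliance that identifies protocols by content
"""
from dataclasses import dataclass

# Constructed stand-in for a threat intelligence feed (IPs, domains, MD5s).
THREAT_FEED = {
    "ip": {"203.0.113.77"},                          # TEST-NET-3 address
    "domain": {"bad.example"},                       # reserved example domain
    "md5": {"d41d8cd98f00b204e9800998ecf8427e"},     # MD5 of the empty string
}

# Constructed placeholder list of dynamic DNS provider suffixes.
DYNAMIC_DNS_SUFFIXES = ("dyn-example.test", "ddns-example.test")

# Protocols we expect on the ports that must stay open.
EXPECTED_PROTO = {80: {"http"}, 443: {"tls"}}


@dataclass
class Finding:
    rule: str     # which check fired
    line: str     # the raw log line that triggered it
    detail: str   # human-readable explanation


def parse_line(line):
    """Split one constructed log line into a record dict."""
    src, dst, port, proto, dns, md5 = line.split()
    return {"src_ip": src, "dst_ip": dst, "dst_port": int(port),
            "proto": proto, "dns": dns, "md5": md5}


def check_port_protocol(rec):
    """Flag traffic on 80/443 whose identified protocol is not HTTP/TLS."""
    expected = EXPECTED_PROTO.get(rec["dst_port"])
    if expected and rec["proto"] not in expected:
        return f"port {rec['dst_port']} carrying {rec['proto']}, expected {sorted(expected)}"
    return None


def check_dynamic_dns(rec):
    """Flag DNS queries for names under a known dynamic DNS suffix."""
    q = rec["dns"]
    if q != "-" and any(q == s or q.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES):
        return f"dynamic DNS lookup for {q}"
    return None


def check_threat_feed(rec):
    """Match destination IP, queried domain and file hash against the feed."""
    hits = []
    if rec["dst_ip"] in THREAT_FEED["ip"]:
        hits.append(f"ip {rec['dst_ip']}")
    if rec["dns"] in THREAT_FEED["domain"]:
        hits.append(f"domain {rec['dns']}")
    if rec["md5"] in THREAT_FEED["md5"]:
        hits.append(f"md5 {rec['md5']}")
    return "; ".join(hits) or None


CHECKS = [
    ("port_protocol_mismatch", check_port_protocol),
    ("dynamic_dns_lookup", check_dynamic_dns),
    ("threat_feed_match", check_threat_feed),
]


def scan(lines):
    """Run every check over every non-comment line; return the findings in order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_line(line)
        for name, fn in CHECKS:
            detail = fn(rec)
            if detail:
                findings.append(Finding(name, line, detail))
    return findings


# Constructed sample log: two benign lines, then one line per check.
SAMPLE_LOG = """\
# src dst port proto dns md5
10.0.0.5 198.51.100.10 443 tls - -
10.0.0.5 198.51.100.10 80 http - -
10.0.0.7 198.51.100.20 443 ssh - -
10.0.0.8 198.51.100.30 53 dns host1.dyn-example.test -
10.0.0.9 203.0.113.77 443 tls - -
10.0.0.9 198.51.100.40 80 http bad.example d41d8cd98f00b204e9800998ecf8427e
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}\n    {f.line}")
```

Run against the sample, the scan yields four findings: the SSH-over-443 line, the dynamic DNS lookup, the feed-listed destination IP, and the line that hits both a feed domain and a feed hash. The feed check is deliberately a set lookup so that a feed of many entries costs the same per line; the point of the post is that even this much is better than ignoring the feed entirely.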
Now, I understand I am generalizing here, but I do believe the majority of security departments are guilty of what I’m outlining. I also understand that security professionals are often over-worked – it is not like we’re sitting around ignoring the error reports streaming in – so this is not meant as an indictment. The reason we are in this situation is simple: security is under-resourced to meet the challenges of rapidly expanding threats. The “boots-on-the-ground” information security professional isn’t the problem; they just happen to be the ones absorbing the blows from decisions made elsewhere. However, we need to recognize this situation is untenable. Continuing to do things the way they are currently being done is a recipe for disaster.
On a positive note, I saw some pretty fantastic products this week. The blossoming business of security intelligence is offering some pretty amazing things. My favorite from HP Protect was Secure Islands. This company offers a product which keeps unstructured data secure through a combination of server software and services that run on the users’ local devices (including network-disconnected laptops, tablets and smartphones). First, securing unstructured data is a huge problem and Secure Islands’ solution appears fairly comprehensive. More importantly though, I really like their model with a central server and agents sitting at the end-points – I’ll discuss more on why I like this model in a moment, but first let me reiterate something I’ve said in the past.
Information security needs to break out of the habit of executing on an endless stream of tactical tasks (e.g. updating services, running scans, reviewing policies, training users, etc.) and spend some time learning the business of the business. Information security is really nothing more than the practice of securing data, but if we have reached a point where breaches are expected and we admit we can no longer secure all of our data, we need to focus our efforts on protecting the right data. To do that we need to develop a deeper understanding of the business. What are the business’s strategies and objectives? What are the different business units doing to meet those objectives, and which data is most valuable to those business units in achieving those objectives? What external forces are putting pressure on the organization, whether that be competitors, regulations or changing cultural norms?
To develop that deeper understanding means spending time talking to key internal stakeholders, reading industry news and following legal/regulatory trends. This will make information security better at making rapid critical decisions. It also gives these technical roles the opportunity to demonstrate some strategic thinking – a key skill for anyone on the career path to CISO or CIO. This is a cultural shift for many, but improving the ability to make decisions in the face of limited resources is just good business and is certainly something we can all work towards.
A New Class of Tools
In addition to all of the difficulties and hurdles I’ve already covered, there is one huge gap that needs to be filled with no solution I’m aware of. As I mentioned, information security has some wonderful tools at its disposal and when used to their full extent they can provide a tremendous level of security. There is just one problem: these tools rarely scale well. At the end of the day, the architecture of these tools, appliances and applications requires them to act as a choke point – everything you want to apply that solution to will need to go through that tool – but you can only throw so much hardware at a solution, and for that reason they don’t scale well past a certain point.
In an environment where our interconnectedness (whether that be cloud services, portable devices or dispersed networks) is increasing at an exponential rate, we need to stop thinking about protecting our perimeter and start thinking about the broader concept of information flows and how to monitor, organize and protect those. We are moving away from the typical client/server architecture we are used to protecting to a model more akin to an ever-changing collection of devices, servers and services participating at random times and in a variety of ways. We recognize the internet and BYOD as current challenges, but we still focus on firewalls, IPS and network monitoring. Where are the solutions that don’t require centralization and the bottlenecks it creates? We have all sorts of examples of distributed networks (such as the internet itself), but we don’t have security solutions that work well in this kind of model.
That is the next frontier. Someone will develop a solution that maps the environment around it, continuously updating itself, and building some predictive analytics models around those changes to provide a modern intelligent security solution. We have mature cloud infrastructure models; we have models for distributed applications and the databases serving them; and we have plenty of tools to organize and mine massive amounts of data. Why can’t we have a security solution that works in a similar fashion?
The ability to distribute the resources required for protecting our increasingly valuable caches of data, so that scaling is no longer an issue, would be a huge leap forward. We need a system that can “drink from the firehose.”
The state of security is in dire need of help. Throwing money at the problem always helps, but the field is ripe for some new thinking. As a profession we need to encourage ourselves to get more strategic. In the face of an overwhelming stream of information, a clear understanding of business objectives is a critical foundation for cutting through the clutter. In addition, we need a different class of tools. Tools that act as a choke point, funneling all traffic through themselves, cannot scale the way we need things to scale. Tools based on a distributed architecture would be much better suited to our current reality.
If I’m overlooking something, either a fundamental problem causing the troubles I see in the information security profession, or tools that can truly scale, or maybe you fundamentally disagree with me altogether, I’d love to hear from you.