2014 will likely be marked as the year that the warnings from the past decade about Cyber threats were finally realized. Granted, not all of those warnings have come true, yet - but this year will go down as the worst yet for costly Cyber breaches. That begs an important question - why are we becoming less secure as time is passing - and why haven't the billions of dollars invested in Cyber Security worked?
This is a complex topic, so it will probably help to provide some high level context. We'll start with some definitions:
- Security Architecture - the practice of actively designing security into complex systems or environments.
- Intrusion Detection - the backbone for most perimeter-focused security solutions; focus is detection / prevention of breaches.
- Threat / Vulnerability Management - the practice of tracking and adapting to specific threat vectors (attack signatures, exploits etc.).
- Security Controls - usually a standards-based system & process framework for assessing, securing and auditing security status.
- Social Engineering - the practice of using non-technical persuasion or other techniques to gain information in order to access secure environments.
Now, let's ask the question again. Target, Chase, Sony Pictures - why is this year the year of massive security breaches? What went wrong?
There are 5 top reasons that this is happening; I'll introduce them together and then explore each one in detail later.
- It is easier to Cyber Attack than to Cyber Defend and likely always will be.
- Cyber Security is not viewed from a holistic perspective in most organizations today - this includes many military organizations.
- There is no one magic bullet technique or technology that can secure an organization - yet we spend a lot of our time looking for one or thinking we have one.
- Just as we secure one aspect of the enterprise, 3 new ones pop up that aren't secure - and in many cases each of these offer attack routes back through the areas we thought were secure.
- Cyber Security represents an intersection between (human) behavior and information patterns. We haven't yet resolved either of these issues separately, and we definitely aren't close to dealing with how they intersect.
a representation of pattern identification in Cyber Attacks
So, who am I to discuss such matters? I'm not a recognized Cyber Security expert, that's true. I'm just an IT Architect. But, I'm an Architect who has had the privilege of working on some fascinating Security related projects over the years; my first ones were in 1998 and 1999. In 1998, I worked on a research project for the AF to help develop a next generation Intrusion Detection system - we called it the Secure Adaptive Network Environment (SANE). As you can tell, it was perimeter and data center focused. The second project was much more ambitious: I was brought in as a security architect (from the AF perspective) for the first iteration of GCSS-AF, which was and still is a large data center consolidation and application hosting initiative (now much of it is Cloud-based). Both of these projects helped (for me anyway) to illustrate a number of the key problems that would be associated with Cyber Security for the coming decades (although back then we didn't call it Cyber Security yet). Some of those observations included:
- The notion that the landscape was going to get ever more complex
- The need for unified access control (directory services as well as application logins etc)
- The need for various levels of network security (which was in fact already deployed in the DoD) as well as encryption across public networks
- I saw how easy it was for dedicated enthusiasts to breach most systems they set their sights on (sat in on a few of the first 'hackathons')
- I saw that static or reactive security was the standard operating approach behind most perimeter based security approaches and it was never going to work
- I saw that we in the business were spending way too much time focusing on the products that were supposed to make us secure rather than understanding or controlling the holistic processes necessary for real security.
- And then there is all that log data - which was only going to grow and grow until it would become unmanageable.
- It was obvious that Cyber Space would become another 'field of battle' alongside air, ground, water and space. There would be both state-sponsored and free-enterprise focused organized cyber cadres. As of 2014, these groups have had nearly 20 years to mature - the future of Cyber Security was not the individual hacker like Neo (from the Matrix) but Cyber crime syndicates and armies.
Ten years after these initial security projects, things were developing pretty much the way I had anticipated. If anything, things may have developed slower than I had anticipated - in terms of the number or severity of the breaches happening in 2008 / 2009 - but the trajectory was definitely on track. I thought the time was ripe for moving to the next stage of Cyber defense, but remarkably, I found quite a lot of resistance to the notion of taking a holistic view of Cyber Security, so I moved on to other, more productive arenas.
Example of a Cyber (Defense) Collaboration approach across organizations
Holistic Cyber Security is of course where things have to go and the answer to what's missing. Let's look at each of the five issues I identified above in more depth:
- It's easier to attack: Why should this be the case? Well, the tools that Hackers, Crackers or rogue Cyber syndicates or armies use are less expensive and less complex to use than the tools we use to defend assets. A hacker can get started with almost no investment, while each component of, let's say, a perimeter defense architecture may cost millions and take months to implement. Worse than that, though, is that attackers work as a collaborative community - which means they can collectively share information on how to defeat that new defensive technology, and eventually we end up playing a reactive role - fixing vulnerabilities only after they surface. This situation is unlikely to change under current defensive paradigms.
- Piecemeal Security: That's the opposite of holistic, isn't it? Think about this. Every IT capability in a modern organization represents a potential threat to security. Whether we're talking about a Cloud, a mobile app, an edge device that needs to be secured, data in motion, applications (web based or otherwise), files and documents, email, portals, etc. And usually all of these things are not managed by the same groups within an organization, and often many of these things aren't considered as part of the security landscape at all. Most of the focus for Cyber Security in today's enterprise is still hovering around the perimeter and network. While this part of the picture is important - it is not the whole picture and never was; not in 1998, not in 2008 and certainly not now. On a recent 60 Minutes report, a famous security expert mentioned an even more telling aspect of this problem - even at the perimeter there is now so much information being generated that there is no way to discern what the real threats are. We'll talk about that more in a minute.
- There is no magic bullet: This is a bad habit shared by other aspects of IT, but for Cyber Security this thinking is particularly problematic. In the late 90's and early 2000's the magic bullet was Intrusion Detection and Firewalls. Then there was PKI and a host of other encryption protocols and products, and of course anti-virus software has become more and more pervasive since the late 90's. Even the notion of security standards or controls has been viewed as a magic bullet, but the fact is that whether it is processes, standards or products - all of these elements represent 'part' of a larger picture. That larger picture needs to begin with deliberate Security Architecture on an enterprise scale.
- Cyber Security is Dynamic: Yet most security organizations and products aren't. We understood that all the way back in 1998, which is why we began building community contribution of exploits into Intrusion Detection products. Collaboration on the defensive side is there, but it still isn't as effective as the collaboration on the attacking side, mainly because the job of the defenders is many times more complex. Becoming dynamic is no small task - it requires a paradigm shift in thinking for most organizations, and thus far it is very rare to see it in practice.
- Cyber Security is Information & People: A proactive approach to security requires that the defenders think like those who might attack them and predict or identify weakness. It requires the ability to discern or predict patterns in the ever growing sets of data (just as was highlighted on 60 Minutes). This simply has not happened yet. Despite some progress with Security Controls and Vulnerability / Threat Management, we are still largely operating in a reactive mode. We don't have a good handle on stopping insider attacks or understanding threat behaviors.
In some ways, we've been lucky so far that the Cyber attacks have been primarily focused on stealing information or financial data, rather than attacks on systems dedicated to infrastructure. While many of those systems are somewhat more secure by design, they are not as secure as we might think (just as the breaches this year have called into question the efficacy of security associated with PCI standards and finance-related systems). We are becoming more Cyber Insecure because we are not as adaptive as our opponents and because we still refuse to recognize the full scope of the challenge. In many cases, we are spending perhaps exactly as much as we need to - but we're not spending it the right way or in the right context. We're paying for piecemeal security, and unfortunately that's exactly what we're getting.
copyright 2014, Stephen Lahanas