Who doesn't love the beginning of a new year? It offers us all a timely opportunity to step back from the typical daily grind, reflect and plan for the future. Unfortunately, this is also the time of the year that security companies come out of the woodwork with their "predictions" on the state of the security industry in 2016.
Get ready for security vendor 'X' to bedazzle you with statistics on the onslaught of insecure IoT devices or state-sponsored cyberattacks and global ransomware campaigns geared at holding your digital life hostage. Amidst all of these "sky is falling" prognostications, one could be forgiven for a heightened sense of fear, uncertainty and doubt (FUD) on their prospects for riding out 2016 unscathed and protected from impending doom.
So, I'll resist the temptation to pile on with more self-serving FUD, but rather make a single observation: all of the predictions you are currently bombarded with are not worth the paper they are printed on.
Because the current model of security is a failure that we read about every day. OPM, JPMC, Anthem, Home Depot and the list goes on. Legacy technologies architected to prevent yesterday's threats are the current gold standard of our industry. In my view, the model continues to fail for the following reasons:
Complex Threats Execute Over Time. However, the industry standard of next generation, real-time prevention of all threats does not take this time axis into account. Most next generation, real-time prevention technologies are constrained by a single moment of truth to convict an actor, a file, an executable or an email as malicious. One shot at prevention before the malware finds its way into an organization where it stays unobserved and fortified for a year (or more). A lot can happen over that period of time: lateral movement, beaconing, exfiltration and theft of proprietary data, or worse. In order to gain ground in this battle, modern security should account for the time axis in a meaningful way.
Point Products Overwhelm Humans. The products that are currently in place produce a staggering amount of alarms that overwhelm already stretched security teams and incident responders. According to FireEye, a typical organization struggles to chase down 500,000 or more alarms on a daily basis. Regardless of the size of your security team, it's highly likely that something important will be overlooked. Overlooking too many items will likely result in the compromise of your organization. Modern security should evaluate every alarm in context as a means of reducing the flood of uninteresting or inaccurate noise and focusing responders on priority events as well as where to look next.
Advanced Humans are in Short Supply. Our industry struggles with attracting and retaining talented security professionals and there is simply not enough talent to go around. Cisco predicts that the shortage of security professionals will continue to accelerate with one million current security job vacancies even as cyber attacks and breaches increase annually. Those security professionals that are on staff are too busy troubleshooting and responding to the myriad of daily alarms to hunt proactively for threats on their network. At best, teams are running in place while trying not to fall too far behind in their daily security marathon. We need to increase the productivity of our teams in a way that allows them to focus on the parts of the network that matter most, and enable them to surface previously unknown security events.
To respond to these challenges, I advocate a different approach and a new model for security that focuses on enabling:
Pervasive Network Visibility: You can't protect what you can't see, yet most organizations simply have no visibility and don't know who or what is on their networks. Smartphones and cloud applications compound this challenge. It's critical for organizations to have an accurate picture of the actors, applications and network traffic flowing across all network segments. The network does not lie and holds the clearest picture of what's happening.
Detection & Continuous Analysis Over Time: Real-time detection of threats should always be the goal, but what happens when that detection fails? As the future threat landscape changes, you should also be able to understand and pinpoint exactly what these changes mean to your organization, both now and historically. The ability to reconstruct the state of the network at any time and use this state to detect changes is a critical capability that our security teams need now. If a critical zero-day exploit surfaces next week, you'd like to be able to understand exactly how it affected your organization six months or a year or more ago, as well as now.
Response to Security Events: A significant challenge security teams encounter when investigating a security event is an overall lack of information related to the event itself. The relevant information was not retained because no one knew it would be needed when it was deleted yesterday, last week, last month or last year. It's tough to be a data analyst if you lack the data. Without the data you can't even formulate the right questions to ask. Only the largest organizations in the world have the resources to persist and maintain massive data lakes where all information is available for analysis and use. What do others do? They do what they can, but this is often woefully insufficient. For example, investigating a security event that initially occurred 6 months ago with 2 days' or 2 weeks' worth of data is going to leave many questions unanswered. To be effective, security teams need to be armed with the data and analytics for time periods that extend beyond the current breach detection window of 200+ days. Full-fidelity visibility into the network via PCAP and netflow allows for an exact reconstruction of network state at any point in time for forensic investigators or threat hunting teams.
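As an added illustration of the retention argument above (example code, not from the original post): a few constructed netflow-style records spanning six months, a hypothetical `retrospective_hits` function that matches a newly learned indicator against whatever flows a given retention window still holds, and a comparison of 2-day, 14-day and 365-day windows.

```python
from datetime import datetime, timedelta

# Constructed sample flow records (not real data): timestamp src dst dport bytes.
# The host 10.1.4.22 has been talking to 203.0.113.9 since June; the same
# destination becomes a known-bad indicator only at the end of December.
SAMPLE_FLOWS = """\
2015-06-14T02:11:05 10.1.4.22 203.0.113.9 443 812
2015-06-14T02:41:07 10.1.4.22 203.0.113.9 443 790
2015-09-02T13:05:44 10.1.7.15 198.51.100.20 80 51233
2015-12-29T09:12:31 10.1.4.22 203.0.113.9 443 801
2015-12-30T17:44:10 10.1.9.3 192.0.2.44 22 2210
"""

# Assumed analysis time: the day the indicator arrives.
ANALYSIS_TIME = datetime(2015, 12, 31)


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts with a datetime timestamp."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def retrospective_hits(flows, indicator_ip, now, retention_days):
    """Flows to indicator_ip that a retention window of `retention_days` ending
    at `now` still holds. Anything older was discarded before the indicator
    existed, so it can never be matched, however good the indicator is."""
    cutoff = now - timedelta(days=retention_days)
    return [f for f in flows if f["ts"] >= cutoff and f["dst"] == indicator_ip]


def first_seen(hits):
    """ISO timestamp of the earliest surviving hit, or None if nothing matched."""
    return min(h["ts"] for h in hits).isoformat() if hits else None


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for days in (2, 14, 365):
        hits = retrospective_hits(flows, "203.0.113.9", ANALYSIS_TIME, days)
        print(f"{days:>3}-day retention: {len(hits)} flows, first seen {first_seen(hits)}")
```

With a 2- or 14-day window the investigator sees a single flow from 29 December and concludes the host was just compromised; only the 365-day window reveals the beaconing began in June.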
Many organizations don't know where to begin because they are mired in legacy architectures and point products. There are clear challenges associated with the scale of the information that organizations will need to retain and analyze to be successful. In my view, pervasive network visibility combined with a focus on real-time and retrospective detections and access to analytics on demand will allow our security teams to not only put out the daily fires but also start to hunt for and thwart the adversaries preying on our organizations.
And rather than wasting cycles on FUD and colorful prognostications, let's stop admiring the problem and start solving it.