Amit Yoran, President of RSA, The Security Division of EMC, kicked off RSA Conference 2016 with an opening keynote that urged the crowd to step back and assess the industry’s challenge from a different perspective.
Yoran said that the problem with security wasn’t a technology one, but one where the adversaries were more creative, patient and persistent. “They are single-minded. They have a target – no prescribed path to get there, no overarching rules, just a target – and a virtually limitless number of pathways to explore.”
To deal with them, Yoran argued that we needed, “To leverage our own smart creatives – our own curious, problem-solving analysts and set them loose to track down and hunt for our opponents.”
“If security is focused on compliance, you’re doing it wrong,” he said. “Embrace the freedom to actively hunt for adversaries, you’ll attract the right team, and in doing so, create the right culture.”
One year ago
According to Peter Nguyen, Director of Technical Services, LightCyber, last year, Yoran said that the security industry had adopted a defensive mindset that mimics the dark ages, “Beyond this irrational obsession with perimeters, the security profession follows an equally absurd path to detecting these advanced threats.”
Since then, Nguyen said, there have been countless breaches, some of them still undiscovered. “Even this week, across the Bay, the University of California at Berkeley was victim of its third significant breach. The unfortunate reality is that not much has changed since last year.”
This could be one reason for Yoran's call for a new perspective on security.
Yoran also called for organizations to focus technology investments on supplementing and enhancing their security teams’ native capabilities to make them smarter, more efficient, and more scalable. And if they couldn’t hire people with the right skills, he called for businesses to groom their own.
“Organizations need to create a culture that embraces the smart creative, the free thinker, and the curious. If your security program is focused first and foremost on compliance, then you are doing it wrong. Embrace the freedom to actively hunt for adversaries, you’ll attract the right team, and in doing so, create the right culture,” he said.
Security failures abound
Yoran said that the general purpose computing paradigm we have been operating under, cannot be secured. “As we continue pushing all of our communication, collaboration, and commerce online, pretending that our preventative technologies like anti-virus, malware sandboxing, firewalls and next generation firewalls, will keep us safe when we know they won’t,” he said.
Additionally, Yoran said that passwords and strong multifactor authentication have failed without the added perspective of fluid, contextual awareness.
Visibility into identities only takes us so far, though, he said: “We must push our visibility much deeper into our networks, our endpoints, and the cloud. Logs are simply not enough. We need visibility of full packet analysis of our networks combined with an understanding of telemetry from our endpoints to see exactly what is going on.”
Today, less than one percent of enterprises have the ability to detect an active attacker on their network that has circumvented preventative security and is at work exploring a network, trying to find and gain control of or access to valuable assets.
New strategies and solutions are available, and they have proven themselves effective over the past year, but the problem is that they are not well known, Nguyen said. “The bigger problem is that security professionals still are deeply locked into the preventative mentality. Perhaps they have succumbed to the marketing spin that renames preventative security technologies as detective?”
“Today it is certainly possible to turn the tables on network attackers and find them before theft or damage occur,” Nguyen explained, “but security pros have to be willing to put a little less focus on higher and thicker walls, back off an exclusive focus on malware and want to find attackers by their operational activities.”
Not going alone
While critical of any proposed weakening of encryption and suggesting any policy that does is severely misguided, Yoran admitted that the private sector couldn’t do this alone and needed the government to enact policies that helped rather than hindered security.
Yoran called for additional emphasis on talent development and greater alignment between the public and private sectors’ cybersecurity agenda in terms of leadership, transparency and policy development.
Aligning technology to enable the hunters
Yoran called for businesses to focus their investments on technologies that enhance rather than replace human creativity and problem solving. “Technologies that automate routine and mundane tasks help,” he said. “Black boxes that just throw off alerts without supporting data or explanations provide the illusion of security.”
With technologies like behavioral attack detection, Nguyen said, companies can establish an ongoing profile of known good for users, devices and networks, and from there detect malicious anomalies. Start with a full view of network traffic and integrate endpoint intelligence to augment these observations. Use machine learning to see connected events that are representative of an attack, so the system can issue a small number of highly accurate, actionable alerts that are already researched. The flood of hundreds or thousands of daily alerts has got to stop; no organization can deal with such numbers. Alerts must be precise to do any good, Nguyen said.
Yoran agreed that intelligence also needs to be included as we need to know why something is being flagged. “We need tools that give us the comprehensive visibility we discussed earlier; the perspective to see the whole playing field and when rules are being violated,” Yoran added.
All of this goes against the grain of the last 20 years of security, but it is crucial if the industry wants to change the dynamic and put the attacker at a formidable disadvantage. Nguyen added, “Don’t give up on preventative security, but start to actively embrace new ways of finding and stopping in-progress network attacks.”