NEWS ANALYSIS: In a vast room full of security technology companies, there’s little unanimity about ways to improve data security. But top security researchers tell a different story.
Oxon Hill, Md.—It should be no surprise that when you talk to marketing executives for security vendors each one will say that whatever it is their company provides the best way to bolster data security. That is, after all, their job.
That view certainly prevailed at the Gartner Security and Risk Management Summit held in the Gaylord Convention Center just barely outside the Capitol Beltway that encircles Washington, DC.
And as you’d also expect the topic of discussion that came up in every conversation even vaguely related to security is the recent data breach disclosed by Office of Personnel Management, which disclosed June 4 that hackers had made off with millions of personnel records of government employees and other people including contractors with security clearances. Since nobody actually knows any solid details about what happened, speculation ran rampant.
Fortunately, I was able to find some serious security researchers at the event, in this case people who were quietly advising some of those three-letter agencies at the capital we expect are able to keep confidential data from being leaked or stolen. Their views were much different.
“This is why we need a new paradigm,” Jasper Graham said as we talked in his hotel suite far from the crazed goings on at the Gartner event. Graham, who is senior vice president of cyber technologies and analytics for Darktrace and formerly a National Security Agency cyber-security expert, said that the industry needs to abandon the idea that perimeter defense of the enterprise is enough.
“You might be able to keep out 90 percent,” he said, referring to the number of people trying to break into an enterprise network, but he said that the remaining 10 percent are smart and motivated so inevitably they will find a way to get into your network.
Because keeping hackers out of your network is essentially impossible, what enterprises must do is find ways to make their valuable data inaccessible or useless, or preferably, both. This is the reason that hackers were able to penetrate OPM, as well as Target, Sony and Anthem, he said. Those networks, he pointed out, were not segmented and their critical data wasn’t encrypted.
Sadly there are worse problems than just limiting security to perimeter defense. Torsten George, VP of marketing for Agiliance shook his head in dismay as he told me of a company that asserted it didn’t need any sort of cyber-security protection.
“They said they had cyber insurance, and that was enough,” he said. I asked him if that company’s cyber insurance was going to cover the company’s drop in valuation or the firings of the company’s CIO and CSO when the board found out why any hacker was certain to be successful.