Information security is at an uncomfortable place in its history, according to Amit Yoran, president of RSA, the security division of EMC.
“No one wants to tell the board that the path forward is unclear,” he told the opening session of the first RSA Conference in Abu Dhabi.
Reiterating the main points of his keynote at RSA Conference 2015 in San Francisco in April, Yoran said the information security industry is, at its core, fundamentally broken.
“Billions of dollars are spent on utterly ineffective technologies – technologies that can’t keep us protected from today’s advanced threat actors. The firewalls, intrusion detection systems and antivirus technologies that the security industry has relied on for decades provide little more than a false sense of security,” he said.
Yoran said these technologies are focused on protecting perimeters based on signatures or some form of advanced knowledge of what an attack looks like.
“But if you look at every single major breach recorded over the past few years, every single victim was already using next-generation firewalls, intrusion protection systems, anti-malware sandboxing technology.
“The dirty little secret in our industry is that all the vendor claims in the world can’t keep you from being victim to a significant breach,” he said.
In response to increasingly sophisticated threats, Yoran said the security industry has simply advocated aggregating “virtually blind telemetry” from their protective technologies into a “glorious and useless money-pit” called the security information and event management (Siem) system.
It did not come as a surprise to many people in the industry, he said, when Verizon’s data breach investigations report revealed that Siem systems identified advanced threat breaches less than 1% of the time.
“And yet, according to Gartner, the Siem market is growing at 11% because security buyers are focused on threat detection and response. It just doesn’t make any sense. Many in our industry are asleep at the wheel,” said Yoran.
“Today’s reality is that the sophisticated bad guys are already inside our environments, while employees are using their own devices, going across carrier networks and accessing enterprise applications, services and data,” he said.
Four principles of security
While, to many, the path forward may seem unclear given this reality, Yoran believes that progress can be made by following four principles.
“First, stop believing that ‘advanced protections’ work. Surely they do, but they absolutely fail also. Don’t believe the marketing hype from the vendor community. We are seeing analytics-resistant malware that evades detection by sandboxes and other advanced systems,” he said.
Yoran said organisations should not make the mistake of believing an anti-malware system is a strategy for dealing with advanced threats. “No matter how high or smart the walls are, sophisticated and professional adversaries will find a way over, under, around and through,” he said.
According to Yoran, any organisation that has not detected a significant breach in recent months is either exceptionally lucky or might be missing something, and should ask themselves what they are doing to accelerate their detection and response capabilities.
Second, he said organisations should adopt a deep and pervasive level of visibility into their environments. “We need visibility everywhere, from the endpoint to the network and into the cloud, if we are to have any hope of detecting these advanced threats.
“You need to know which systems are communicating with which, how, why, the frequency and volume of their communications, their length and, ultimately, the content of the communication itself. You need to know exactly what is happening in the environment to answer the difficult questions.
“These are core, fundamental building blocks for any modern security programme, and if you don’t have that level of visibility, you are only pretending to do security,” said Yoran.
Third, he said that in a perimeter-less world, authentication and good identity governance matter more than ever before.
“According to Verizon’s 2015 data breach investigations report, malware was the primary attack vector in less than half of the advanced threat breaches,” he said.
The report also revealed that web application attacks were the most popular method used in data breaches and that 95% of the time attackers used stolen credentials. “They simply walked right in,” said Yoran.
Attackers also capitalised on user mistakes in stealing credentials, but even security professionals can fall victim to targeted phishing attacks, he said.
“The reality is that we are no longer dealing with simple exploits or zero-day malware. We are dealing with well-resourced and focused adversaries that are going after specific organisational objectives, and at some point in the kill chain of every single one of these campaigns, the abuse of identities is a stepping-stone that advanced threat actors use to impose their will,” said Yoran.
“Strong authentication and identity governance practices, coupled with visibility and behavioural analytics can identify attacks earlier in the kill chain, and mean the difference between successful response and unmitigated disaster,” he said.
Fourth, Yoran said organisations need to know what matters and what is mission critical to the business. “I know that this categorisation of assets isn’t the sexy part of security, but it is absolutely critical in helping deploy and prioritise limited security resources to ensure they have the greatest possible impact,” he said.
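The second and fourth principles above (visibility into which systems talk to which, how often, how much and for how long, ranked by how critical the asset is) can be turned into a simple hunting check over flow records. This is an added Python example, not code from the article or from RSA; the flow records, host names, the 203.0.113.9 address and the criticality tiers are all constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records (not from the article): who talked to whom, over
# which port, how many bytes left the source, and how long the session lasted.
BASELINE_FLOWS = [
    {"src": "hr-db-01", "dst": "app-01", "port": 5432, "bytes_out": 40_000, "secs": 2},
    {"src": "hr-db-01", "dst": "app-01", "port": 5432, "bytes_out": 55_000, "secs": 3},
    {"src": "hr-db-01", "dst": "backup-01", "port": 22, "bytes_out": 2_000_000, "secs": 120},
    {"src": "ws-17", "dst": "app-01", "port": 443, "bytes_out": 8_000, "secs": 1},
    {"src": "ws-17", "dst": "mail-01", "port": 443, "bytes_out": 12_000, "secs": 1},
]
TODAY_FLOWS = [
    {"src": "hr-db-01", "dst": "app-01", "port": 5432, "bytes_out": 47_000, "secs": 2},
    # unseen external peer, hour-long session, huge outbound volume from a database
    {"src": "hr-db-01", "dst": "203.0.113.9", "port": 443, "bytes_out": 900_000_000, "secs": 5400},
    {"src": "ws-17", "dst": "cdn-01", "port": 443, "bytes_out": 9_000, "secs": 1},
]
# Constructed asset criticality tiers ("know what matters"): higher = more critical.
CRITICALITY = {"hr-db-01": 3, "app-01": 2, "ws-17": 1}

def build_baseline(flows):
    """Per (src, dst, port): largest bytes_out and longest session seen so far."""
    seen = defaultdict(lambda: {"max_bytes": 0, "max_secs": 0})
    for f in flows:
        row = seen[(f["src"], f["dst"], f["port"])]
        row["max_bytes"] = max(row["max_bytes"], f["bytes_out"])
        row["max_secs"] = max(row["max_secs"], f["secs"])
    return seen

def host_maxima(baseline, src):
    """Largest outbound volume and longest session this host has shown to anyone."""
    rows = [v for k, v in baseline.items() if k[0] == src]
    return (max((r["max_bytes"] for r in rows), default=0),
            max((r["max_secs"] for r in rows), default=0))

def hunt(flows, baseline, criticality, factor=10):
    """Flag new peers, abnormal volume and abnormal length; rank by criticality."""
    findings = []
    for f in flows:
        reasons = []
        if (f["src"], f["dst"], f["port"]) not in baseline:
            reasons.append("new peer")
        max_bytes, max_secs = host_maxima(baseline, f["src"])
        if f["bytes_out"] > factor * max_bytes:
            reasons.append("outbound volume")
        if f["secs"] > factor * max_secs:
            reasons.append("session length")
        if reasons:
            score = len(reasons) * criticality.get(f["src"], 1)
            findings.append({"src": f["src"], "dst": f["dst"], "reasons": reasons, "score": score})
    return sorted(findings, key=lambda x: -x["score"])
```

The database host talking to an unseen external peer for an hour with 900 MB outbound ranks first; the workstation's new but small CDN session ranks last, so a hunter with limited time looks at the critical asset first.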
A proactive approach to security
According to Yoran, these four principles are the path forward. “We have seen the huge difference it makes where organisations have adopted this proactive approach to security,” he said.
Some companies, for example, are creating teams of “hunters” armed with the right visibility tools to find the adversaries that are already in their environment.
“They are rapidly detecting and understanding the attacks which have been running around in their networks for months, frequently right under the noses of their intrusion detection systems and Siem platforms.
“With these ideas and agile mindsets, we are seeing teams even catch attackers red-handed and be able to disrupt the exfiltration of sensitive data from their environments,” he said.
RSA is not claiming to have all the answers, said Yoran, but it is on a “very aggressive” path to changing a paradigm under which the security industry has operated for decades.
“What I am describing is not a technology problem. We have technology today that provides true visibility, there are multiple, capable methods of providing strong authentication and governing identity much more tightly, and we have systems that can help us actively manage and understand our digital and business risks.
“This is not a technology problem, it is a mindset problem,” he said.