Is security really stuck in the Dark Ages?

Amit Yoran’s colleagues didn’t agree with everything the RSA President said at his keynote last month. But most say he got the essentials right – things are bad and getting worse, and the industry needs a new mindset


Ron Gula, CEO of Tenable Network Security, says while he agrees that, “most organizations operate, support customers and do business in the environment Amit describes,” it is hard to claim with certainty what the state of security really is.


Ron Gula, CEO of Tenable Network Security

“It could be much worse than Amit describes, but it could also be much better,” he said.

He said breaches, while they are an increasing fact of life, are no longer the most important challenge for the industry. “Hacking data alone isn’t getting a huge response from the public,” he said. “The next level we are moving to is real cyber warfare or cyber terrorism.”

And Gary McGraw, CTO of Cigital, said Yoran was “stating the obvious” when he said the adversaries are winning, but was missing the more important point – that too many systems don’t even have a good perimeter to defend. “Perimeter security only works if you have a perimeter,” he said, “and that starts with building things that don’t suck. He’s got the cart before the horse, and the cart is in a different state.”

Gary McGraw, CTO, Cigital

In his keynote, Yoran said a major reason the security industry needs a new “map” is because, “we can neither secure nor trust the pervasive, complex, and diverse endpoint participants in any large and distributed computing environment, let alone the transports and protocols through which they interact.”

His colleagues say that while they agree endpoint protection is a problem, they think a blanket statement like that is overly broad.

“Yes, the PC endpoint is lost indeed,” Chuvakin said. “But strangely enough, a mobile endpoint is a bright area – despite all the whining about Android malware, iOS and Android are relatively unscathed.”

And Gula said it doesn’t apply to all business sectors. “Manufacturers of ATMs who run their own network, write their own code, etc., would completely disagree,” he said. “ISPs that carry their customers’ data would disagree as well.”

There were also mixed views on Yoran’s five recommendations (see sidebar) for the industry to “reprogram itself for success.” Two of them are to, “stop believing that advanced protections work,” and to, “adopt a deep and pervasive level of visibility everywhere, from the endpoint, to the network to the cloud – what SIEM (Security Information and Event Management) isn’t, but was meant to be.”

Chuvakin said that just because something is not 100% effective doesn’t mean it doesn’t work.

“Try this for size,” he said. “A bulletproof vest does not work, since you can be shot in the head or burned or shot with an armor piercing bullet. Nobody thinks like that.”

But he and others agree with the need for more visibility. “What you can’t see will in fact hurt you in the long run,” Pirc said. “That’s why you need visibility throughout your entire infrastructure.”

Sudhakar notes, however, that calling for visibility and achieving it are two different things. “A big part of the problem is that while we have a handle on known threats, we do not have a good handle on unknown or hidden threats,” he said.

And McGraw said visibility, while a good thing, doesn’t matter that much if systems lack security by design. “You should do that, but build good stuff first,” he said, likening it to tracking termites in a house built of wood. “You can spend your time with a whole army tracking termites, or you can change your building material from wood to steel,” he said.

But, he said, “the good news is that RSA already has a robust software security approach. It’s being run by Eric Baize, and he’s doing a great job.”

Gula and others say the industry is moving in the right direction, through compliance with regulatory regimes like SOX (Sarbanes-Oxley Act) and PCI DSS (Payment Card Industry Data Security Standard) that, “require least use of privilege, no admin accounts, etc. – these are directed against insiders. Also, there is a move by many organizations with cloud assets to have centralized authentication, such as single sign-on, which is also a large deterrent and form of detection of insiders,” he said.

But they also offered a few additional suggestions for what Yoran said should be the goal – a new “Age of Enlightenment” in security.

Chuvakin said that good visibility should be supported by, “effective security incident planning.”

According to Sudhakar, organizations should be using, “behavioral analytics and machine learning to uncover hidden threats and vulnerabilities.”

He added that since IT security people are hard to find and retain, organizations should, “automate to the maximum degree possible so that you can do more with less. Automation can also change the internal dynamic, as IT security staff can become threat hunters instead of being the hunted.”

Kraus also said planning is important. In war, he said, “does the U.S. simply give soldiers guns and point them to the battlefield? Or, is it more likely that they train their soldiers and appoint leaders to drive the battle to a successful outcome?”

Overall, as tough as the message was, it was welcome. Yoran said this week that while he had been uncertain about what the response to his keynote would be, “I was actually a bit surprised by seemingly unanimous support from colleagues and even competitors. Many people have come up to me or tweeted since that I said what needed to be said, and that they hoped that the speech served as a catalyst for necessary and significant change in the industry’s mindset.”

Copyright © 2015 IDG Communications, Inc.
