I have always believed that security – both physical and digital – is a self-correcting system.
No one wants to invest any more into security than they need to. Locks, passwords, firewalls, well-armed ninja – they all take money, time, and effort we’d rather spend getting our jobs done, with our families, or on personal pursuits. Only the security geeks and the paranoid actually enjoy spending on security. So the world only invests the minimum needed to keep things (mostly) humming.
Then, when things get really bad, the balance shifts and security moves back up the list. Not forever, not necessarily in the right order, and not usually to the top, but far enough that the system corrects itself enough to get back to business as usual. Or, far more frequently, until people perceive that the system has corrected itself – even if the cancer at the center merely moves or hides.
Security never wins or loses – it merely moves up or down relative to an arbitrary line we call ‘acceptable’. Usually just below, and sometimes far below. We never fail as a whole – but sometimes we don’t succeed as well as we should in that moment.
Over the past year we have gotten increasing visibility into a rash of breaches and incidents that have actually been going on for at least 5 years. From RSA and Comodo, to Epsilon, Nasdaq, and WikiLeaks. Everyone – from major governments, to trading platforms, to banks, to security companies, to grandma – has made the press. Google, Facebook, NASA, and HBGary Federal. We are besieged from China, Eastern Europe, and Anonymous mid-life men pretending to be teenage girls on 4chan.
So we need to ask ourselves: Now what?
The essential question we as security professionals need to ask is: is the quantum dot on the wave function of security deviating far enough from acceptable that we can institute the next round of changes? We know we can do more, and security professionals always believe we should do more, but does the world want us to do more?
Will they let us? Because this is not a decision we ever get to make ourselves.
The first big wave in modern IT security hit with LOVELETTER, Code Red, and Slammer. Forget the occasional website defacement – it was mass malware, and the resulting large-scale email and web outages, that drove our multi-billion-dollar addiction to firewalls and antivirus. Up and down the ride we started.
The last time we were in a similar position was right around the time many of the current trends originated. Thanks to California SB1386, ChoicePoint became the first company to disclose a major breach back in 2005. This was followed by a rash of organizations suddenly losing laptops and backup tapes, and the occasional major breach credited to Albert Gonzalez. PCI deadlines hit, HIPAA made a big splash (in vendor presentations), and the defense industry started quietly realizing they might be in a wee bit of trouble as those in the know noticed things like plans for top secret weapons and components leaking out. And there were many annual predictions that this year we’d see the big SCADA hack.
The combined result was a more than incremental improvement in security. And a more than incremental increase in the capabilities of the bad guys.
Never underestimate the work ethic of someone too lazy to get a legitimate job.
In the midst of the current public rash of incidents, we have also seen far more than an incremental increase in the cost and complexity of the tools we use – not that they necessarily deliver commensurate value. And everyone still rotates user passwords every 90 days, without one iota of proof that any of the current breaches would have been stymied if someone had added another ! to the end of their kid’s birthday. 89 days ago.
Are we deep into the next valley? Have things swung so far from acceptable that it will shift the market and our focus?
My gut suspicion is that we are close, but the present is unevenly distributed — never mind the future.
6 Replies to “FireStarter: Now What?”
“And everyone still rotates user passwords every…”
You had to go there, didn’t ya?! 🙂 Anyway, that’s a fire in and of itself!
“Are we deviating far enough from acceptable to get the next round of changes?” Hmm… are we possibly in a position where the last round of changes will be seen as not helping as expected? I don’t agree with that, but it might be interesting if we end up with a lashback effect where the damned security team can’t give “we’re good, sir” answers without qualifying statements. (Why, hello there risk, welcome to IT!) Nor can PCI, when really pinned down to ask.
I would hope that we’re at a point where the shift will not necessarily be a technological one, but rather a shift in the staff support, both from a SOC analyst level but also in guidance/leadership levels. I think our security technology will always lag behind general technology just a bit. But I more and more just feel that we don’t have enough people keeping security tech in line, making decisions based on what is presented, and handling situations. IT architecture and software still grows without regard to security input. We can’t keep tacking junk on after the fact, just because that’s how duties are divvied in an organization. “Oh, netops will do it.” “Oh, devs will do it.” “Oh, security will do it.” <- need more: “We will do it.” IPv6 is going to be a nightmare to security if the network team just does it…

If I really had my nipples twisted to give an answer in the technology field, I might squeak out something about being far more data-centric, data-tracking, data-tagging. It still seems hard to answer the question of when did someone do something with what? If the OSs can’t do this, then the “new” middle layer of apps/webs needs to keep doing it. Business could probably use lessons from the medical field with their HIPAA requirements and patient records.

I really like the tools and spaces we have to handle security questions and detection and prevention. I know we collectively rag on them a lot, but I try not to because I do actually like them as they are. But some of our tools are just god-awful bloated and unwieldy to a point where they’re clumsy and result in clumsi-fied analysts. Security spends more time doing user/operations crap than actual security crap because of it. We have log gatherers, netflow dissectors, event analysis tools, packet capturing abilities, malware analysis debuggers, endpoint security solutions, encryption, etc.

We have so many technological tools at our disposal, but all of them overwhelm our security numbers and our security aptitude; we learn how to use tools more than we learn how to be agile and work in between the cracks with surgical efficiency. /rant…
I agree with P… most security people have lousy technical skills and are worse executives or managers. “Never underestimate the work ethic of someone too lazy to get a legitimate job.” Actually, these days this is their job, i.e. skimming, click fraud, spamming, and hacking….
My 3 cents….
My gut is in line with yours: if we aren’t in the next valley, we are pretty close. However, I’ll raise your firestarter with another firestarter 🙂
You state: “We know we can do more, and security professionals always believe we should do more, but does the world want us to do more?”
I would argue that most security professionals truly do not know how to do more other than look for the next whizbang security appliance. The difference with this valley is that there are relatively no whizbang security technologies that will mitigate this problem.
True change will require the security profession to look inward toward more business risk mitigation, threat detection, rapid response, and far more data driven decisioning rather than continuing to look outward for someone else or thing to solve the problem.
My two cents 🙂
I remember Code Red and Slammer with some fondness. We didn’t get nailed by them, not because we had the latest whizzbang tech, but because we didn’t. I didn’t get budget for cool tools back then, so it was a case of doing the basics well: defining least privilege, implementing it, and doing routine build compliance checks to make sure it stayed that way. The sysadmins hated me, right up till they were the only ones not rebuilding all their systems. Now it’s easier to get budget, the FUD is flying thick with TLAs, and security is a higher (slightly) priority as the regulator wields a bigger stick. Sometimes I wonder if I’m getting all “magpie” and I keep going back and grounding myself in the basics. It’s hardly palatable polemic to say that, and I’m not, by any stretch of the imagination, a luddite, but sometimes it’s the uncool that works. Maybe it’s not doing “more” we need to worry about, but doing what we were always doing, only better.