Security is broken. Captain Obvious here. We all know that, but it doesn’t really help, does it? I came across a good post by Bobby Dominguez, whom I met through Shimmy (but I won’t hold that against Bobby), which talks about rethinking security. To provide the proper context, check out this excerpt, which beautifully highlights our futility:

While all good security practitioners employ risk management techniques to protect the enterprise, we still can only get funding as an after-the-fact remediation. When we do get mitigation funding we deploy technologies that reduce impact or the likelihood of an event occurring. But these events are based on existing threats and the threats are evolving faster than point-solutions can be produced.

Wow. That hits me like a kidney punch. You? Basically we aren’t getting it done and the game (as it’s laid out today) is stacked against us. So we need to change the game and Bobby has a few ideas on how to do that. The good news is that much of what he’s saying here are the cornerstones of what Securosis has been preaching for years, and I’ll use our terms to describe Bobby’s points.

  1. Information-centric security: Yes, focus on what needs to be protected rather than an infrastructure-based security model with appliances layered upon layer… This is the hard path. You get no credit when you still have to layer on those appliances because of compliance mandates. But still, if you want to have any chance, you need to start thinking about protecting the data, not just the devices.
  2. Trust no one: There is no insider or outsider anymore. They are all threats and must be treated as such. That means embracing things like user activity monitoring and checking for anomalous behavior. And that even applies to you. Separation of duties is a good thing.
  3. Embrace the commodities: Bobby talks sense about treating mature security technologies as the commodities they are. Why buy premium AV when they all suck (relatively) equally? Things like firewalls and IDS, and a bunch of other stuff, fit into the same category. That doesn’t mean there aren’t some capabilities that break commodity gear out of commodity status (like application aware firewalls), but for the most part focus your spending on technologies that will protect the most valuable stuff – that generally means focusing on the application layer.
  4. React Faster and Better: Despite Bobby’s rather abstract analogy about treating your network like a human body (so I should ply it with beer and other hallucinogens to make daily existence tolerable, right?), Bobby’s point is that we are already compromised. So focus your antibodies (security defenses) on figuring out where and how you are sick and attacking the infection. Yes, Rich and I are writing about that right now, so you have plenty of context for this concept.

All told, I think Bobby does a good job of underscoring the fact that the status quo is dead, whether you want to believe it or not. There are some things we have to do because of old-line thinking and compliance mandates, but putting those requirements within the context of a different mindset can make a huge difference.