Today's Approach to Security is Broken

Over the last month I've attended four international events that have had a focus on security. And there's one data point that ought to have every CSO, CISO and CIO out there worried. Despite more money than ever being spent on security – and the amount is increasing – the amount of money being lost as a result of security breaches is rising at an even greater rate.

Look back over the last few months. We've had revelations of massive surveillance by the NSA through the information obtained and disseminated by Edward Snowden. Later in the year, we were shocked at the Thanksgiving Day breaches that hit Target, Neiman Marcus and others resulting in over 100 million customer records being lost.

By the time the RSA Conference started in February, bringing together security experts from around the world, we learned that Apple's SSL software was not only flawed but had most likely been open for around six months, making millions of people susceptible to man in the middle attacks.

This month, it was Heartbleed – another SSL flaw that is incredibly widespread and will take months, perhaps years, before all the compromised systems are fixed. There are even rumours that this flaw – which was in the world for two years before it was detected – was being used by agencies to monitor user activity.

Why the history lesson? Albert Einstein said insanity was "doing the same thing over and over again and expecting different results".

For the last twenty years we have been doing the same things. But over the last few years, the world has changed. We are no longer combatting digital vandals and disgruntled individuals. The cybercrime business is exactly that – a business.

The gangs involved in cybercrime are coordinated. They have markets where information, such as exploits and personal data are exchanged, for a fee. There are job boards and career paths for the people involved. Despite the illegality of all this – it is seen by many as a legitimate career option in some parts of the world.

Contrast this with the reactions of most of the world. Most of the effort goes to identifying potential threats and then buying point solutions to address the threats. The different providers of those solutions rarely, if ever, collaborate. There's still a focus on signature-based solutions although that is slowly changing.

In the past, our approach has been similar to how the military fought border attacks. They'd create a barrier and then, when there was an incursion, they'd deploy troops to catch to invaders and repair and reinforce the breach point.

But what we've seen over recent years is that the borders we've sought to build no longer exist. For IT professionals the advent of increased mobility and BYOD has changed the boundaries. Virtualisation has resulted in the proliferation of systems so that applications now span dozens of servers rather than a single processor instance. Critical systems are no longer in data centres but distributed all over the world through third parties delivering cloud services.

We rely on encryption for our storage and communications. End point protection is problematic because of the proliferation of different devices, each with its own operating system and different risk profile.
In other words – we are no longer fighting a border war. We are fighting insurgents who hiding in tunnels and crossing our borders through areas we didn’t even know were accessible. They are attacking end points – civilians if you want to take the military analogy a little further – that we never had to protect from vulnerabilities we never knew existed.

What can you do?

If you're a CSO or CISO then you need to start thinking like an insurer or banker rather than a military strategist.

You can no longer defeat the insurgents by fighting them one at a time. Point solutions, regardless of their individual efficacy, are no longer a valid strategy. That's not to say they aren’t necessary. But they are only part of a strategy. Security cannot be bought in a box.

Businesses that understand security in the modern context know that they need to break the cycle. We know that throwing more money at security doesn’t work – the number of significant breaches and losses tells us that. It means taking a risk-based approach.

Security is not an additional component in your systems design. It needs to be foundational. That means, in many cases, rebuilding existing systems not to address existing security concerns but to better manage the inevitable security issues.

The flaw that is now known as Heartbleed came from a flaw in a trusted piece of software. Although it was flawed it's also a model for how security can work. A codebase such as OpenSSL could be used universally in applications requiring security. However, it would require the software industry to cooperate and collaborate. It would mean companies accepting shared responsibility for a secure codebase that ensures data and credentials are securely stored and transmitted.

The age of passwords has to be declared over. We need better ways to identify individuals and to manage their access to systems. Biometrics, once considered a possible silver bullet, is no longer viable. Fingerprint scanners have been hacked and facial recognition is flawed.

That means a new way of managing identity and permissions needs to built into the fabric of our systems.

Operating systems – from server to end-point – need to be re-architected. Microsoft made huge leaps and bounds when they launched their Trustworthy Computing initiative in 2002. At the time, Windows was a significant threat surface. But they realigned their efforts and arrested the rot. It proves that it is possible to re-architect systems to make them more secure.

It also means more effort and planning needs to be made in dealing with breaches. Monitoring what happens inside systems needs to be prioritised so that unexpected activities are detected. This is the crux of the emerging threat intelligence field and we are only at the start of that journey.

All of this is going to be hard. And it's going to be expensive. But doing what we are doing today is not working. Repeating the same actions and expecting different outcomes isn’t just insane. It will ultimately cost us even more as the bad guys continue to exploit weaknesses and the gap between what we spend and what we lose continues to widen.