SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Four cyber security principles that withstand the test of time
Thu, 6th Jul 2017

Information security can be a noisy place. As a career security guy I have experienced software development, IT security in a very large enterprise, vulnerability research and exploitation, and now an enterprise software vendor. These experiences have given me a deep understanding of the attacker, the typical enterprise, and software development.

For IT professionals frustrated with today's noisy market, my sympathies. I do not envy those making purchasing decisions without the benefit of a deep security background to dissect marketing claims.

The following four principles will help us to stay grounded in this market. Using these as a ‘true north’ will enable people to slice through the confusion, fear and uncertainty in a noisy market.

PRINCIPLE ONE: Compromise is inevitable

Enterprise networks are chaotic beasts of complexity. Even if we patch all the vulnerabilities, there are dozens of other attack vectors. Unpatchable 0-day vulnerabilities are very real.

Users will always click the wrong thing. Vulnerabilities at a DNS provider or ISP will give an attacker man-in-the-middle access (and every free wifi network your users attach to is a different provider). Use SSL certificates to mitigate that risk? Then you are depending on the security of every root CA in the world, and they get compromised too. The list goes on and on, and the risks change daily.

NOTE ONE: In the U.S., this principle is generally accepted as true – but only recently. I think we hit an inflection point around 2014; prior to then I would spend half my briefing time convincing the audience of this truth. Today, that is wasted effort. Many audiences may still need attention to this truth.

COROLLARY ONE: As a result, security in the enterprise is no longer a noun; it's becoming a verb. It's not a thing to buy, it's a thing to do. This is new. Historically security has been the realm of IT and network architects. It was a solution purchased from a vendor, considered a box in the network-architecture diagram similar to a router, proxy or switch. However, when we recognise that compromise is inevitable, we are forced to build operational procedures to manage it.

COROLLARY TWO: Not every organisation can afford to operationalise security. Managed security services are going to grow significantly in the coming years as Corollary One becomes generally accepted. We are in the renaissance era of the managed SOC.

PRINCIPLE TWO: Default-allow endpoint protection products will fail

The layman's explanation is simple: when a system is allow-by-default, we must be able to detect bad things. In the case of malware, the bad things are controlled by the attacker and infinitely variable. It is impossible to build any system that detects all possible bad things from a set of infinite possibilities.

By contrast, when a system is deny-by-default, we must be able to detect good things. Good things are controlled by the system administrators and comprise a finite set of possibilities. It is possible to build a system that detects good from the finite set of expected possibilities. This is why the application control market exists and why leading technology has been successful – it provides the best possible protection available.

NOTE TWO: Information security has learned this lesson before. When the first firewalls were deployed at network perimeters, they were used to block known-bad traffic. We soon learned the attackers could quickly move to new IPs and ports, leading to whack-a-mole games. As a result, best practices shifted to a policy of default-deny at the network. We are playing the same whack-a-mole game on our endpoints today that we played on the firewalls in the late 90s.
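The contrast drawn in Principle Two and Note Two can be shown with a few lines of code. The following is an added example, not code from the article or from any product it alludes to: a minimal policy engine that applies a rule table under a chosen default stance, then evaluates the same constructed artefacts (fake executable contents identified by SHA-256, and protocol/port strings for the firewall analogy) under both stances. The "known good", "known bad" and "variant" byte strings, the rule tables and the function names are all constructed for illustration.

```python
import hashlib
from enum import Enum
from typing import Dict


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"


class Policy:
    """Rules map a key (file hash, 'proto/port', ...) to a verdict.

    Anything the rules do not mention receives the default verdict, which is
    the single setting that separates default-allow from default-deny.
    """

    def __init__(self, default: Verdict, rules: Dict[str, Verdict]) -> None:
        self.default = default
        self.rules = rules

    def evaluate(self, key: str) -> Verdict:
        return self.rules.get(key, self.default)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample "executables": harmless byte strings standing in for
# binaries an administrator has approved (finite, under their control) and
# for a malware sample a vendor has already catalogued.
KNOWN_GOOD = [b"constructed: text editor build 1", b"constructed: mail client build 7"]
KNOWN_BAD = [b"constructed: known malware sample A"]


def endpoint_policies():
    """Build the two stances from the same knowledge about the estate."""
    allowlist = Policy(Verdict.DENY, {sha256(b): Verdict.ALLOW for b in KNOWN_GOOD})
    blocklist = Policy(Verdict.ALLOW, {sha256(b): Verdict.DENY for b in KNOWN_BAD})
    return allowlist, blocklist


def compare_endpoint(sample: bytes) -> Dict[str, str]:
    """Verdict each stance gives for one executable's contents."""
    allowlist, blocklist = endpoint_policies()
    digest = sha256(sample)
    return {
        "allowlist": allowlist.evaluate(digest).value,
        "blocklist": blocklist.evaluate(digest).value,
    }


# Firewall analogy from Note Two: services the business runs are finite;
# ports an attacker might choose are not.
SERVICES_OFFERED = ["tcp/443", "tcp/25"]
KNOWN_BAD_PORTS = ["tcp/23"]


def compare_network(flow: str) -> Dict[str, str]:
    """Verdict each stance gives for an inbound flow such as 'tcp/4444'."""
    allowlist = Policy(Verdict.DENY, {p: Verdict.ALLOW for p in SERVICES_OFFERED})
    blocklist = Policy(Verdict.ALLOW, {p: Verdict.DENY for p in KNOWN_BAD_PORTS})
    return {
        "allowlist": allowlist.evaluate(flow).value,
        "blocklist": blocklist.evaluate(flow).value,
    }


if __name__ == "__main__":
    # A one-byte change to the catalogued sample models a repacked variant:
    # its hash no longer matches any blocklist entry.
    cases = {
        "approved editor": KNOWN_GOOD[0],
        "catalogued malware": KNOWN_BAD[0],
        "repacked variant": KNOWN_BAD[0] + b" v2",
    }
    for label, sample in cases.items():
        print(f"{label:20} {compare_endpoint(sample)}")
    for flow in ["tcp/443", "tcp/23", "tcp/4444"]:
        print(f"{flow:20} {compare_network(flow)}")
```

The interesting row is the variant: the blocklist still returns "allow" because its verdict depends on recognising something the attacker controls, while the allowlist returns "deny" because the administrator never approved it. The same asymmetry appears for the unexpected port. In a real deployment the rule table is maintained by tooling rather than a literal, but the default verdict is still the property that decides which side of this asymmetry you are on.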

COROLLARY THREE: When endpoint malware protection products fail, what happens next? What procedures does an operations team have to detect and respond to the malware that gets missed? The best practice is traditional forensics – memory or disk imaging – but those procedures take significant time (and cost) for both acquisition and analysis. Analysis of a single host takes at least hours, possibly days to weeks – too expensive for an enterprise SOC investigating new, real incidents every day. This is why the EDR segment exists and certain technology has been successful.

Principle Three: Principle one, Principle two and their corollaries are fundamental truths

These ideas are not marketing spin, they are not fear-mongering, they are not opinion. They are rooted in the simple realities of computing and networking. Further, the ideas are not new. They are not newly developed theories that have recently emerged. The U.S. Dept of Defense, led by the Air Force, recognised these principles 15 years ago and started investing heavily in operationalising information security. Awareness was not limited to DoD. Bruce Schneier's book Secrets & Lies was published in 2000 and included these principles in the first edition. Kirk Bailey, now CISO at the University of Washington, was using the term ‘assumption of breach’ in 2002 to describe his security management philosophy. These principles have been driving the transformation of information security since at least 2002.

Principle Four: Collectively, we are still learning Principles one and two

Security is undergoing a transformation worldwide. There is still a wide variety of opinions and perspectives, each coloured by their own experiences. Many opinions will be in the traditional IT mindset of architecture, governance, compliance and controls – a security sub-culture that has dominated information security personnel for many years. The more advanced opinions will prioritise the threat and attacker behaviour over compliance and governance.

The industry is seeking alternatives to traditional AV but, in some cases, resisting the change required to operationalise their security programs. There is a market segment of solution-seekers that continues to cling to the false hope they can continue security as a noun, as a solution they buy, set and forget. What is needed is a platform easy enough for today's solution-seekers, but one that does not compromise the security principles that will keep it durable as they grow to understand Principles One and Two.

In closing

Some may read this and disagree. If so, they should reflect on their experiences and their industry's risk tolerance. Operationalising security is inevitable. I have been actively seeking counter opinions for many years and have not yet discovered any sufficiently supported to change my position. Meanwhile, there is growing support among experts who similarly believe it is the only way we can improve security efficacy.

I encourage those who agree to share their perspective. The longer we continue to cling to the false hope that we can fix security by simply deploying a magic product, the longer we will put off building the combination of products, people and processes required to address any complex problem. The industry needs leadership to help shape our future.