
Four cyber security principles that withstand the test of time

Thu 6 Jul 2017

Information security can be a noisy place. As a career security guy I have worked in software development, IT security in a very large enterprise, vulnerability research and exploitation, and now at an enterprise software vendor. These experiences have given me a deep understanding of the attacker, the typical enterprise, and software development.

For IT professionals frustrated with today’s noisy market, my sympathies. I do not envy those making purchasing decisions without the benefit of a deep security background to dissect marketing claims.

The following four principles will help us to stay grounded in this market. Using them as ‘true north’ lets people slice through the confusion, fear and uncertainty of a noisy market.

PRINCIPLE ONE: Compromise is inevitable

Enterprise networks are chaotic beasts of complexity. Even if we patch all the known vulnerabilities, there are dozens of other attack vectors. Unpatched and unpatchable 0-day vulnerabilities are very real.

Users will always click the wrong thing. A vulnerability at a DNS provider or ISP will give an attacker man-in-the-middle access (and every free wifi network your users attach to is a different provider). Use TLS certificates to mitigate that risk? You are then depending on the security of every root CA your clients trust, and CAs get compromised too. The list goes on and on, and the risks change daily.

NOTE ONE: In the U.S., this principle is now generally accepted as true, but only recently. I think we hit an inflection point around 2014; prior to then I would spend half my briefing time convincing the audience of this truth. Today, that is wasted effort. Audiences elsewhere may still need convincing.

COROLLARY ONE: As a result, security in the enterprise is no longer a noun; it’s becoming a verb. It’s not a thing to buy, it’s a thing to do. This is new. Historically security has been the realm of IT and network architects. It was a solution purchased from a vendor, considered a box in the network-architecture diagram similar to a router, proxy or switch. However, when we recognise that compromise is inevitable, we are forced to build operational procedures to manage it.

COROLLARY TWO: Not every organisation can afford to operationalise security. Managed security services are going to grow significantly in the coming years as Corollary One becomes generally accepted. We are in the renaissance era of the managed SOC.

PRINCIPLE TWO: Default-allow endpoint protection products will fail

The layman’s explanation is simple: when a system is allow-by-default, we must be able to detect bad things. In the case of malware, the bad things are controlled by the attacker and infinitely variable. It is impossible to build any system that detects all possible bad things from an infinite set of possibilities.

By contrast, when a system is deny-by-default, we must be able to recognise good things. Good things are controlled by the system administrators and comprise a finite set of possibilities. It is possible to build a system that recognises the good from a finite set of expected possibilities. This is why the application control market exists and why the leading technology has been successful. The cost is that the set of good things must be maintained: every legitimate update changes a binary, so default-deny only works where someone operates it, which is Corollary One in practice.

NOTE TWO: Information security has learned this lesson before. When the first firewalls were deployed at network perimeters, they were used to block known-bad traffic. We soon learned that attackers could quickly move to new IPs and ports, leading to games of whack-a-mole. As a result, best practice shifted to a policy of default-deny at the network perimeter. We are playing the same whack-a-mole game on our endpoints today that we played on the firewalls in the late 90s.
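The contrast between the two policy models in Principle Two and Note Two can be shown in a few lines. The script below is an added illustration, not code from the article or from Carbon Black: it models a default-allow denylist and a default-deny allowlist over the SHA-256 hash of an executable, and runs both against constructed sample "binaries". The binary contents, names and hashes are invented for the example; a real application control product keys on signed publishers and trusted updaters as well as hashes.

```python
"""Default-allow (denylist) versus default-deny (allowlist) application control.

Added example; not the article's or Carbon Black's code. All binaries,
hashes and policy contents below are constructed for illustration.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Identity of a binary for policy purposes: its SHA-256 hash."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample "binaries". The bytes stand in for real executables.
GOOD_EDITOR = b"ELF... legitimate text editor build 1.0"
GOOD_EDITOR_NEW = b"ELF... legitimate text editor build 1.1"  # vendor update
MALWARE_V1 = b"MZ... credential stealer, first sample seen"
MALWARE_V2 = b"MZ... credential stealer, repacked to change hash"


@dataclass
class DenylistPolicy:
    """Default-allow: run anything unless its hash is on the known-bad list."""
    known_bad: set[str] = field(default_factory=set)

    def decide(self, binary: bytes) -> str:
        return "block" if sha256_hex(binary) in self.known_bad else "allow"


@dataclass
class AllowlistPolicy:
    """Default-deny: run only what an administrator has approved."""
    approved: set[str] = field(default_factory=set)

    def decide(self, binary: bytes) -> str:
        return "allow" if sha256_hex(binary) in self.approved else "block"

    def approve(self, binary: bytes) -> None:
        """The operational step: someone must admit each legitimate update."""
        self.approved.add(sha256_hex(binary))


SAMPLES = {
    "good_editor": GOOD_EDITOR,
    "good_editor_update": GOOD_EDITOR_NEW,
    "malware_v1": MALWARE_V1,
    "malware_v2_repacked": MALWARE_V2,
}


def build_policies() -> tuple[DenylistPolicy, AllowlistPolicy]:
    # The denylist knows only the first malware sample; the allowlist knows
    # only the editor build that was approved at rollout time.
    deny = DenylistPolicy(known_bad={sha256_hex(MALWARE_V1)})
    allow = AllowlistPolicy(approved={sha256_hex(GOOD_EDITOR)})
    return deny, allow


def evaluate(policy, samples: dict[str, bytes]) -> dict[str, str]:
    """Apply one policy to every sample and return name -> decision."""
    return {name: policy.decide(data) for name, data in samples.items()}


if __name__ == "__main__":
    deny, allow = build_policies()
    for label, policy in (("default-allow (denylist)", deny),
                          ("default-deny (allowlist)", allow)):
        print(label)
        for name, verdict in evaluate(policy, SAMPLES).items():
            print(f"  {name:22s} {verdict}")
    # After an administrator approves the update, the allowlist admits it.
    allow.approve(GOOD_EDITOR_NEW)
    print("after approval:", allow.decide(GOOD_EDITOR_NEW))
```

Run it and the denylist allows the repacked sample, because one changed byte changes the hash and the "bad" set is open-ended. The allowlist blocks both malware samples without having seen either, and also blocks the legitimate editor update until someone approves it. That second result is the point of Corollary One: the protection holds only as long as the approved set is actively managed.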

COROLLARY THREE: When endpoint malware protection products fail, what happens next? What procedures does an operations team have to detect and respond to the malware that gets missed? The best practice is traditional forensics, memory or disk imaging, but those procedures take significant time (and cost) for both acquisition and analysis. Analysis of a single host takes at least hours, possibly days to weeks, which is too expensive for an enterprise SOC investigating new, real incidents every day. This is why the EDR segment exists and why certain technology has been successful.

PRINCIPLE THREE: Principle One, Principle Two and their corollaries are fundamental truths

These ideas are not marketing spin, they are not fear-mongering, and they are not opinion. They are rooted in the simple realities of computing and networking. Further, the ideas are not new; they are not recently emerged theories. The U.S. Dept of Defense, led by the Air Force, recognised these principles 15 years ago and started investing heavily in operationalising information security. Awareness was not limited to DoD. Bruce Schneier’s book Secrets & Lies was published in 2000 and included these principles in its first edition. Kirk Bailey, now CISO at the University of Washington, was using the term ‘assumption of breach’ in 2002 to describe his security management philosophy. These principles have been driving the transformation of information security since at least 2002.

PRINCIPLE FOUR: Collectively, we are still learning Principles One and Two

Security is undergoing a transformation worldwide. There is still a wide variety of opinions and perspectives, each coloured by its holder’s experience. Many opinions will sit in the traditional IT mindset of architecture, governance, compliance and controls, a security sub-culture that has dominated information security personnel for many years. The more advanced opinions will prioritise the threat and attacker behaviour over compliance and governance.

The industry is seeking alternatives to traditional AV but, in some cases, resisting the change required to operationalise security programs. There is a market segment of solution-seekers that continues to cling to the false hope that they can treat security as a noun, as a solution they buy, set and forget. A platform must be easy enough for today’s solution-seekers, but without compromising the security principles that will keep it durable as they grow to understand Principles One and Two.

In closing

Some may read this and disagree. If so, I ask them to reflect on their experiences and their industry’s risk tolerance. Operationalising security is inevitable. I have been actively seeking counter-opinions for many years and have not yet discovered any sufficiently supported to change my position. Meanwhile, there is growing support among experts who similarly believe it is the only way we can improve security efficacy.

I encourage those who agree to share their perspective. The longer we continue to cling to the false hope that we can fix security by simply deploying a magic product, the longer we put off building the combination of products, people and processes required to address any complex problem. The industry needs leadership to help shape our future.

Article by Jeffrey Guy, Carbon Black.
