Best defense? Start by admitting hackers will get in anyway.
IT security is caught between a rock and a hard place: If defenders do little to protect their networks, the bad guys will get in easily. If they spend to improve their defenses, the bad guys will become more innovative and get in anyway.
“In today’s reality, computers are indefensible,” Amit Yoran, head of RSA’s security management and compliance business unit, said at the FOSE conference in Washington. Given a motivated attacker, “they will get in.”
“If you work in any place that is interesting, you are compromised,” said Richard Bejtlich, chief security officer of Mandiant.
FISMA guide updated to reflect APT, mobile threats
Light at the end of the continuous-monitoring tunnel
In a security landscape that ranges from merely gloomy to very gloomy, “there is no shame in that,” Bejtlich said. The only shame is doing nothing about it. He said that as many as 80 percent of victims learn about compromises from outside parties.
There is a growing trend for that notification to come from agencies such as the FBI, he said. “That has been a huge motivator for organizations that thought it wasn’t happening to them.”
IT security professionals need to spend their money more wisely, the two said April 4 during a discussion on modern targeted cyberattacks.
“I think there is plenty more effort that can be put into security,” Bejtlich said. If done right, that effort can raise the bar for attackers and improve the chances that organizations can repulse or survive sophisticated, targeted attacks.
In the wake of a string of high-profile breaches involving prominent companies and federal agencies over the past year or more, there has been an acceptance that it is a matter of when' and not if an enterprise will be compromised. The growing attack surface created by the complex interaction of hardware platforms, operating systems and applications has made systems increasingly vulnerable. Attacks are focusing on specific organizations and individuals, and when direct attacks fail, the bad guys are targeting third parties to flank their defenses.
A recent example was last year’s breach at RSA, the security division of EMC. That attack was made through another company that was compromised, and information about SecurID tokens stolen from RSA was then used in an attack against defense contractor Lockheed Martin. The security incident is being replaced by the campaign, Yoran and Bejtlich said.
At the same time, much of IT security remains signature-based and perimeter-oriented, which has been easily circumvented.
Speaking at another session on the need for better monitoring and detection, Q1 Labs CSO Chris Poulin said 80 percent of IT security problems are well known and can be fixed with 20 percent of the IT security budget. But the remaining problems usually cannot be cleaned up with the remaining 80 percent of the budget.
The solution is to create a contested space in which defenders detect compromises in a timely way and correct or mitigate them quickly. Better visibility and real-time monitoring, combined with patch and configuration management and perimeter defenses, can raise the bar for attackers to the point that it no longer is cost-effective for them to mount successful campaigns against valuable targets.
The best tool for this type of defense is collaboration and information sharing to increase visibility and awareness, Bejtlich said. There are plenty of existing forums in which relationships can be created and cultivated to enable the exchange of information. This can be done with little financial investment, but to be effective it requires an investment in time and attention, he said.
“It can work, but only if it is true collaboration and you don’t just lurk in a list,” he said.