Security Industry: One Dimensional, Limited by Experience

If you ask me, the President of RSA had the best keynote at the RSA Conference in San Francisco:

http://www.rsaconference.com/media/escaping-securitys-dark-ages

I have collected the images from the video link above:


The talk was titled "We are Living in Security's Dark Ages".

There is a lot in the 30-minute video; if you are interested in security I definitely recommend listening to it. I do mean listen to it: take notes, etc.

Here are my takeaways besides the 5 topics he discussed:

1. Even advanced protections fail

2. We need pervasive and true visibility into our environments

3. In a world where the perimeter is insecure, authentication matters more

4. External threat intelligence is important and available; use it

5. Prioritize limited resources for maximum impact

Mr. Yoran started with his dark ages theme and said that we think we are looking at correct maps, but really the terrain is not the same as the maps in our hands. The map has not kept up with changes in the terrain.

Just like the early Internet, the early maps were primitive and did not include the American and Australian sections of the globe:

I am adding some helpful analogy aids.

Slowly the world moved from a Eurocentric to a globe-centric view.

Not 100% accurate, but getting better.

Until, of course, today we have satellites and Google Maps. But even Google Maps has a bit of a lag behind what is actually happening. I am sure we have all found a situation where navigating to an address with Google Maps or another navigation aid did not actually lead us to the right location.

In security, Mr. Yoran states that we are one dimensional, as we are limited by experience and tools, or TTP (Tools, Techniques and Procedures).

Unfortunately the enterprise environment depends on SIM or SIEM (Security Information Management or Security Information and Event Management tools), and the SIM does not fully 'see things': less than 1% of threats were spotted with a SIM.

Mr. Yoran claims (with some first-hand knowledge) that there is a disconnect between security teams and what the hackers are actually doing in the networks. For one, anti-virus and even Intrusion Prevention Systems are only as good as their definition files and how they are configured. So this "defense-in-depth" is causing. We also tend to clean up compromised systems too quickly.

For one, when you clean a system the hackers learn which techniques you found and which techniques they should not use next time. Take time when cleaning a system: take the time to fully understand the breach and your network.

Less than half of breaches were by malware; 95% had stolen credentials.

In a world where the perimeter and desktop can be breached easily by determined attackers, authentication will be even more important.

"Who needs 'zero-day' when you have stupid," says Mr. Yoran, referring to mistakes by users and administrators that help hackers rather than stop them.

He also likes a quote by Isaac Asimov: "Awareness of a problem is more important than actual problem".

When we look at our maps of terrain that has actually changed, our problem is that we cling to our old maps.

But he has good news: “We Are on a Journey to full Visibility”

The last words were: "Our People are calling back to base and saying 'We have Sailed Off the Map'; what should we do?"

Besides making better maps we need to be aware of the problem.
