Recently, a writer from a B2B technical publication, who occasionally uses me for comments on the industry, emailed me a question about the epidemic of security breaches. She wanted to know if better network security could have prevented or mitigated many of them. I thought about my response a long time and then sent the following:
You would laugh if I told you the details of how most organizations are breached. It’s almost always the same, mundane attack: a user gets phished, malware is installed and credentials are stolen. That’s how RSA was breached, Target, and so on. Not very sexy, and the whole APT business is a misdirection: security vendors making you think they’re better at their jobs than they actually are. Sometimes the malware is interesting, like with Stuxnet. But RSA was pwned with Poison Ivy, a common RAT. If security products worked really well, it should have been caught immediately.
Then there’s application security. Just try finding a good appsec person or a developer who understands secure coding practices. You’d have better luck trying to solve the paradox of Schrodinger’s Cat.
The problem is simple and complicated. Pardon the colloquialism, but the chickens have come home to roost. In no other part of the IT industry can you get away with selling products that work no better than 50% of the time and continue to make buckets of money. If I sold you a switch that only passed half of your network frames, you wouldn’t continue to buy products from me. That’s not the case in the security industry. Many of the solutions are hype, pure and simple. The truth is there’s no magic bullet, but most vendors will try to convince you that they have one, and senior management is happy to drink that Kool-Aid because they’re desperate. The C-level doesn’t want their organization to end up in the news as the subject of the latest hacking scandal. They don’t want to hear how hard the work of security is, how much effort it really takes to fix the infrastructure.
Building a good security program is tough and although there are lots of researchers out there trying to grab media attention with the latest sexy hack, the unsung heroes are the defenders. The goal is omniscience, but that requires extensive visibility into your infrastructure (which few have) and constant vigilance (which few can afford). Most organizations don’t have the budget for in-house SOCs, so they outsource to an MSSP. MSSPs excel at mediocrity, but it’s not really their fault. How are you going to get excellence from a service that’s been commodified to make it attractive to the lowest common denominator? Without a good understanding of the organization, there’s no context and the service will always fall short.
Am I surprised that Target got pwned, even though they had just deployed 1.6 million dollars in FireEye equipment, which actually detected the malware? Not really. Their analysts in Bangalore ignored the alerts because they thought they were false positives. They didn’t escalate for further investigation, because many of us start to tune out the constant noise of security products that are generally only right 50% of the time, which is no better than chance. Basically, I could have a monkey randomly deciding whether or not to pass packets and that would probably be just as successful as many signature-based, blacklisting controls. People have criticized Target saying they should have installed FireEye in-line to automatically block the traffic. But I’ve worked with IPS/BDS and the business often won’t tolerate downtime due to false positives. The biggest challenge for information security professionals is convincing everyone else that the less risky default state of a system is to fail-closed instead of fail-open.
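The fail-closed versus fail-open choice above is a design decision that is easy to state and hard to get the business to accept. The following is an added illustration, not code from the original post or from any product it mentions: a toy policy enforcement point wrapping a hypothetical inspection engine, run over a small constructed traffic sample, so that the trade-off is visible in numbers. During a backend outage, fail-open lets the marked payload through; fail-closed stops it at the cost of also blocking every benign request, which is exactly the downtime the business objects to. The inspector functions, the marker string and the traffic sample are all constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Iterable


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"


class InspectionUnavailable(Exception):
    """The inspection backend (sandbox, IPS engine, reputation service) gave no verdict."""


# Constructed marker standing in for a real signature; it is not a real indicator.
MALICIOUS_MARKER = b"CONSTRUCTED-MALICIOUS-MARKER"


def healthy_inspector(payload: bytes) -> Verdict:
    """Hypothetical inspector: blocks anything carrying the constructed marker."""
    return Verdict.BLOCK if MALICIOUS_MARKER in payload else Verdict.ALLOW


def broken_inspector(payload: bytes) -> Verdict:
    """Hypothetical inspector whose backend is down (timeout, crash, expired licence)."""
    raise InspectionUnavailable("inspection backend unreachable")


def enforce(payload: bytes, inspector: Callable[[bytes], Verdict], fail_closed: bool) -> Verdict:
    """Policy enforcement point.

    The only design decision here is what happens when the inspector cannot answer:
    fail-closed blocks, fail-open allows. Everything else is delegated to the inspector.
    """
    try:
        return inspector(payload)
    except InspectionUnavailable:
        return Verdict.BLOCK if fail_closed else Verdict.ALLOW


@dataclass
class Outcome:
    allowed_benign: int = 0
    blocked_benign: int = 0      # availability cost (false blocks)
    allowed_malicious: int = 0   # security cost (misses)
    blocked_malicious: int = 0


def run(traffic: Iterable[bytes], inspector: Callable[[bytes], Verdict], fail_closed: bool) -> Outcome:
    """Push every payload through the enforcement point and tally what happened.

    Ground truth for the tally is the marker itself, so the counts reflect the
    enforcement policy, not the inspector's accuracy.
    """
    out = Outcome()
    for payload in traffic:
        malicious = MALICIOUS_MARKER in payload
        verdict = enforce(payload, inspector, fail_closed)
        if malicious and verdict is Verdict.ALLOW:
            out.allowed_malicious += 1
        elif malicious:
            out.blocked_malicious += 1
        elif verdict is Verdict.ALLOW:
            out.allowed_benign += 1
        else:
            out.blocked_benign += 1
    return out


# Constructed traffic sample: three benign requests and one carrying the marker.
SAMPLE_TRAFFIC = [
    b"GET /index.html",
    b"POST /login user=alice",
    b"GET /img/logo.png " + MALICIOUS_MARKER,
    b"GET /about",
]


if __name__ == "__main__":
    for label, inspector, closed in [
        ("healthy, fail-closed", healthy_inspector, True),
        ("outage,  fail-open  ", broken_inspector, False),
        ("outage,  fail-closed", broken_inspector, True),
    ]:
        print(label, run(SAMPLE_TRAFFIC, inspector, closed))
```

The third run is the one to show management: with the backend down, fail-closed blocks all four requests, so the decision is really about which outage you would rather explain, the one where nothing worked or the one where the malware got in.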
The Bloomberg story got it mostly right when they talked about how Target blew it. But here’s the dirty truth: we’re all Target. It’s a textbook example of everything that goes wrong with security in every organization every single day. And some days it makes me want to ditch it all and become a Pilates teacher.
Note: I actually sent this out prior to the Home Depot breach story hitting the news.
Today’s post pic is from TechPageOne.