Network World recently asked blogger Alan Shimel, co-founder and managing partner of The CISO Group (see his blog here), to host a roundtable discussion with representatives from three sectors of the security community: a practitioner, an analyst and a vendor. The wide-ranging conversation touched on everything from the state of threats today to the failure of risk management, the need to share information and a massive attack suffered by the user.
SHIMEL: Hi everyone, this is Alan Shimel, co-founder and managing partner of The CISO Group, and welcome to a Network World Roundtable on Security. The topic of our roundtable is "See it, Protect it, Control it: Advanced Security Intelligence to Outsmart Attackers." We're lucky to be joined by a fantastic group of folks today: Kevin Kerr, the chief information security officer, or CISO, at Oak Ridge National Laboratory, one of the leading research labs in the world; Richard Stiennon, a former Gartner analyst and now the chief analyst at IT-Harvest; and Adam O'Donnell, Sourcefire's chief architect from the company's Cloud Division.
[ FREE DOWNLOAD: 68 great ideas for running a security department ]
GIVEAWAYS: Free security tools out there for the asking
Kevin, you're in the front lines of this war we're waging against cybersecurity attackers, so I'm going to start with you. Have you seen a sea change recently in the kinds of attacks, the kinds of methods attackers are using?
KERR: I think so. They used to knock on your front door or come through the window or over the wall. Nowadays they're relying more on social engineering to try to get someone who's inside the fortress to let them in, whether through phishing or malware or something like that. So they're trying harder to avoid detection in the hopes that they can get one little foothold and, once they're in, then it's fun time for them.
SHIMEL: But the security industry hasn't been sitting on its hands. Adam, how has the industry responded?
O'DONNELL: The game has definitely become far more challenging, not only because attackers now have a profit motive, but because nation-states are involved and willing to break into a system at any cost. In some ways the industry's technologies have become equivalent to a seatbelt, something you absolutely have to have to help be able to protect you, but they're not going to be able to safeguard every situation you get into. In order to address the more challenging threats, both nation-state attackers or from a committed individual or group trying to get into a network, we need to start using technologies that can be modified for your specific environment, something that gives you control over the threats that your specific network is seeing and also gives you visibility into what may have come in in the recent past. [also see: "What is an 'advanced persistent threat,' anyway?"]
SHIMEL: Richard, you're in the catbird's seat here in that you speak to people like Kevin on the one hand, and on the other hand speak to suppliers like Adam. What is your take? Have we passed into a new era of threats that demand a new era of solutions, or are we dealing with a lot of hype here?
STIENNON: Actually, no, I think we're under-hyped. I was just at a meeting where someone voiced the opinion that the security industry is broken, that it doesn't address the new threats. And I had to object and say, no, it was just built for something different. Back in the early days of mainframes, the primary purpose of security was protecting data from users that had access to it and we had pretty good security against targeted attacks. Then we went through an era of random attacks, hackers looking for anything to attack just for the fun of it, which built into a great industry for countering viruses. And then we had attackers using the network and we came up with an industry to counter worms.
But things have changed dramatically in the last three or four years, as targeted attacks recognize the value of certain pieces of information, whether it be a data store of credit card information or design information for the F-35 Joint Strike Fighter. And the attackers, as Kevin pointed out, have realized that the easiest way in is through one of these open doors that's not guarded.
So yes, we're in a completely new realm, but the industry is responding. The cutting-edge vendors I see are starting to be information managers. When they catch an attack against one client they quickly anonymize it and pull it into their cloud so the rest of their customers can look for similar indicators, whether it is as simple as an IP address or the type of malware used or the source domain of the emails. And that's the big difference here. We're starting to recognize these threat actors.
SHIMEL: Regarding the idea that the security industry is broken, that's something I've heard as well. It's this pessimism about not only the security industry but the security profession, almost that we're shoveling sand against the tide here. Kevin, you're out there where the ocean meets the sand, do you feel that sense of pessimism?
KERR: Yes and no. I'm a realist. If someone says they can protect me 100%, they're either ignorant or lying. You need a multitude of things to protect yourselves. When we were attacked last year it was a phish that came in. We got about 750 phishes. We had about 50-some-odd people see them and one person who clicked, and that one system was not running appropriately at the time and the malicious perpetrator got a foothold on their box, was able to grab credentials, and then started to move across our network. So they weren't even using malware when they broke in last year, they were using authorized credentials and a zero day to walk in. And it was because of that we didn't initially see what was going on. It was later detection in the network that led us to the realization that something wasn't right. At that point it was a game of cat and mouse or, as we like to say, Whac-A-Mole, as we tried to keep up with them. When we realized we couldn't keep up tit-for-tat, we decided to disconnect from the network to prevent them from exfiltrating data. [Also see: "Advanced persistent threats force IT to rethink security priorities"]
SHIMEL: Disconnecting from the network certainly isn't a long-term solution. Adam, what can Kevin do short of disconnecting?
O'DONNELL: Depending upon the asset you're trying to protect, disconnecting from the network can be a reasonable solution for a specific instance. If you are protecting the nation's nuclear assets, it makes sense. But obviously not everyone can go about that. If Kevin had tools on hand that allowed him to say, "OK, this attack happened, can I identify every single place this person went, every single system the person touched, and scope the problem?" And then respond within that scope, he might have been able to react without having to take the network offline. Tools that gave visibility into what the attacker did after the attack happened would be critical for that situation.