It had to be a bit of a jolt for more than 500 exhibitors and thousands of attendees at RSA Conference 2015 last month, all pushing, promoting and inspecting the latest and greatest in digital security technology: The theme of RSA President Amit Yoran’s opening keynote was that they are all stuck in the Dark Ages.
To make the point “visually,” Yoran even spent his first minute or so on stage speaking in pitch darkness, “stumbling around,” backed by the sound of an ominous, moaning wind.
This, he insisted, was an apt metaphor “for anyone trying to protect and defend a digital infrastructure today. Every alert that pops up is like a bump in the night,” he said. “Often we don't have enough context to realize which ones really matter and which ones we can ignore.”
It is easy to make the case statistically. The Identity Theft Resource Center reported in January that there were 738 data breaches in 2014, up 25% from the prior year.
Or, as Yoran put it, 2014 was “yet another year of the breach. Or, have we agreed to call it the year of the mega breach? That might connote that things are getting worse, not better,” he said, adding sardonically that 2015 is likely to become “the year of the super-mega breach. At this pace we are soon going to run out of adjectives.”
That, he contended, is because the defensive mindset of Internet security today is “fundamentally broken … (and) very much mimics the Dark Ages. We’re simply building taller castle walls and digging deeper moats.”
All of which may have sounded a bit insulting to hundreds of vendors and experts who have been saying for years that “the perimeter is dead.” Or that “it’s not a question of if you’ve been breached, but when.” Or that intruders are quite likely inside your organization right now, and that a stronger perimeter will do nothing to eliminate them.
Indeed, many of them were there promoting solutions to detect and respond to insider threats.
But Yoran insisted that the rhetoric is not matched by actions. “We say we know the perimeter is dead, we say we know the adversary is on the inside, but we aren't changing how we operate,” he said.
In an email interview this week, Yoran acknowledged that the industry is beginning to move in the direction of monitoring and response, but said “today’s reality” is that “by every measure, a vast, supermajority of security expenditures focus on prevention.”
Citing his military training at West Point, he said in his keynote that the security industry is trying to use “maps” that no longer apply to the current threat landscape.
The result, he said, is that attackers “are winning by every possible measure.”
His colleagues in the industry may not agree with all of that, but most think he got the essentials right. John Pirc, chief strategy officer at Bricata, said he “totally agrees” that the perimeter mindset is still too prevalent. “Security needs to move deeper within the network. The need is for visibility in the data center rather than on premise or the cloud,” he said.
Anton Chuvakin, research director, security and risk management at Gartner for Technical Professionals, is another. “Sadly, he is mostly correct regarding many companies that are still in the ‘prevent the attack,’ or ‘don't let them in’ mentality,” he said, even though the “more mature and enlightened have known for years, if not decades, that the attackers will occasionally break in and that you will need to be prepared.”
Chuvakin said virtually every security pro has been “taught the prevention/detection/response mantra, but at many places the spend is mostly on prevention, and preventative technology gets the attention.”
Muddu Sudhakar, CEO of Caspida, said he agrees that adversaries are winning, noting that “the FBI Cyber Division head commented last week that while they used to learn about a large-scale breach every two to three weeks, it is now every two to three days.”
But he said context is important. “The bad guys only have to succeed once, while defending data has to succeed 100% of the time,” he said.
Rob Kraus, director of security research and strategy at Solutionary, also said context matters. He said simply declaring that the “good guys” are losing neglects the ebb and flow of the battle.
“As advances are made by the good guys, the enemy will re-evaluate and re-deploy capabilities in a way that can circumvent their attack or defensive postures. The challenge with the cyberworld focus is that the battle moves much more quickly, and is even more multi-dimensional.”
But he agrees with Yoran that there is still too much reliance on defending perimeters. “Many organizations are still locked into the concept that the castle walls will protect the bad guys from getting in,” he said. “Most are not thinking about those who climbed over or tunneled under those walls.