That's a very different threat than something you're going to see if you are running a single server with no credit card data. Now, does that mean that you're never going to face the kind of attack that someone like Oak Ridge or a large government entity would face? Absolutely not. But it does mean that if you are an Oak Ridge or a Lockheed Martin or Nasdaq people are going to bring their A game and you need to have really well-trained people, as well as top-notch technologies they can use to respond to the threat.
STIENNON: I agree. There's some security from obscurity if you really have nothing worth stealing. The trouble is you can't conclude that. I'm starting to see people succumbing to attacks where they're just a channel to the real target, say a bank in Australia being attacked when the attackers are ultimately after the bank's mining resource clients. Adam mentioned Nadsdaq. So Nasdaq's Director's Desk website was injected with malware and Nasdaq wasn't the target. It was the users of the Director's Desk.
So that's the trouble with concluding that, "Hey, we don't have anything so we're not going to see this level of attack." And then the response is, there's no way a law office can afford to get the processes in place that a Lockheed or a major research lab should be building. But there will be service providers that will start offering that, and ultimately we're going to see tools that reach all the way down to the home office.
KERR: Going back to the question about the need to share information, I think we definitely need to be interconnected, and I think the cloud's a good place to share information. After all, we're all interconnected in one way or another. We share data with outside entities to process our purchase orders and they send us files and things, so if they get infected that's a back door into us. We've seen various entities have trust relationships between corporations, and that's a tunnel from one to another. One of the first things we did before we came back online was disable every single trust relationship we had with everybody, so 1) we didn't hurt them, because the last thing I want to do is to be blamed for infecting somebody else, and 2) I didn't want anybody else coming into me that I couldn't see through a trust relationship. So we need to be interconnected and share this information in the cloud. I think that's the way we need to be going.
O'DONNELL: We believe that data sharing among our products is essential and everything that we've been announcing with the FireAMP technology, as well as the IDS/IPS technology, is heavily leveraged to sharing data between those two products. Sharing outside of organizations and sharing across different technologies is something that will take many, many years because people are concerned that by identifying threats they've been exposed to, they may be giving additional information back to an attacker. So you need to have technologies that allow people to address a threat without sharing it, but still share the data if they choose to. Otherwise you'll hear the people saying, "Well, if I install this product and it mandates sharing, I can't use the product, because I can't actually tell the public what threat I'm experiencing, but I still need to have some mechanism of combating it."
SHIMEL: Agreed. Now let me switch gears a bit. In the security industry we have a tendency to go for the shiny new trinket and the latest and greatest. Richard, you're a dean of this industry, is that a good thing, a bad thing or a non thing?
STIENNON: Definitely don't go buy the shiny new technology and then figure out how to use it. Start with understanding the threats. Actually a bigger issue is the move away from so-called risk management procedures, which are all based on identifying assets, determining their vulnerabilities and then stack ranking them. You're never going to get that done, right, you'll still be doing that 10 years from now. It is better to start recognizing the threats and then build up defenses against each particular threat. For the most part the tools are there, but a lot of them are from very young companies.
SHIMEL: Fantastic. Kevin, you can only talk about what you're allowed to talk about, but how does an organization like Oak Ridge Laboratory go about evaluating security solutions, how do you look at an up-and-comer versus well-established companies for new kinds of solutions?
KERR: One thing we like is the openness of being able to look at what they're doing behind the curtains. If you come to me with a magic box and says it can do X, Y and Z and you're not willing to show me how it works, you're not going to get much further. I don't need to know all the secret sauce, obviously, but I want to know why it's doing what it's doing and, not only that, if it can be integrated with the tools I have.
I'm going to be the first to admit that we have some wonderful shelfware here that we bought and stuck on our network because I didn't have enough resources or didn't have enough money to buy services, it's never been fully implemented for the capability it offers. We're actually in the process of downsizing some of our tools and trying to end up with two or three that provide a wider swath of visibility into our network, because my objective is to see as much as I can with the tools we have, baseline things, and then allow my experts to be able to drill down based on the wider swath.
SHIMEL: OK guys, we're coming up on the end here. Any final advice to share?
STIENNON: My advice is to throw out your current risk management regime and start over by looking at the three common threat vectors: We've got the hactivists (with Anonymous being one of the most obvious examples), we've got cybercriminals and we've got nation-states. Then strive to understand the methodologies and the targets that each of those will go after, and then look at your current defense regime and see if it's anywhere close to being ready to counter those.
And learn lessons from people like Kevin who have lived through this. Because if you have not seen the types of attack that Kevin has experienced, you're in deep, deep trouble, because you are experiencing them.