The solution to security breaches? Kill the human middleware
Time to turn security model inside out, conference hears
Versus16 It's a computer security truism that human beings are the biggest network threat. Sysadmins have always assumed that means users, but it may be time to take a long, hard look in the mirror.
At the Versus conference in San Francisco on Thursday – a conference that its organizers say they set up to challenge the security status quo – a number of speakers argued that it's time to turn the traditional security model inside out – and that means pulling out more humans.
"The perimeter is dying," exclaimed Alan Cohen, chief commercial officer of Illumio. The traditional model of a corporate network carefully protected from intruders by security staff is being blown to pieces by the explosion in cloud computing and extremely fast networks. "We run our computing wherever we want – the traditional boundaries have gone away."
Worse, he argued, corporate security comprises layers of technology built on top of one another, some going back decades. "These layers are not well related to one another," he noted, giving the example of one client with no fewer than 7.5 million security rules covering its network. As each new layer of security is added, more rules are created. "Every day we add more security and that simply creates more rules and so more ways in."
If you assume that just five per cent of those rules have errors in them – thanks to the "human middleware" who developed them – that client is looking at 375,000 potential errors and hence entry points into their system.
The answer is to step away from the idea of security as preventing anything from entering and look at monitoring what is going on inside your network to look for anything unusual. And that means automating security, and letting your machines protect themselves in much the same way that your body's immune system works.
Dev, no dev
Unsurprisingly, this is what Illumio's product does – it allows you to tag applications and machines in a variety of ways – dev, test, production, live; location; and type – web server, etc – and then the system watches all the interactions between your machines, flagging anything that looks unusual or breaks with high-level policies written on top of it (like dev machines only talking to other dev machines).
Cohen told us later that one of his clients – a large bank – was amazed to find that in its environment of 125,000 servers there were 3,000 dev servers talking directly to production servers. That's something even the most hard-working sysadmin is going to be hard pressed to discover by hand.
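The label-and-watch approach described above is simple enough to sketch. The following is an added example written for this article, not Illumio's code: hosts are tagged with environment, location and role labels, one high-level policy says hosts may only talk within their own environment unless an explicit label-based exception covers the flow, and a batch of observed flow records is checked against it. The inventory, the exception rule and the flow records are all constructed for illustration.

```python
"""Label-based flow policy check (added example, not Illumio's code).

Inventory, labels, the policy exception and the flow records below are
all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed inventory: host -> labels along the dimensions the talk
# mentioned (environment, location, role). Names and values are made up.
INVENTORY: Dict[str, Dict[str, str]] = {
    "web-01":  {"env": "prod", "loc": "us-west", "role": "web"},
    "db-01":   {"env": "prod", "loc": "us-west", "role": "db"},
    "web-dev": {"env": "dev",  "loc": "us-west", "role": "web"},
    "db-dev":  {"env": "dev",  "loc": "us-west", "role": "db"},
    "ci-01":   {"env": "test", "loc": "us-east", "role": "ci"},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Policy is written over labels, not addresses:
#  1. a host may only talk to hosts in the same environment, except
#  2. explicitly allowed cross-environment pairs: (src selector, dst selector, port).
ALLOW_CROSS_ENV: List[Tuple[Dict[str, str], Dict[str, str], int]] = [
    # Constructed exception: CI may deploy to prod web servers over 443.
    ({"env": "test", "role": "ci"}, {"env": "prod", "role": "web"}, 443),
]


def _matches(labels: Dict[str, str], selector: Dict[str, str]) -> bool:
    """True if every key/value in the selector is present in the host's labels."""
    return all(labels.get(k) == v for k, v in selector.items())


def classify(flow: Flow, inventory=INVENTORY, exceptions=ALLOW_CROSS_ENV) -> str:
    """Return 'allowed', 'violation', or 'unknown' (an endpoint is not in inventory)."""
    src = inventory.get(flow.src)
    dst = inventory.get(flow.dst)
    if src is None or dst is None:
        return "unknown"  # an unlabelled asset is itself worth flagging
    if src["env"] == dst["env"]:
        return "allowed"
    for src_sel, dst_sel, port in exceptions:
        if _matches(src, src_sel) and _matches(dst, dst_sel) and flow.dport == port:
            return "allowed"
    return "violation"


def audit(flows, inventory=INVENTORY, exceptions=ALLOW_CROSS_ENV) -> Dict[str, List[Flow]]:
    """Bucket observed flows by classification."""
    report: Dict[str, List[Flow]] = {"allowed": [], "violation": [], "unknown": []}
    for f in flows:
        report[classify(f, inventory, exceptions)].append(f)
    return report


def talking_to_prod(flows, from_env="dev", inventory=INVENTORY) -> List[str]:
    """Distinct hosts labelled `from_env` with any flow into prod (the bank's finding)."""
    return sorted({
        f.src for f in flows
        if inventory.get(f.src, {}).get("env") == from_env
        and inventory.get(f.dst, {}).get("env") == "prod"
    })


# Constructed flow records; in practice these come from host agents or flow logs.
SAMPLE_FLOWS = [
    Flow("web-01", "db-01", 5432),    # prod -> prod: fine
    Flow("web-dev", "db-dev", 5432),  # dev -> dev: fine
    Flow("web-dev", "db-01", 5432),   # dev -> prod database: violation
    Flow("ci-01", "web-01", 443),     # test -> prod, covered by the exception
    Flow("ci-01", "db-01", 5432),     # test -> prod database: no exception, violation
    Flow("laptop-7", "db-01", 5432),  # endpoint not in inventory
]

if __name__ == "__main__":
    report = audit(SAMPLE_FLOWS)
    for f in report["violation"]:
        print(f"VIOLATION {f.src}({INVENTORY[f.src]['env']}) -> "
              f"{f.dst}({INVENTORY[f.dst]['env']}):{f.dport}")
    print("unlabelled endpoints:", [f.src for f in report["unknown"]])
    print("dev hosts reaching prod:", talking_to_prod(SAMPLE_FLOWS))
```

The point of the design is that the policy stays short and readable (one rule plus named exceptions) while the flow data does the work of revealing what is actually happening; the "unknown" bucket matters as much as the violations, since an asset nobody has labelled is one nobody is watching.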
Continuing the theme of turning the security model inside out, several other speakers – David Baker, CSO of Okta; Ajay Arora, CEO of Vera, the conference organizer; and Daniel Riedel, CEO of New Context – all argued that the working assumption for the future has to be that your systems will be hacked and your data taken, rather than spending ever more time and money trying to prevent any entry at all.
"You need to assume a breach," argued Baker, and work from the inside out. Arora agreed: "Every approach to security has also been very reactive – it has to become proactive."
There are numerous advantages that come from that approach, but it will require a big shift in both mindset and resources, all agreed.
"Cybersecurity is an economy," said Riedel. "We need to make it more expensive – or cost inefficient – for people to attack us." He also argued that there needs to be much more sharing of security breaches between organizations so the information and knowledge is spread, making it much harder for malicious actors or hackers to use the same approach over and over again.
Arora posited the idea of making it technologically possible to prevent stolen data from being used by others. If you take the assumption that people will get at your valuable data – and in recent years the number of huge breaches from every industry shows that this is rapidly becoming a new normal – then designing systems to make that data effectively useless is the logical route to protecting your company and your users.
All the speakers also agreed that finding new ways to attribute attacks was going to be a critical area of work. The recent high-profile hacks of the Democratic Party's email servers, and the inability to pin the attack squarely on the Russian government, were one example discussed in some depth; the Sony hack and – possibly – North Korea was another.
Without attribution, it becomes harder to apply pressure and pin people down, and to recognize patterns.
Highlighting both the need for a new approach to security and the resistance to change, Arora gave a personal example from the recent DNC hack. At a Democratic event much earlier in the election season, the party was handing out updated information on USB sticks. Asked about that approach by a reporter, Arora said – and was then quoted in a news report – that it was "borderline stupidity to give them out to people, or for people to even think of using them." He added that no one in the tech industry was "dumb enough to do this anymore."
None other than the DNC director of communications was unimpressed with this, telling all staff that Arora's comments were the dumb ones and assuring everyone that the DNC had excellent cybersecurity.
How did Arora find out about the DNC comms director's view of his comments? He read the all-staff email on WikiLeaks. ®