Dr Eric Cole, founder and CEO of US security consultancy Secure Anchor, speaks exclusively to Dan Raywood about the key issues facing his clients – and why the security industry needs to put its words into practice.
Eric Cole spent nearly 20 years working in the industry for a number of security vendors before he founded his consultancy, Secure Anchor, so he was well-placed to speak of the insider threat at a recent meeting convened by the Centre for the Protection of National Infrastructure.
Cole says that when he asks clients, either before or after a breach, what their most critical data is and where it is located, he is often met with blank faces. Data classification, then, is really about data discovery: knowing which servers are on your network, what they contain, where your data is and where it is going, and how you can control who has access to it.
“Most systems were originally built for functionality, and then when breaches occurred, when issues happened, they started going in and adding security on afterwards,” he explains. “The problem is that security can't be added on, it's got to be embedded. The good news is that most of our clients do that, as most are typically under a five- to seven-year technology refresh, so in the past two to three years they have upgraded their equipment. So they have really good equipment, the infrastructure is not outdated.”
He admits, though, that in some organisations, networks were designed and built solely for functionality. “It was never tuned in to figure for security,” he adds.
Cole reckons that a lot of security comes down to fundamental principles of ‘knowledge is power', and that if you don't know how your systems are connected, you won't be able to protect them. In particular, he emphasises that more attention needs to be paid to outbound traffic, as many people are unaware of where their data flows to.
One of Cole's favourite client exercises is to take a map of the world and place stars where the company has offices and show where their outbound traffic goes. He elaborates: “I go to the executives and I present that to them. Before I can say anything, they ask: ‘Why is 15 per cent of our traffic going to China? We don't do business there.'
“It's an amazing thing because I can sit there and tell them all day long that they are compromised, and they don't believe me. But when I show them the actual data in a form they can understand, it clicks, and that's why one of my key mottos with security is ‘let data drive decisions, not emotions'.
“I have got more business and more money with that chart than anything else, because you can't argue with it and the executives realise that they have a problem and are then willing to go in and address it.”
Mapping data flows can also show where data is stored, including whether it sits in the cloud. Is that a safer option? Cole laments the fact that security people tend to hate the cloud and are even terrified of it. Data, he claims, is often much safer in the cloud than on a company's network, as the cloud providers have configuration management, patching and lockdown, and they know what is on their network, which they monitor closely: “Most of our clients have no clue what's on their network, no configuration management, no patching, nothing. So it always makes me laugh when these security people say ‘no' to cloud, and I say: ‘You would be so much safer in the cloud.'”
He continues: “Let's look at a simple thing: in 2012, how many Fortune 1,000 companies got breached? It's almost in the upper-80s. How many cloud providers got breached? I don't think any did, so look at the data.
“Now, I'm not saying that it's not going to happen, but cloud providers' whole business is configuration management, change control and monitoring – that's what they live and die by. By contrast, most companies are not in a data centre business, they don't do any of those things, and therefore they are much more vulnerable.”
As well as running Secure Anchor, Cole is also a senior fellow of the SANS Institute, for which a key area, he says, is presenting security to the board “in a usable form”. The problem, he explains, is that when executives ask their security staff for reassurance, the latter willingly provide this with a mere “everything is fine” response; only when a breach occurs do those executives then ask for proper metrics, “to show that we really are improving and focusing on the right areas”.
Critical controls were built to be metrics-driven, he states. “So what happens is that security now switches from putting out fires to defining what those metrics should be in terms of asset inventory, configuration management, root cause issues and how IT can implement them, auditors validate them and executives understand them,” Cole says. “Now, all of a sudden, you have a security programme that can actually be managed.”
Cole admits that getting this across to the board remains a challenge, because many executives believe that a breach simply won't happen to them and that any money spent will effectively be wasted; yet when something does go wrong, they demand a quick solution.
Boldly suggesting that “every organisation, no matter the size, will be compromised”, Cole believes that the important point is the speed at which organisations detect and then respond to threats, bearing in mind that there is no such thing as total prevention. “One of the big models we push is prevention, [and it] is ideal, but protection is a must. You must prevent what you can, but really focus most of your energy on timely detection,” he adds.
On the Bit9 attack that was reported at the start of this year, which research suggested actually occurred in mid-2012, Cole says it is always unfortunate when a compromised company does not have the chance – or is unwilling – to give its side of the story before news of an intrusion gets out, because the knock-on reputational damage can be huge.
“The biggest problem we have with our clients is that a lot of them don't have detailed logs, they don't have security incident event management [SIEM] solutions, so they don't know what happened; they don't know what security they have,” he says. “A great example is a client that had two million personally identifiable information records, and they got breached. We went in and they only had basic log management, and the only thing the log showed was that 1,000 records had been accessed – and they didn't have the detailed technology to show which ones.
“We knew for a fact that only 1,000 records got compromised, but they had to disclose two million because, by law, if you can't prove which ones were breached, you've got to assume they all were. To put that in monetary language, if they had been able to disclose a breach of 1,000 records, it probably would have cost them maybe $1 million in terms of reputational damage; because they had to disclose two million, the cost was almost $25 million worth of damage.”
He adds that “a good log management solution is only going to cost about $800,000 to $1 million”, and would have given the client in question the ability to detect and then stop its breach.
According to Cole, SIEM vendors have sold their technology as a solution to all problems, when it should properly be used as a source for evidence of an attack, or an insider threat; with so much data created, he says, any other application of the technology amounts to looking for the needle in the haystack.
However, rather than concurring that SIEM is a dead technology, he argues that businesses should actually invest more time in it; the two biggest issues his consultancy sees with its clients, Cole says, are a lack of data classification and a lack of log management.
He explains: “If you look at the fundamental premise that data needs to leave your organisation and that advanced threats are going to try to extract it off your network – if you had basic data classification (public data can leave, private can't) then, all of a sudden, you start to get more visibility. Your data classification and log management could work together in a powerful fashion.”
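As an added example (not from the interview or from Secure Anchor), the Python below runs the two checks described here over constructed flow-log lines: the outbound-traffic-by-destination-country view Cole shows executives, and a simple public-can-leave/private-can't egress rule driven by data classification. The field names, the sample log and the BUSINESS_COUNTRIES set are assumptions made for the illustration.

```python
"""Outbound-traffic summary and classification-gated egress check over
constructed proxy/flow log lines (CSV: timestamp, source host, destination
country code, bytes sent, classification label). Added example; assumptions."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample log lines for illustration only.
SAMPLE_LOG = """ts,src_host,dst_country,bytes_out,data_label
2013-03-01T09:00:01,ws-101,US,120000,public
2013-03-01T09:00:05,ws-102,GB,80000,public
2013-03-01T09:00:09,fs-01,CN,150000,private
2013-03-01T09:00:12,ws-103,US,50000,public
2013-03-01T09:00:20,db-02,CN,100000,private
2013-03-01T09:00:31,ws-104,DE,500000,public
"""

# Countries where the (hypothetical) company actually does business.
BUSINESS_COUNTRIES = {"US", "GB", "DE"}

def parse_log(text):
    """Parse CSV flow records into dicts with an integer byte count."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["bytes_out"] = int(r["bytes_out"])
    return rows

def traffic_share_by_country(rows):
    """Percentage of outbound bytes per destination country (the 'map' view)."""
    total = sum(r["bytes_out"] for r in rows)
    by_country = defaultdict(int)
    for r in rows:
        by_country[r["dst_country"]] += r["bytes_out"]
    return {c: round(100.0 * b / total, 1) for c, b in by_country.items()}

def unexpected_destinations(rows, business_countries=BUSINESS_COUNTRIES):
    """Destination countries carrying traffic where the company has no presence."""
    share = traffic_share_by_country(rows)
    return {c: pct for c, pct in share.items() if c not in business_countries}

def private_egress(rows):
    """Records where 'private'-labelled data left the network; under a
    public-can-leave/private-can't policy every such record is an alert."""
    return [r for r in rows if r["data_label"] == "private"]

if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("Share by country:", traffic_share_by_country(rows))
    print("Unexpected destinations:", unexpected_destinations(rows))
    print("Private egress records:", [(r["src_host"], r["dst_country"]) for r in private_egress(rows)])
```

On the sample data the unexpected-destination view alone (25 per cent of bytes to a country with no business presence) is the kind of chart the interview describes; the private-egress list shows which hosts produced it.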
One of the major talking points of recent conferences has been information sharing, with government and agency representatives alike addressing the issue, and speakers from the private sector and computer emergency response teams have highlighted it as potentially beneficial to those responsible for dealing with internal and external threats.
What does Cole think about all this? He says information sharing is “absolutely achievable” and, despite the perception that it doesn't currently happen in any significant way, governments and the private sector both already provide a lot of information on cyber attacks.
“The challenge is the fine balance between giving information out to help others, and giving information out to help the adversary,” he adds. “The trick is to break down the attack vectors; you have a couple of pieces – how the attacker got in, what they did and the impact of the compromise. The last two are the most sensitive parts, but the first isn't really that sensitive, and that's the value. So, can we just share how the attacker got in, to help other clients to secure the enterprise?
“If you don't start sharing, and you don't start working together, that's going to be a weakness that the adversary is going to exploit. The US government is fully aware of that, and is aggressively trying to extend the olive branch and say: ‘I know we can't directly tell you what to do, because you're commercial and privately held, but why don't we give you some things to help you, give you some data, and show you that we can work together.'”
Cole agrees with the proposition that governments should lead by example, adding that not all aspects of information sharing will be successful, that it will rely to some extent on trial and error, and that not everyone will be helped.
He says: “Actions speak louder than words. So it's great and I'm excited, and I hear everyone saying ‘information sharing, information sharing', so let's start doing it. We are not going to get it right [first time], and we will adjust it on the fly, but you've at least got to start doing it. The one concern I have is that we tend to talk about things for a while, and don't actually do anything about it.”
Cole admits that sometimes information sharing is made more complicated than it needs to be. In some cases, it requires nothing more than opening up an email, typing in your name and adding a snippet of some packet traces that didn't send.
There is talk of setting up a multi-million-dollar specialised infrastructure in the US with secure access, requiring companies to go through a six-month clarification project to get on board.
Cole believes this is a good idea, but can see problems. “Yes, having an infrastructure and a tracking system might help, but why can't we just keep it simple, why can't we just create some mailing lists, create some basic meetings once a month where we have open conversations?” he asks. “I don't think we need to make it as complicated as people want; you just need to get the people together and have somebody to start talking.”