Infosec is "fundamentally broken". That was the bold claim today from Amit Yoran, the president of RSA and former cyber-security director at the US Department of Homeland Security.
He was speaking this morning at RSA Middle East in Abu Dhabi, a place, he said, where "if it isn't gold, it isn't welcome".
Infosec is an industry that wastes billions of dollars on firewalls and policing network perimeters, things that “make us feel safe” but don't address real problems.
Look at the major breaches of recent memory, said Yoran, and you will find companies that were attacked despite using next-generation firewalls and high-level software that, for all their cost and promise, allowed massive, embarrassing and harmful breaches.
“Today's threats are from aggressive professional actors,” said Yoran before proceeding to dump on that “glorious and useless money pit, we call the SIEM.”
Security Information and Event Management is widely used for cyber-security data management even though aggressive professional actors clearly have little time for it. It's responsible, according to Yoran, for detecting advanced threat breaches less than one percent of the time, and yet, somehow the SIEM market is growing.
It's indicative of an industry asleep at the wheel, and if nothing is done, warned Yoran, “it's going to get worse”.
And with that, Yoran presented four points to, at least in part, ameliorate this unfortunate situation.
First, advanced protections fail, he said: “Don't make the mistake of thinking that an anti-malware solution is a strategy.” You can put as many walls up as you want, but sooner or later an adversary is going to find a way around, under or over them.
Second, we need pervasive and true vulnerability awareness, all the way from the network to the endpoint and into the cloud. “You wouldn't do brain surgery in the dark,” Yoran reminded the audience.
Don't act first, think first, he said. The single biggest mistake of any cyber-security team after a breach is to try to clean up their system before understanding the extent of the breach.
Third, as attackers get more determined, more creative and pick their targets more carefully, identity and authentication are going to get even more important. Malware, while still big, was the primary attack vector in less than half of recorded cases. Instead, attackers steal access credentials and just “walk right in”.
Yoran issued the grave reminder that your most important user accounts are to be the least trusted: “Don't make the mistake of trusting the actions of the trusted” because they're the ones most likely to be attacked.
Finally, you have to establish where your crown jewels are, your most important data, and then defend them “with everything you've got”.
As he started, so he finished. Yoran concluded with yet another bold claim for himself and the RSA: “We're on a very aggressive path to change a paradigm that the security industry has been on for decades” – and the problem is not technology, but mindset.
While most are “sailing on the same maps even though the terrain has changed,” the RSA, Yoran told the crowd, “have sailed off the map”.