The security industry has spent a lot of time over the past 30 years thinking of imaginative ways to put lipstick on today’s cybersecurity pig.
We are more distributed and mobile than ever. Yet the security industry remains unevolved, putting on the same show––playing their all-time favorites like “On-Device Security” and their mega-hit “Gateway Security.” Gateway security is an especially nuanced piece with broad range. There’s the firewall, intrusion prevention, VPN gateway, the proxy, URL and content filters, and the component that binds them––SIEM. And that’s the consolidated version of a lengthier and more complicated original score.
Computers have changed and continue to change dramatically in front of our eyes. Clouds, SaaS, mobile devices, and the big daddy of them all, IoT, are contorting traditional security models and tools in ways never intended; that is, until something breaks.
Let’s Get Medieval On Security
The king builds a castle (the network), puts a moat and drawbridge around it (gateway security), and posts sentries at the gate with special instructions (security policy).
Need to operate outside the castle? If you have the strength (compute resources) and are wealthy enough to afford it (budget), you can put on custom armor (on-device security) and head out as a knight (remote user). Being a knight is exhausting though. Yes, you are well protected, but it burns a lot of energy (security team resources).
However, commoners have to assume risk and live in a state of constant vulnerability. Clouds and IoT have driven the vast majority of our functions and users to operate “outside the castle.” In fact, the business of the king’s court is now distributed. Commoners live and work remotely, never needing to step foot in the castle.
There are even scenarios where some commoners operate and service other kingdoms near and far. When the court subjects are remote and distributed, the king has two options: insist on keeping the castle, moat, and drawbridge or adapt. So far the security industry has bitterly resisted adapting. Why? Tradition? Lack of alternatives? It’s what they know? Or is it a combination of these?
Gateway security still has its uses; however, the gateway security model is long in the tooth and its use cases are diminishing by the week. And on-device security has been an expensive, ineffective, and unsustainable failure. How can you package up an entire data center’s worth of security functions in a $5 sensor with the compute resources of a Timex watch?
What the cloud started, IoTs have finished. In the past, compute functions were network-centric, now it is distributed all over (even mobile). And we like it. Initially, CISOs tried to control users by saying no to cloud and SaaS. Users wouldn’t have it. They shrugged, walked away, and did it anyway. There was no putting that toothpaste back in the tube once they got a taste of a cloud and SaaS.
Computers and technology has been democratized; however, the way we secure is still medieval.
Any Reason Other Than Security
We have offered hackers the overwhelming advantage, all the while spending billions and billions on security. Vendors continue to monetize on medieval security tools ill-suited to the new dominant compute model. How does this make sense?
There are a few reasons:
First, it’s what people know and have bought into. There are 30+ years of approaches and methods, tools and technologies, and processes and performance indicators developed around medieval security. It has become muscle memory for many who spent years honing their skills around these approaches.
Just imagine if suddenly, through magical circumstances, the rule of thumb became NOT to apply pressure to bleeding wounds. The countless developed methods, processes, tools, and even tangential functions (like billing) would be impacted. The result would be chaos! Arguably, security is experiencing a mild form of chaos now.
Second, there are a lot of vendor-centric security professionals who know and understand security through the prism of a particular vendor. This is not meant to be derogatory, as these professionals are the backbone of the security industry. However, many are not security operators; they are security product managers.
In most instances, along with functional and integration capabilities, security is but one of multiple features that security tools sport. Many security professionals are really, really good at keeping the lights on and packets flowing––and rely on the product do its security stuff.
Some vendors are so big and influential that more security professionals than we like to admit are exclusively committed to their tools. These professionals have done the economic calculus and built their careers around a single brand, strictly based on market opportunity. Many evolve when vendors say it’s time to evolve for job-prospect purposes. And the evolution of certain security professionals is curiously bound to the vendor’s business strategy. This is an arrangement that benefits the vendor and the professional––just not security.
This brings me to the third point: the business of security vs. security of business.
It takes many years for new and emerging approaches or technologies to become mainstream. Large, influential vendors are focused on squeezing every last bit of economic value from their existing technology investments, while small innovative companies just don’t have the market megaphone. And pay-to-play analyst firms confuse matters further by offering tilted and skewed recommendations.
Cyber Hare vs. Security Turtle
Hackers are cutting-edge. They are imaginative. They formulate crazy ideas meant to break the rules. The security industry counters with security professionals who are compelled to be conservative––to a fault.
Hackers don’t care about function and performance, whereas organizations prioritize both over security. Hackers can experiment and fail countless times, forging their own path along the way, while organizations identify gaps by virtue of emerging product categories. Often, it takes anywhere between three to five years, depending on the organization, to implement new product categories for an emerging threat type. At that point, the threat is not so “emerging” anymore!
Moreover, organizations befuddle themselves by implementing a process, a very organized one at that, developed to assure failure. This includes assessing requirements, assigning budgets, talking to Gartner to see who paid them most, evaluating several brands, selecting a technology, negotiating legal, purchasing, implementation, integration, administration, management, monitoring, and troubleshooting. Where is the agility?
Aside from the security functions the product offers, nothing in the process above even comes close to security operations.
What does this mean? It means that hackers have a significant upper hand. This upper hand is so overwhelmingly one-sided that it has evolved from having the ability to impact business, to the ability to devastate economies and undermine democracies.
Cyber – The Longest War
Today, everyone talks about the war in Afghanistan as our longest-running conflict. In the near future, this distinction will easily be awarded to the global cyber-war. Every day, much like other security professionals, I see this war from our operations center. I see Russia, China, North Korea, Iran, and even some allies wage war against our infrastructure. If not by name (IP Address), then by reputation (APT).
If we have learned anything from the Afghani and Iraqi conflicts, it’s that success does not always require a standing army. Special operations have radically shifted the methods of war. Not only is this cheaper and faster, but also more effective to achieve many missions around the world. Today, the SpecOps model is being employed in the Syrian conflict
Maybe we should learn from the military and apply seismic shifts to our security approach. Here’s how:
First, let’s eliminate products from the equation. Building one-off security using tools that are ill-fitted to address the emerging distributed and mobile computer model is security suicide. Products are always out of date and security teams burn valuable resources performing technology refreshes, as well as managing and troubleshooting products rather than operating security.
Security as a utility is a much more effective approach. It is simpler and much faster to sign up and turn on than to buy and build out! Make implementation easy and let the development, upgrades, updates, and keeping the lights on be someone else’s problem. The time your team is not spending on babysitting products can be put to better use operating security.
Second, fight hackers with (ethical) hackers. Build or train security teams of operators––not product administrators. Make your team critical thinkers who focus on “how to break things” rather than the mundane “keeping the lights on” tasks. Not all hackers are foul-tempered, tattoo-laced twenty-something rock stars with an ego. There are many agreeable, thoughtful, and reliable ethical hackers who can serve in foundational roles on your team. Most importantly, empower them and involve them from the beginning at the application design, development, and roll-out phases.
The traditional medieval security model is not failing; it has already failed spectacularly. Arguably, it was never successful in achieving any of the objectives for which organizations have paid billions of dollars. The product management approach to security is like trying to change the wheels while the car is doing a 100 mph. You won’t be able to do it and you WILL get hurt along the way.
About the Author:
Babak Pasdar is an ethical hacker and a globally-recognized expert in Cyber-Security, the Cloud, and Crypto-currency. He has a reputation for developing innovative approaches and methodologies for the industry’s most complex security problems. Throughout his career, Pasdar has founded multiple groundbreaking Cyber-Security firms, developed large-scale infrastructures for some of the most well-known global companies, and identified critical threats to national security. Before Acreto, Pasdar brought the first proxy-in-the-cloud platform to market, even before the word “cloud” was coined. Named one of New York’s Top Ten Startup Founders over 40, he built and exited two Cyber-Security technology companies, igxglobal and Bat Blue Networks.
Disclaimer: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of EC-Council.