Reflecting upon RSA2013, there is a lingering wanting. Like a meal that fills you up, but leaves you unsatisfied. There is a quiet battle being waged at the big security conferences like RSA, BlackHat, Defcon and such. This is not a battle of exploits or force, but one of attention. It is the battle to dismiss defense as irrelevant.
For a community that routinely uses war imagery and analogies, it is baffling how the information security world gives only passing interest in defending systems and networks. Has the community thrown in the towel on defending networks?
The Quiet Assumption
In a recent blog post, the Gartner analyst Anton Chuvakin posed the question of a “quiet AV assumption.” Chuvakin was noting how many incident responders quietly assume that anti-virus would not detect advanced attacks. While it is true that many advanced attacks can bypass security controls, there is a more disturbing issue at stake here: the growing distrust in the ability of technologies to defend an organization.
In my series of RSA articles, I commented many times that RSA seemed to have more substance this year. RSA organizers clearly made “show me the data” a theme for the speakers. Data was plentiful. Every presentation was filled with charts, tables, numbers, facts, quotes, figures, data, data, data! This is a positive turn for RSA. After years of stoking the fires of fear, RSA calmed down and learned a lesson from Nate Silver – data matters.
But what does all this data mean? One of the core things missing from RSA2013 was a point. The presentations, lectures, keynotes and panels never seemed to coalesce into any kind of call to action. The whole show was starry-eyed gaze into the vast pit of Big Data and APT, with nobody stopping to make sense out of this morass.
What is more disconcerting is that the point of all this data should always be the same – improving defenses against attack. Yet the community seems to have given up on defense, to the point where it does not even know what to do to defend an environment.
I saw this exact issue on stage at RSA2013. In the mobile security seminar, the moderator asked the panel of researchers what they would recommend to defend mobile platforms from attack. The whole panel became immediately awash with panic and exchanged nervous glances. Eventually, one of the panelists muttered something about deploying an MDM solution and relevant policies. Do any of these “experts” have any experience securing mobile platforms? Hacking smartphones might be fun and very interesting, but what is the point if it does not lead to concrete ways to defend them from attack?
Other conferences are not much different, they just have different content. DefCon, CanSec, BlackHat, all follow a similar pattern. They lionize vulnerability researchers, who exhaustively describe the newest and most fascinating attack tactic, while outright ignoring the means to stop these attacks. Moreover, vulnerability researchers rarely possess the skill set to actually secure an enterprise network. Knowing how to break in, is not the same as knowing how to protect.
Selling Sports Cars to Teenagers
The marginalization and distrust of defense is only made worse when the various technology vendors manipulate language to inflate their claims of protection. RSA claims the answers to defend the enterprise lie in “big data.” As if inside every mountain of data there is some secret combination of information that will lead you to the doorstep of an attacker. The big data obsession at RSA2013 is endemic of the deprecated defense problem. RSA themselves is essentially saying “you cannot trust your security technologies to protect you, so you have to go digging through mountains of data to locate the attacks.”
While the core concept behind big data security analytics is sound, the messaging is not. Marginalizing proven defensive technologies, in favor of complex, high-effort emerging technologies casts the wrong message to information security practitioners.
One of the concepts we use in our consulting practice is the idea of organizational security maturity. The less mature an organization is (from a security perspective), the more difficult it is for the organization to effectively use complex emerging technologies. Moreover, immature environments are rarely able to invest the effort to make them useful. This is synonymous to giving a sports car to a teenager. While it may get them to their part-time job at Subway quickly, they lack the maturity to handle such a powerful vehicle. Intrusion detection / prevention (IDS/IPS) systems suffered from this problem for a long time. Organizations has to invest a lot of time and effort to make them effective. It was not until recently, when these technologies matured and became easier to use that immature environments could handle them.
Big data security analytics, as well as many other emerging technologies, are great ideas that are simply not ready for mass adoption. There is too much effort required and expertise necessary to make these controls useful. Which is why basic defenses, like patch management, IPS, anti-virus, and other basic defenses are so important. These basics need to be in place and delivering a minimum level of protection to begin realizing the benefit of big data analytics.
Sending the Wrong Message
When the information security community marginalizes and dismisses basic security controls, it sends a message, the wrong message, to less experienced security practitioners. It gives them justification for avoiding these security basics. Worse, it is teaching a whole generation of up and coming practitioners the wrong skills for information security. This approach is suggesting that everybody can be a vulnerability researcher and live a life of glamor and drama catching global computer criminals.
Information security needs people on defense. In fact, we need more people on defense, and less on attack. RSA, BlackHat, Defcon, Security B-sides, and other shows keep spreading the wrong message that information security defense is for losers and the real superstars spend all day reverse engineering malware.
What is infuriating is that nobody cares about defense until it fails, then they overcompensate for their previous dismissal with manufactured outrage and indignation. What did you expect? Spending all day obsessing over APT and compliance language does nothing (or almost nothing) to improve defense. In what sounds like a scene straight out of Catch-22, the security industry is breeding their own weaknesses that justifies their own irrelevance.
Admittedly, defense is not exciting. It lacks drama and rarely grabs headlines (until there is a failure.) Which is why DefCon, BlackHat, RSA and such need to give defense some time on stage. Hacker rockstars need to share the limelight for real practitioners to discuss defensive strategies. And those strategies need to be real ideas, not a sales pitch for a product. These defense people exist, all over the industry. And while they do not get the press of the researchers, they do a lot more to protect businesses.
Honestly, I have low expectations this will ever happen. It would mean admitting that the decades of lionizing vulnerability researchers was a flawed effort. Moreover, the technology vendors, particularly the larger ones who sponsor these events, want to control the defense conversation and steer people into their “next-generation” batch of products. The idea of having non-affiliated practitioners talk about defensive strategies and technologies, means the vendors may have to compete on their merits alone, and not be able to control who says what.
The bright spot in this issue is at the local level. Local ISACA, ISSA, and ISC2 chapters routinely host real practitioners to define sound defensive strategies. Here is where real conversations happen. RSA, BlackHat and similar conferences have become spectacles and social gatherings with a diminishing value to community as a whole as long as defense, arguably the most important part of security, remains an after-thought confined to vendor expos.
Anitian – Intelligent Information Security. For more information please visit www.anitian.com