The impact of recent cyber attacks will be felt for years to come, perhaps having risen to a new level of hurt with the Target and Sony attacks. With a Fortune 500 CEO ousted and a Hollywood movie held hostage, cyber-security is on the minds of chief executives and board members as they gather in their first meetings of 2015. How can a massive organization with complex systems and networks prevent itself from becoming the next Target or Sony? Is there any hope?
Yes, there is hope! However, we have to change the economics of cyber attacks.
Cyber-Security is an Economic Game
In The Art of War, Sun Tzu discusses the economic considerations of war, front and center. The business of cyber-security is also an economic game.
Cyber-crime is red-hot because it makes great economic sense to the adversary. The investment of time and money required for cyber criminals to breach a billion dollar organization is infinitesimally small compared to the payoff. A team of two or three hackers working together for a few weeks with a few thousand dollars of black market software is often enough to breach a Fortune 500.
This reality confounds CISOs who already spend tens of millions of dollars every year on IT security. Your IT security investments are not giving you any leverage!
Antiquated Defenses and Vast Attack Surfaces
Current security architectures were designed in a bygone era when there was a useful notion of an internal network inside the corporations’ buildings, and the Internet outside. The firewall was invented to create a narrow isolating choke point between internal networks and the Internet allowing only a few controlled interactions. All was well!
In today’s world of Mobile, Social and Cloud, the situation is quite different. Your systems routinely run computer programs written by persons unknown. While you may not realize it, each Internet web page is a computer program, as is every email attachment, and even web advertisements. Just about any Internet-connected “rectangle” that you see on an electronic screen is a program. All these external programs are potentially malicious, and can compromise you.
A single bug in over eighty million lines of computer software, in Windows or Mac OS, or in any app, e.g., Office, Java, Adobe, combined with an inevitable mis-click by an unsuspecting employee can compromise your enterprise. You have a massive attack surface, literally countless places for the bad guys to get in! The endpoint is your unguarded front door, where you are being attacked continuously as your employees click away in offices, homes, coffee shops, and hotel rooms.
The endpoint is the weakest economic link in your defenses. Once an endpoint is compromised, the adversary can remotely control the infected computer with the same privileges on your network as one of your legitimate users.
Backfire from Next-Gen Security Investments
Let’s consider the economics of the next-generation firewall. First, the next-gen firewall does absolutely nothing for your riskiest mobile users. Moreover, modern malware tries hard to avoid misbehaving while it is still within your network pipes before reaching an endpoint. The firewall, grasping at straws, generates a large daily stream of seemingly suspicious events. These notifications have to be analyzed and chased down by additional investments in event management systems, and security analysts. The overwhelming majority of these events turn out to be false positives, i.e., wasted money.
The bad guys also use this as a weapon, by cranking up the volume of spurious traffic known to generate false positives, while the real attack is carried out elsewhere. This is reverse leverage.
Ultimately, the next-gen firewall becomes a bottleneck, a choke point, unable to keep up with your growing traffic. You have to spend more money on additional hardware that generates even more false-positive events. Vicious cycle.
A New Hope
There is hope. Innovation will resolve this crisis.
You cannot afford to keep doing more of what you have done in the past, or more incremental versions of this stuff. You have to look beyond Security 1.0. In order to level the playing field, organizations must invest in a strategy that will directly impact the economic costs to malicious actors.
Close your eyes and visualize a heat map of risk for your enterprise. In this picture, every one of your endpoints, enterprise owned or employee owned, client or server, on-premise or cloud hosted, is a little red dot. The size and color intensity of the dot is proportional to the amount of information on the endpoint, and the nature and frequency of Internet interactions that each endpoint has. This is the battlefield!
You are looking for products that reduce your exposure. Your investments must protect your information from unknown Internet programs that run on your endpoints, while still supporting such programs seamlessly. This isolation technology must be simple and robust, like disposable gloves in a hospital. It must be designed such that it costs the adversary significant time and money to try to break through. Ideally, you must also be able to fool the adversary into thinking that they have succeeded, while gathering intelligence about the nature of the attack. Techniques like Bromium’s micro-virtualization let you do this.
You will also need new products that let you continuously visualize and monitor your risk at the Internet endpoint level, and provide end-to-end encryption and robust identity authentication. Your compliance, device management, and insider-threat monitoring systems must also work within this framework.
Plan Ahead or Fall Behind
A very senior executive, i.e., you, Mr. CEO, is going to have to micro-manage the plan to mitigate the risk of cyber-attacks. This is a time of great risk to our organizations, so leaders must follow their own business instincts.
How will you figure out the products that will make up your new security architecture? This is quite straightforward- just ask Marc Andreessen, the venture capitalist, or Phil Venables of Goldman Sachs for a list of 5-10 startup companies with innovative Security 2.0 products. Ignore any company that is not run by its founders. You must partner with people with long-term goals towards your economic victory against the cyber-adversary, and who are thinking beyond just a quick transaction.
Ask the startup leaders to come and pitch their solutions to you personally. Have them convince you of the efficacy of their approach. If you don’t understand what is being said, or if you don’t see how the proposed solution raises the economic costs to the adversary by orders of magnitude, it is not worth your while. Select what you truly believe in, and then help the startups help you!
Unless you have one already, hire a top-notch CISO as a partner for this project. For suggestions on whom to hire, ask any one of Jim Routh (Aetna), Tim Dawson (JP Morgan Chase), Roland Cloutier (ADP), John Zepper (US Department of Energy), Tim McKnight (GE), Sunil Seshadri (VISA), Mark Morrison (State Street), or Bob Bigman (former CISO of the CIA). These are some of the modern-day Knights of the Round Table in the realm of cyber-security, and understand the economic principles underlying this fight.
While you transform your security infrastructure to turn the economic odds back against the adversary, your company might look like an “Under Construction” zone. Some users will complain loudly, and you will have to make an effort to have the business running smoothly while the transformation is in play. Nothing worth doing is ever easy, and you must be prepared to see this through. The risk of inaction is worse.