The industrialisation of cyberwar and cyberespionage using techniques developed in the last decade of massive expansion in cybercrime has presented a serious challenge to the security industry.
The myriad breaches, whether at the lulz end of the scale or at the national security end of the scale, have highlighted the fact that while we as an industry may have been doing the component parts of information security for a long time, we haven’t done it very well.
The security industry-led focus on vulnerability-driven security created a great market for technology-focused design, testing and remediation services and products. I don’t know anyone in security who is both competent and will claim that they can build a secure system free of all vulnerabilities using the techniques and tools currently available. There have been useful developments in asset-driven security, if only to provide content for risk assessments and to prioritise investment decisions, but ultimately the investments have gone into managing the vulnerabilities associated with high-value assets.
The really arresting aspect of cybersecurity is that vulnerability-driven, or even asset-driven, security has been shown to be an insufficient answer. Some of the better players in this space have identified threat-driven security and good, really good, operational security as the basis of a defence, in concert with the vulnerability-driven and asset-driven views.
- Threat-driven security means taking a hard look at the intelligence you have, or can generate, on the sources of the attacks: both before they hit you, out on the Internet, and within your own organisation’s boundaries as they creep around your networks.
- Good operational security is about doing all those unsexy security management tasks (asset management, patch management, change management, log management, incident management, incident response and forensic readiness), only doing them better and faster than you do now.
There is a necessary feedback loop from the security intelligence function: the intelligence product describing the threats and the vulnerabilities, and the intelligence product on activity within the organisational borders, are fed to the operational security team and result in changes to the environment or to the operational processes. This is complemented by a feedback loop in the other direction: the operational security team reports on the outcome of those changes and other management processes, feeding more detail on the threats, their actions and the vulnerabilities they used back to the intelligence team, who use it to refine their information gathering and intelligence product creation processes.
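To make the two loops concrete, here is an added example (not code from the original post): a minimal intelligence-to-operations-and-back cycle over proxy logs. The intel team supplies indicators; the ops team runs them over its own logs; every hit goes back to the intel team together with the other destinations the same internal host contacted around the hit, filtered to drop destinations that hosts with no hits also use, so the intel team can triage them as candidate infrastructure rather than guess. Every indicator, hostname and log line is constructed for the example; the thresholds (a 60-second window, the "seen from a clean host" filter) are assumptions chosen for illustration.

```python
"""Added example: a two-way loop between threat intelligence and security operations.

Intelligence -> operations: indicators are applied to internal proxy logs.
Operations -> intelligence: hits are returned with co-occurring destinations
that the intel team has not yet classified, as candidates for review.

All indicators, hostnames and log lines below are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Intelligence product (constructed): destinations tied to known attack infrastructure.
INTEL_INDICATORS = {
    "domains": {"update-check.example-bad.test"},
    "ips": {"203.0.113.45"},
}

# Constructed proxy log: timestamp, internal host, destination, destination port.
PROXY_LOG = """\
2024-03-01T09:00:01 ws-0142 cdn.example.net 443
2024-03-01T09:00:07 ws-0142 update-check.example-bad.test 443
2024-03-01T09:00:09 ws-0142 203.0.113.45 8443
2024-03-01T09:00:12 ws-0142 files.example-cdn.test 443
2024-03-01T09:30:00 ws-0142 mail.example.net 443
2024-03-01T09:01:00 ws-0207 cdn.example.net 443
"""


@dataclass(frozen=True)
class LogEntry:
    ts: datetime
    host: str
    dest: str
    port: int


def parse_log(text):
    """Parse the whitespace-separated constructed log format into LogEntry objects."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest, port = line.split()
        entries.append(LogEntry(datetime.fromisoformat(ts), host, dest, int(port)))
    return entries


def match_indicators(entries, indicators):
    """Operational step: apply the intelligence product to internal activity."""
    known = indicators["domains"] | indicators["ips"]
    return [e for e in entries if e.dest in known]


def feedback_candidates(entries, hits, window=timedelta(seconds=60)):
    """Feedback step: for every hit, collect destinations the same host contacted
    within `window` that are not already indicators and are not also used by hosts
    with no hits (a crude 'common infrastructure' filter, assumed for the example).
    The result is a triage list for the intel team, not a set of confirmed indicators.
    """
    already_known = {h.dest for h in hits}
    clean_hosts = {e.host for e in entries} - {h.host for h in hits}
    common_dests = {e.dest for e in entries if e.host in clean_hosts}
    candidates = defaultdict(set)  # candidate destination -> hosts where it co-occurred
    for hit in hits:
        for e in entries:
            if e.host != hit.host or e.dest in already_known or e.dest in common_dests:
                continue
            if abs(e.ts - hit.ts) <= window:
                candidates[e.dest].add(hit.host)
    return dict(candidates)


def run_loop(log_text=PROXY_LOG, indicators=INTEL_INDICATORS):
    """Run one cycle: intel applied to logs, then hits turned into feedback."""
    entries = parse_log(log_text)
    hits = match_indicators(entries, indicators)
    return hits, feedback_candidates(entries, hits)


if __name__ == "__main__":
    hits, candidates = run_loop()
    for h in hits:
        print(f"HIT  {h.ts.isoformat()} {h.host} -> {h.dest}:{h.port}")
    for dest, hosts in candidates.items():
        print(f"REVIEW {dest} (co-occurred with hits on {', '.join(sorted(hosts))})")
```

Run as written, the two indicator hits on ws-0142 are reported, `files.example-cdn.test` is returned to the intel team for review because only the compromised-looking host contacted it within the window, and `cdn.example.net` is dropped because a host with no hits used it too. In a real deployment the candidate list would carry the evidence (timestamps, hit that produced it) so the intel team can confirm or reject it, and rejected candidates would feed an allow-list so the same noise is not raised twice.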
Organisational security response to the cybersecurity threat is more likely to be modelled on national security, with cybersecurity equivalents of intelligence and counter-intelligence agencies operating within the security team at large organisations, and with shared, managed cybersecurity intelligence services for smaller organisations. That’s the ‘sexy’ side of cybersecurity; the other critical operational effectiveness aspects run the risk of remaining unsexy and unloved.
The challenge for the security industry is to wean itself off purely technical vulnerability-driven solutions and not only accept the need for joined-up threat-driven solutions, but also to avoid getting caught up in the sexiness of being ‘cyber spooks’ and to make sure the core operational security is delivered.
One problem we face is that IDS, AV and SIEM operator positions are like the McJobs of security. They pay on average less than half of what a good consultant or pen-tester would get. All you need is some worthless vendor cert to do it, which tells you HOW to manage the product but not WHAT you should be using it for. Few if any of these guys can dissect a protocol or analyse a binary. They have limited knowledge of the attacks they face and their management couldn’t give a shit as long as they can tick the box marked “we have IDS/log analysis/AV”.
I believe we have all the tools already to detect and stop attacks. We just don’t have the right people sat in front of those tools – because they can earn a heck of a lot more doing something more valued.