At this point, it should seem clear we are losing the cyber war. The gap between the ‘safe-and-secure’ Internet we envision and the one we actually have has become pretty big. With literally thousands of vendors touting the ‘real fix’ for malware, distributed denial of service (DDoS), and personally identifiable information (PII) protection... how can it be getting worse?
Digital security is getting worse because of lock-in.
Lock-in means that a particular technology or product is dominant, not because its inherent cost is low or performance is good, but because it enjoys the benefits of increasing returns to scale. As a result, decision-makers are greatly influenced by the dominance (large market share) of a product rather than by their preferences for its inherent properties. -Wikipedia
So how is this impacting our security posture?
We are locked in to products and paradigms that are no longer valid. In fact, they may never have been really useful in the first place, especially when measured against the realities of computer-based crime and cyber warfare. The evidence is all around us every day: the consensus reality for networks is that they are already compromised. Most market effort is placed on incident response, on after-the-fact measures. We, as a society of information security technology buyers, have accepted that our border defenses, client agents, and other security tools, and even our processes, have failed us.
Clearly the tools and methods we are using today to identify and act upon threats to our privacy and security – even our physical security and health – are deeply flawed. Our foes are not just one step ahead - they are ten. Our opponents in the faceless Internet are not burdened with lock-in; they are not beholden to vetting vendors, having legal teams review their purchasing contracts, making sure their decisions fit their résumé, or having to deal with 20 years of sales-based security architecture. Rather, they use the tools and tactics best suited to the task they are trying to accomplish. Period.
So how do we break free?
The first thing is admitting we are locked in, not just to products, but also to processes and thinking. The world of computational security started with the notion of us vs. them, which led us to a philosophy of separating the inside computers from the outside computers. Thus security meant perimeters, firewalls, intrusions. But we already had the first problem: we assumed that threats in cyberspace were like bracing for fierce weather; build a nice wall and keep the rain out.
The us vs. them fallacy soon propagated to the desktop. We eventually realized that, while the computer is physically stationed in one place, the programs on it – web browsers above all – access the Internet at will, and so leave the firewall behind. The machines effectively live in the ephemeral cyberspace, not behind my fancy firewall. Connectivity and data are boundless and recognize no policy nor border.
Yet, again, we amplified this failed thinking. We built file scanners that hashed applications and compared the hashes to lists. The idea was to identify bad actors by the application signature. Yet, again, we applied a concept linked to the physical world, a finite list of identifiable bad actors, to the ephemeral reality of cyberspace. Now we have all sorts of fancy sandboxes and other solutions. Some good, some just snake oil. How can you tell which is which?
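As an added illustration (not part of the original post), here is the hash-list scanner described above in a few lines of Python. The "applications" are constructed byte strings standing in for executables, and the marker string used by the contrasting property rule is likewise constructed; the point is only that a finite list of exact hashes covers none of the functionally identical copies of a program, while a rule on a property of the content is not bound to the list at all.

```python
import hashlib

# Constructed stand-ins for executables: short byte strings, not real programs.
KNOWN_BAD = b"constructed-sample-program:v1"
BLOCKLIST = {hashlib.sha256(KNOWN_BAD).hexdigest()}  # the finite "list"


def sha256_hex(data: bytes) -> str:
    """Hash an application image exactly as a file scanner would."""
    return hashlib.sha256(data).hexdigest()


def hash_list_scan(sample: bytes, blocklist: set) -> bool:
    """Classic signature scanner: flag the sample only if its exact hash is listed."""
    return sha256_hex(sample) in blocklist


def trivial_variants(sample: bytes, count: int) -> list:
    """The same program with two differing trailing bytes: functionally the same
    copy each time, but every one hashes to a value the list has never seen."""
    return [sample + i.to_bytes(2, "big") for i in range(count)]


def detections(samples: list, scanner) -> int:
    """Count how many samples a given scanner flags."""
    return sum(1 for s in samples if scanner(s))


def property_scan(sample: bytes, marker: bytes = b"sample-program") -> bool:
    """Contrast: a rule on a property of the content (here a constructed marker
    string) rather than on an exact hash, so it needs no entry per variant."""
    return marker in sample


if __name__ == "__main__":
    copies = trivial_variants(KNOWN_BAD, 1000)
    print("original flagged by hash list:", hash_list_scan(KNOWN_BAD, BLOCKLIST))
    print("variants flagged by hash list:",
          detections(copies, lambda s: hash_list_scan(s, BLOCKLIST)))
    print("variants flagged by property rule:", detections(copies, property_scan))
```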
Yet we live in a reality where 70% of all breaches are discovered by a third party, an entity not operating within the organization. Furthermore, large companies are breached every day. Privacy, data protection and consumer safety all sit at all-time lows. Yes, we caused a lot of it by adding webcams and smart lights. Our bad. Our protections have not gotten better with the tide.
While it might seem like I am professing total doom and gloom, or even pontificating that all the security tools in existence don't work, it's actually not the case. I think we are doing okay security-wise. But we can do better.
I think the tools we have are adequate for the task at hand. What I challenge is our thinking. Not just how we use the tools, but how we make the tools.
We need to consider cyberspace as a new medium with new realities.
Our foes are all around, they can and will use things (protocols and applications) that we cannot comprehend as weapons, communications methods, and intrusion vectors.
The notion of us vs. them is not applicable in this world. The old paradigm of protection based on being inside the network or outside the network has not been true since 1990, when the Internet was in its infancy. Today, devices connect via numerous media (Ethernet, WiFi, RF, Bluetooth) through any number of hops (computers, laptops, phones, cars, watches), and all of them talk to each other over thousands (millions) of applications and protocols.
Where is the firewall in that? Where is signature based detection for this environment?
No, firewalls and signatures are old fossils that never worked – even if they are venerable and often referred to as important ‘layers’ of security. They were doomed by the nature of this new medium, the ubiquitous and ephemeral Internet.
We need new thinking and innovation. We need to address security architecture build-outs to provide smarter, more secure networks and applications.
About Jamison Utter
Natural curiosity has taken Jamison beyond the technical hack into the workings of the criminal industry: how and why malware is written, how people make money at it (and why they keep doing it), and what their motivations are.