Ethernet Summit Internet and network security is bad, and it's going to get worse before it gets better. To make it better, CIOs and IT admins need to rethink the way that they approach protecting their networks from hackers and other miscreants.
"We've got North Korea with ICBMs and we've got Iran developing an atomic bomb, but that's not our biggest problem," Brocade Communications chairman David House said at a future-forcasting panel during the Ethernet Innovation Summit this week in Mountain View, California. "Our biggest problem is cyber security."
When talking about security, House wasn't referring to privacy – that game has already been lost. "Give it up," he said, "it's over – everybody's going to know everything."
Every click you make on the web is already being tracked. "Right now, Amazon and Google know everything about everything you do, and the ads that pop up are all related to stuff that you have been looking at or you thought about," House said. "They already know about you."
But that's not the problem. "Guess what? Larry Page doesn't give a damn about you or any of that information," he said. "It's just a computer out there that knows about you." You're not that computer's target, your buying habits are. "This is just a bunch of data and big data and databases that's marketing to a market of one."
If not Page – or, rather, his all-seeing computer – then who should we be worried about regarding our privacy? According to House, it's hackers. "Everything is going to be known about you, and the guy who can hack into it is going to know everything about you," he said. "It's the hacker you need to worry about, not Google itself."
The way that we've architected our networks has exacerbated the privacy problem, House argues. "We've been spending the last 40 years abstracting up from the piece of wire to higher and higher levels," he said, "and virtualizatIon and software-defined networks are just another layer of abstraction that we're putting into the environment."
All that abstraction is providing more and more ways for hackers to break into networks. "Every one of these layers is a tunnel that people can go through to access things that they shouldn't have access to," he warned.
At another Summit session, a gaggle of security execs expressed equally pessimistic concerns. For example, Alan Kessler, CEO of data-security company Vormetric, has given up on traditional security measures. "Building a fortress around you network no longer works," he said. "The bad guys are already inside. They already have access to your network – in fact, you may have hired them."
Kessler also is of the opinion that the advent of cloud computing has brought with it another threat layer. "Even if you're confident that you're running your data center, you can trust your people, what if your data is in someone else's cloud? How do you know whether the systems administrator who's managing that server is someone you can trust?"
From Kessler's point of view – and remember, his company is in the data-security business, so he's paid to be paranoid – you can't. Merely protecting your network from intrusion isn't the way to ensure security. Instead, you should focus on locking down your data, and not just your network.
That data-lockdown point of view is shared by Jason Brvenik, VP for security strategy at SourceFire, a – surprise! – network security company. He also said that one glaring proof of the sorry state of network security is the unconscionably long time between when a network is compromised and when a company becomes aware of that fact – one Verizon study put the average time of that gap at over 100 days.
Brvenik said that companies need to use improved analytics to gather more detailed visibility into network activity, and to better share information about how they've been compromised. If they do, he said, "We can close that gap down. We can close it to weeks. We can close it to days. For some organizations we may even be able to close down it to hours or minutes."
Brian Smith, CTO and cofounder of security analytics software vendor Click Security, agreed with Brvenik about information-sharing. "People tend to be very secretive about their security threats," he said, "and we need as an industry to start sharing that knowledge more, because the attackers are essentially businesses – they've developed a piece of software and then they want to make a return on investment on it."
The attackers do that, Smith said, by attacking one company, then another, then another, and so on, profiting on each attack. "We want to collapse that economy," he said – and if a compromised company would share with other companies details about how it was compromised, it would make it more difficult for attackers to achieve their business goal of a healthy ROI.
But no security scheme will work unless a company has well-trained network-security techs on its payroll – and there aren't that many of them to go around.
Most organizations, Smith said, simply realize, "Oh, we should worry about security – and then they appoint one of the IT guys, and say, 'You're now head of security – and, oh, by the way, you haven't lost your day job'." That won't cut it, he said. Instead companies need to invest in training, education, and "professionalization" of network-security administrators.
Training users, however, is a lost cause. As Manish Gupta, SVP of products at "next-generation threat protection" developer FireEye put it, "You can't put restrictions on users. It has never worked in the past, and it'll never work in the future." Or as Kessler put it, if you have a user who wants to run down the hallway with scissors, a security professional's job is to help them do that as safely possible, because they're still going to run with scissors.
Smith also said that a more vigorous attack on hackers was needed. "I think that for the last 20 years or so we've taken the approach as an industry of trying to armor the sheep. I think we need to start hunting the wolves," he said.
"We have tried to make the devices more secure by putting anti-virus [software] on them, by putting controls in the network that prevent breaches," Smith said.
"And the fact is that the bad guys just figure out ways around them." Those preventative measure have been so ineffective that a Verizon breach report concluded that only 5 per cent of intrusions were uncovered by security processes.
"Of the sixty billion dollars that the industry spends on IT security," he said, "they detect one in twenty intrusions that compromise those devices."
So, more training, better data-lockdown, improved analytics, shortened intrusion-detection times – oh yes, and wolf-hunting. These measures all might help, but as for now the problem remains.
Until all those measures – and likely more – are accomplished, well, as Brocade's House put it, "Security is going to get worse." ®