IP Expo Hacking attacks are more or less inevitable, so organisations need to move on from the protection and detection of attacks towards managing their response to breaches so as to minimise harm, according to security guru Bruce Schneier.
Prevention and detection are necessary, but not sufficient, he said. Improving response means that organisations stay on their feet even after they are hit by a serious security breach or hacking attack.
“A sufficiently motivated, funded and skilled hacker will always get in,” Schneier told delegates during a keynote at the IP Expo conference in London. The security guru added that criminals and hackers are now using the sort of tools and techniques that were once the sole purview of intel agencies.
While the '90s were the era of protection (antivirus, firewalls etc), this changed around 2000, when detection products (such as IDS/IPS systems) became more important, he said. This decade in the infosec biz belongs to response, according to Schneier. The security guru left BT last year to become CTO of incident response firm Co3 Systems.
Cloudy with a chance of pwnage
Security teams are incorporating incident response because of three trends in computing, according to Schneier. Firstly, we’ve lost control of our computing environment, much of which has been outsourced to the cloud. This makes response more complicated, because enterprises lack visibility into parts of their critical network infrastructures actually run by other companies. Users' control of computing devices is also on the wane, not just because of the increased use of less configurable smartphones and tablets but because even desktop systems are running more mobile-like operating systems, effectively turning them into tethered devices.
Secondly, attacks are becoming more sophisticated and targeted. Simple financial fraud is no longer the only threat businesses have to fight against. Enterprises can also get caught in the cross-fire of battles that have little to do with them directly.
As hacking becomes a more integral part of geopolitics, unrelated networks are increasingly collateral damage in nation-state fights, according to Schneier. Lastly, companies continue to underinvest in protection and detection – both of which are imperfect, anyway – obliging "response" to pick up the slack.
Security is a combination of people, process, and technology, Schneier explained during a keynote presentation. Protection systems are almost all technology. Detection requires more-or-less equal proportions of people, process, and technology. Response is mostly done by people, with assistance from process and technology. Incident response can’t be automated because everyone’s network is different. All attacks are different too.
Lemons for sale
For most of its life, the security industry has been plagued with the problems of a "lemons market", akin to the market for second-hand cars, Schneier maintained.
Economists have shown that because there’s no good way to test for quality, price becomes the most important differentiator and quality products that might be more effective get pushed out by cheaper products and services. Mediocre products flourish.
In these so-called lemons markets, consumers look for signals of quality, and this explains the security biz's obsession with otherwise meaningless certifications and industry awards, according to Schneier.
Many core security technologies - antivirus, firewalls, intrusion detection and more - have been lemons markets. Schneier argued that incident response steps out of this mould because it's "people-focused in ways protection and detection are not".
“Better products will do better because buyers will quickly be able to determine that they’re better,” he said.
During IP Expo, Schneier's firm, Co3 Systems, announced enhancements to its incident response management system designed to improve its incident response orchestration capabilities.
The new features expand Co3's threat intelligence and customisation options, for example by adding the ability to automatically geo-locate IP addresses and DNS names. This allows response teams to concentrate on closing an incident rather than tackling the chore of manually querying IP databases to determine the incident's origin.
The latest version of Co3’s technology also enables users to quickly create their own incident views by simply dragging and dropping the desired fields into place.
Streamlined analysis means response teams can more efficiently identify trends and uncover threat indicators by linking disparate incidents that are part of a broader attack. The ability to manage a multitude of tasks across various incident types has also been streamlined.