I ordinarily spend a lot of my time talking about the technical aspects of threat detection and examining the tools and strategies that the bad guys are employing to subvert corporate defenses and reach their objectives, so it was refreshing last week to speak with a large group of C-level folks from Fortune-250 companies and to get the opportunity to step back a little.
Talking technical is easy. Distilling technical detail, complex threats and operational nuances down to something that can be consumed by people whose responsibility for dealing with cybercrime lies three levels below them in their organizational hierarchy is somewhat more difficult. Since so many readers here have strong technical backgrounds and often face the task of educating upwards within their own organizations, I figured I'd share four slides from my recent presentation that may be helpful in communicating how the world has changed.
The overall context of the hour-long presentation was the paradigm change from protection back to detection, given the scope and capabilities of modern organized crime. The following slides came from the first quarter of the hour: setting the scene for how protection technologies have failed and what organizations need to do in light of that failure.
In essence, this slide talks about how the adversary has changed from the old model. Gone are the days of a single hacker looking to break in to an organization and toast all the systems. Sure, some of these guys still exist, but that's not where the threat lies today by any statistical analysis. Instead, what organizations are facing is a complex ecosystem where expertise is plentiful and available for relatively low prices. Most importantly, the adversary is now a professional in every sense of the word and needs to be respected as such. Failure to do so is at your peril.
While the adversary has changed for the worse, so too has the target. Consumerization of IT and BYOD, while buzzwords in every sense of the word, really are fundamentally changing the threat landscape and the ability of organizations to combat sophisticated threats. Speaking with lots of people charged with defending their corporations from within, they really do feel powerless to combat Mac threats, Android malware, etc., or to enforce application and desktop policies (whatever that means in the world of iPads and app stores).
Everything is playing into the bad guys' hands. The devices their targets are using are varied and widespread, they roam and bridge networks, they have hundreds of applications yet few are patched in a timely manner, and the threat of personal information being leaked has ensured that encryption of communications is the norm. Too bad for those nosey IT security guys, who can no longer inspect that traffic for malicious attacks.
In essence, the onus of securing the enterprise has slipped from the corporate IT folks and landed firmly in the hands of their enabled workforce, who happen to be poorly suited to the task.
Oh, and then there's the "Cloud". Not the Cloud supplying cheap processing power and high-availability mission-critical applications at a fraction of the cost of legacy systems. Rather the Cloud that is the modern-day equivalent of the USB stick: the mechanism for transporting infected files from one device to the next.
IT security departments have invested millions of dollars in their defense in depth strategies. Multiple layers of "protection" (and expense), overlapping redundancies and a continuous stream of alerts have had debilitating effects on thinly-stretched security teams.
Even if those layers of defense had been working, the "solution" for the bad guys was (and is) to "attack in depth". The tools and techniques they now employ are multi-faceted, and their complexity is hidden from the attacker who uses them. The hard work of innovation and coding was done by some expert far away, and that expertise (along with that of dozens of others) has been combined into a single campaign.
Last but not least, I talked about the "marginalization of protection". My objective in this part of the discussion was to point out that trying to protect everything has never worked, and will be even less successful going forward. The consumerization of IT and the diversity of devices out there have also pushed organizations (including vendors) into territory that is simply uneconomical to secure.
While effort still needs to be applied to "protecting" the enterprise, my advice is to consolidate those expensive resources around the organization's most valuable assets and only grow outwards from there if you're successful.
In response, organizations need to assume that they are compromised and will continue to be compromised many times over, and often in many interesting ways. The onus shifts to how an organization can rapidly detect a compromise and how seamless the remediation needs to become.
I used to say that the most economical course of action was to simply reimage the computer when you were able to confirm the compromise. Nowadays that may not be quick enough, nor appropriate. Today you should reimage when your threshold of suspicion has been reached and, if you can't reimage (e.g. iPads, etc.), then remotely reset the device to factory defaults and wipe any stored content so it can't re-infect itself.
What about those critical devices, such as the CFO's laptop, which can't be reimaged without a lot of disruption? Let's be clear: just because you detected one piece of malware or one remote-control agent on the device doesn't mean that it's the only one installed. And if you're thinking you can safely remove everything related to the infection, then you're either ill-informed or it wasn't a threat to begin with.
Frankly, if you have critical devices that cannot be reimaged at the drop of a hat for any reason, then you've got bigger problems with your IT operations than mere breaches by professional criminals, and your organization needs to reevaluate its security operations at a fairly fundamental level. If a device is so critical that it cannot be recovered, it most certainly shouldn't be a roaming laptop, accessible via the Internet, and operated by personnel with a higher than average probability of being targeted.
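The detect-and-rebuild loop described above, as an added example that is not part of the original post and not a tool from the author or from Vectra: a small triage routine that sums independent indicators per device, orders a reimage once a suspicion threshold is crossed rather than waiting for a confirmed infection, and falls back to a remote factory reset for devices that cannot be reimaged. The event format, the indicator weights, the threshold and the device inventory are all assumptions invented for this example; a real deployment would feed them from its own EDR/IDS telemetry and asset inventory.

```python
"""Threshold-based 'assume compromise' triage (illustrative, not production code).

Indicator weights, threshold, event format and device inventory are assumptions.
"""
from collections import defaultdict

# Assumption: how much each independent indicator raises suspicion. No single
# indicator reaches the threshold on its own; two or three together do. That is
# the point: act on accumulated suspicion, not on a confirmed infection.
INDICATOR_WEIGHTS = {
    "av_detection": 40,
    "beacon_to_rare_domain": 35,
    "new_persistence_entry": 30,
    "lateral_auth_failure_burst": 25,
    "unexpected_encrypted_egress": 20,
}

REIMAGE_THRESHOLD = 60  # assumption: tune per environment

# Constructed inventory. Per the article's argument every laptop should be
# reimageable; tablets and phones typically are not and get a remote wipe.
DEVICES = {
    "LT-CFO-01": {"user": "cfo", "reimageable": True},
    "LT-ENG-17": {"user": "dev", "reimageable": True},
    "TAB-SALES-09": {"user": "sales", "reimageable": False},
}

# Constructed sample telemetry: "<timestamp> <host> <indicator>" per line.
# Includes a duplicate alert and a malformed line to show how both are handled.
SAMPLE_EVENTS = """\
2013-04-02T08:01:12Z LT-ENG-17 av_detection
2013-04-02T08:03:40Z LT-ENG-17 new_persistence_entry
2013-04-02T09:15:03Z TAB-SALES-09 beacon_to_rare_domain
2013-04-02T09:16:55Z TAB-SALES-09 unexpected_encrypted_egress
2013-04-02T10:02:10Z LT-CFO-01 unexpected_encrypted_egress
2013-04-02T10:40:00Z TAB-SALES-09 lateral_auth_failure_burst
2013-04-02T10:41:00Z TAB-SALES-09 lateral_auth_failure_burst
this line is garbage
"""


def parse_events(text):
    """Yield (host, indicator) pairs, skipping malformed lines and unknown indicators."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _timestamp, host, indicator = parts
        if indicator in INDICATOR_WEIGHTS:
            yield host, indicator


def score_hosts(text):
    """Accumulate suspicion per host.

    Each distinct indicator counts once: ten copies of the same AV alert are
    one signal, not ten. Independent indicators are what should add up.
    """
    seen = defaultdict(set)
    for host, indicator in parse_events(text):
        seen[host].add(indicator)
    return {host: sum(INDICATOR_WEIGHTS[i] for i in inds) for host, inds in seen.items()}


def decide(host, score, devices=DEVICES, threshold=REIMAGE_THRESHOLD):
    """Map a suspicion score to an action.

    Partial cleanup is deliberately not an option: once over the threshold the
    device is rebuilt or wiped. A host missing from inventory is treated as
    non-reimageable, so it is wiped rather than quietly left alone.
    """
    if score < threshold:
        return "monitor"
    if devices.get(host, {}).get("reimageable", False):
        return "reimage"
    return "factory_reset_and_wipe"


def triage(text, devices=DEVICES, threshold=REIMAGE_THRESHOLD):
    """Return {host: (score, action)} for every host seen in the telemetry."""
    scores = score_hosts(text)
    return {h: (s, decide(h, s, devices, threshold)) for h, s in scores.items()}


if __name__ == "__main__":
    for host, (score, action) in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host:14} score={score:3}  action={action}")
```

Running the block on the constructed events reimages the engineering laptop (AV hit plus a new persistence entry), wipes the sales tablet (beaconing, odd encrypted egress and an authentication-failure burst, with the duplicate burst counted once), and leaves the CFO laptop on watch for now with only a single weak indicator.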
By Gunter Ollmann, Chief Security Officer at Vectra