Search This Blog

Thursday, July 24, 2014

Proof our industry is broken

I just read the latest Ponemon survey "Exposing the Cyber Security Cracks: A Global Perspective" and I had to laugh. The email started out with "30% of organizations would overhaul their security solutions'. My first thought, just 30%? It should be 90%, because I think only around 10% of us are good enough to catch an APT attack the report covers within an hour or worst a day. The average detection of a breach being 200-400 days, depending on what report you read and in 90% of the cases told to you by a 3rd party.

If you can't detect and respond to a breach within 1-24 hours, you are doing it wrong.

So why is this funny? Well, in figure 2 of the report it lists "Advanced Persistent Threat" as the top concern at 40%... 24% say a "Data exfiltration attack". If a "complete overhaul of the system" sits at 29%, and 22% say no changes needed, we are awesome, and 13% say nothing because they can't stop it.. Our industry is seriously broken. No way 22% can detect an APT attack within 1-24 hours. No report I have ever read of companies that have been breached has ever stated 22% of the companies surveyed successfully detected their attack with 24 hours and we are just validating their findings...

The never ending list of breaches and the length of time these companies were infected should tell us two simple facts, 1. Companies suck at detecting and responding to breaches and 2. Many companies still don't know they have been or are breached or don't care and go many many months with the ne'er-do-wells crawling around the network. My credit card just got compromised, and I suspect another retailer will announce a breach that I shopped at, when someone tells them they have been breached...

APT cannot be prevented, you will get popped, it is just a matter of when you will detect it, or in 90%+ of the cases told by a 3rd party you have been breached... Even worse, you failed to detect it and some one had to tell you.

Detection is not hard, it's just a change in mindset. A BIG change in mindset since so much of our InfoSec industry and management believe a "Prevention solution will save me", plug in the latest appliance. What will save you is people. People that know how to use tools, know and understand the limitations of the tools, admit they are not effective and retire or replace them, evolve their programs to be detective and good at Incident Response and do things outside the box. And yes, don't spend so much time and effort on compliance. People that I wish would be trained at the 3 Con Vegas week and come back significantly better than they left... Maybe defense is not as sexy as exploitation, but it is our day to day job and if you want to keep that job, get better at defense or you will get burned out, canned or be the scapegoat.


Two of the best security tools I use and recommend are not marketed as Security tools at all, but are #1 and #2 on any list of things I would need and insist on to defend a network (Splunk and BigFix or equivalents). Then I would back fill with the necessary and focus on less costly versions of the typical tools we all use/need to be compliant, focusing on low staff impact so they can defend the network the way it needs to be defended. Stop being afraid of tossing a product that just doesn't help you and replace it with something or someone that can. 47% say they are dissatisfied with a product they implemented, 27% say not frequently dissatisfied, so some of the time they are. That is over 50% that don't like what they just implemented and are not tossing it out? Admit that your adversaries have evolved and what use to work can now be bypassed by the ne'er-do-wells and another solution, approach or methodology is needed. Anyone practice the "Malware Management Framework"? (dot Org).

And the two top reasons to replace a security product according to the report? Downtime 73% and difficult user interface 67%... How about the fact it doesn't help solve the 40% APT risk that is your top concern?

I will be attending BSides, BlackHat and Defcon in Las Vegas next month and have gone through the list of talks and discovered that the vast majority of talks are not about helping me defend against ne'er-do-wells. This is a major #FAIL in my opinion as we are not helping educate the masses, we are just WOWing them with what the bad guys could, can, might and are doing to something you may not even have or use.

Cons need to teach more defense, more detection and response. Stuff we can take back and actually do. Lessons learned from those of us that have been their, got burned or succeeded in defending our ASSets. 30% of the 3 Con week in Vegas needs, and I quote " a complete overhaul" to more defense and less offense.

29% in the Ponemon study of 4881 companies in 15 countries with 10 years average experience say they would overhaul! yet with what? how? Where can I learn what's working? I want to learn from those like myself that have lived through and successfully defended against the worst kind of APT attack. Those who have, have much to share, but alas the 3 Con week in Vegas is weak on defensive talks that 90% of us do day to day.

The report goes on to say 52% of companies don't invest in skilled staff... I say, find another gig, we have the lowest unemployment rate in the IT industry. Work for someone who gets it.

Seek out and demand Cons offer up more defensive tracks.

#InfoSec #HackerHurricane #VegasConFail