Earlier this month, Kelly Jackson-Higgins interviewed me for a Dark Reading article, Damage Mitigation as the New Defense. Kelly also sought perspectives from Richard Bejtlich (Mandiant), Neal Creighton (CounterTack), Bruce Schneier (BT Counterpane), George Kurtz (CrowdStrike), and Tim Rains (Microsoft Trustworthy Computing). In the article, Kelly explores “security’s new reality”, which put simply is a growing fatalistic acceptance that trying to prevent attacks by well-funded and determined attackers is futile and that security professionals should shift focus to early detection, rapid mitigation, and damage containment.
The interviewed parties frame out the problem space and identify security technologies that are likely to play prominent roles in the solution space, but all acknowledge that the solution space is, at the moment, incomplete and that its efficacy is unproven. The resulting column gives a good insight into how the security industry may change course or re-invent itself in the “era” of the Advanced Persistent Threat.
Editors often collect far more during interviews than they use or quote. With Kelly’s permission, I’m sharing a transcript of our interview as a complement to her column:
Jackson Higgins: “First, I’d love to get your thoughts on the premise that there’s now a philosophy of accepting that ‘you’ve already been breached, so focus on minimizing the damage.’”
Piscitello: “Organizations that are only now coming to the realization that their network perimeters have been compromised are late to the game. Malware ceased being obvious and destructive years ago. The criminal application of collected/exfiltrated data is now such an enormous problem that it's impossible to avoid. The notion that our only recourse is to focus on minimizing the damage, however, troubles me. It's a concession of defeat. I think this is wrong thinking. Would we respond to oil spills by only focusing on minimizing the damage? I'd rather have us adopt a more aggressive strategy where we actively seek out, identify (and where we discover) contain threats, identify root causes, and take measures to eliminate or mitigate these.”
Jackson Higgins: “Where did the security industry/vendors go wrong that led us to this phase? Did we fail as an industry? Why or why not?”
Piscitello: “Given the evidence, it's hard to argue we haven't failed. Plenty of blame and directions to point fingers and most of that is of little benefit. Organizations have relied too long on traditional security architectures. Unified threat management, policy enforcement points, next generation firewalls are all incarnations of securing perimeters. They are relevant, necessary, but not sufficient primarily because they are mainly static defenses and most (especially the consumer, small business) largely rely on a knowledge based on what we've seen before. We need to be more proactive in looking for anomalous behavior.”
Jackson Higgins: “Where did organizations go wrong in how they deal with security?”
Piscitello: “I think organizations have been too passive, placing too much trust in the security we've implemented to notify us when something's wrong with our network. We don't do enough active monitoring and analysis. Most organizations have little insight into what traffic is flowing across their network and through their firewalls. Most organizations don't really understand what the expected traffic mix looks like for their networks: they have no baseline to gauge "healthy and secure". We need this baseline to help us identify what is anomalous/suspicious and then we need to pursue these leads.”
Jackson Higgins: “What is the next phase?”
Piscitello: “Saying ‘the bad guy's in’ is marketing hype, not security practice. The solution involves more than re-packaging SIEM along with other or new monitoring, analysis and automated intervention tools. These play perhaps a bigger role in the future and it’s a good thing that we’re heightening awareness of how much they are needed. But we should also admit that we want too desperately to rely on automation. Adjustments to the human side – modifying user behavior, reducing administrative error, expanding the staff that defend networks and digital assets as well as their skill sets – are as desperately needed as new tech.”