Information security can be a noisy place.
I’ve been a “security guy” my entire career and have been lucky enough to have a wide range of experiences: software development, IT security in a very large enterprise, vulnerability research and exploitation, and now as an enterprise software vendor. Through these experiences, I have come to deeply understand the attacker, the typical enterprise, and software development.
For those of you frustrated with today’s noisy market, I understand and agree. I do not envy those of you making purchasing decisions without the benefit of a deep security background to dissect some marketing claims.
What follows are four principles I use to stay grounded in this market. Use these as your “true north,” and you will slice through the confusion, fear and uncertainty in our noisy market.
For each, I’ve included the natural corollaries that derive from the principle, as well as color to tie the principle to today’s market.
PRINCIPLE ONE: Compromise is Inevitable.
Enterprise networks are chaotic beasts of complexity. Even if you patch every known vulnerability, there are dozens of other attack vectors. 0-day vulnerabilities, for which no patch yet exists, are very real. Users will always click the wrong thing. Vulnerabilities at your DNS provider or your ISP will give an attacker man-in-the-middle access (and every free Wi-Fi network your users join is yet another provider). Use TLS certificates to mitigate that risk? You are then depending on the security of every root CA in the world, and they get compromised too. The list goes on and on, and the risks change daily.
NOTE ONE: In the U.S., this principle is now generally accepted as true, but only recently. I think we hit an inflection point around 2014; prior to then I would spend half my briefing time convincing the audience of this truth. Today, that is wasted effort. European and Asian audiences are farther behind but slowly coming around. Many audiences may still need convincing.
COROLLARY ONE: As a result, security in the enterprise is no longer a noun; it’s becoming a verb. It’s not a thing you buy, it’s a thing you do. This is new. Security has historically been the realm of IT and network architects. It was a solution purchased from a vendor, considered a box in the network-architecture diagram similar to a router, proxy or switch. However, when you recognize compromise is inevitable, you are forced to build operational procedures to manage it.
COROLLARY TWO: Not every organization can afford to operationalize security. Managed security services are going to grow significantly in the coming years as Corollary One becomes generally accepted. We are in the renaissance era of the managed SOC.
PRINCIPLE TWO: Default-Allow Endpoint Protection Products Will Fail.
The layman’s explanation is simple: when a system is allow-by-default, you must be able to detect bad things. In the case of malware, the bad things are controlled by the attacker and are infinitely variable: a recompile, a packer or a single flipped byte yields a new sample. It is impossible to build a system that detects all possible bad things from an infinite set of possibilities.
By contrast, when a system is deny-by-default, you must be able to recognize good things. Good things are controlled by the system administrators and form a finite set of possibilities. It is possible to build a system that recognizes the good from a finite set of expected possibilities. This is why the application control market exists and why Cb Protection has been successful: it provides the best possible protection available.
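To make the two policies concrete, here is an added illustration (not Carbon Black code, and not how Cb Protection is implemented). It models executables as constructed byte strings, identifies them by SHA-256, and compares an allow-by-default denylist with a deny-by-default allowlist. The attacker's one-byte change defeats the denylist but not the allowlist; the flip side is that a legitimate vendor update is also blocked until an administrator approves it, which is exactly the operational work Corollary One describes. The sample "binaries" and policy classes are assumptions made for the example.

```python
"""Allow-by-default (denylist) vs. deny-by-default (allowlist) execution policy.

Added example; not the page's or Carbon Black's code. The "binaries" below are
constructed byte strings standing in for executables, hashed with SHA-256.
"""
import hashlib


def sha256(data: bytes) -> str:
    """Identify a binary by the hex SHA-256 of its contents."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for files on an endpoint (not real executables).
NOTEPAD_V1 = b"MZ notepad build 1"
NOTEPAD_V2 = b"MZ notepad build 2"          # vendor patch: new hash, still legitimate
MALWARE_V1 = b"MZ dropper build 1"
MALWARE_V2 = MALWARE_V1 + b"\x00"            # attacker appends one byte: new hash, same behaviour

SAMPLES = {
    "notepad_v1": NOTEPAD_V1,
    "notepad_v2": NOTEPAD_V2,
    "malware_v1": MALWARE_V1,
    "malware_v2": MALWARE_V2,
}


class DenylistPolicy:
    """Allow-by-default: anything not on the known-bad list runs."""

    def __init__(self, known_bad):
        self.known_bad = set(known_bad)

    def allow(self, binary: bytes) -> bool:
        return sha256(binary) not in self.known_bad


class AllowlistPolicy:
    """Deny-by-default: only binaries the administrator approved run."""

    def __init__(self, known_good):
        self.known_good = set(known_good)

    def allow(self, binary: bytes) -> bool:
        return sha256(binary) in self.known_good

    def approve(self, binary: bytes) -> None:
        """The administrator's finite, controllable side of the problem."""
        self.known_good.add(sha256(binary))


def evaluate(policy, samples=SAMPLES) -> dict:
    """Map each sample name to True (allowed to execute) or False (blocked)."""
    return {name: policy.allow(data) for name, data in samples.items()}


def denylist_results() -> dict:
    """Signature-style AV that knows only the original dropper."""
    return evaluate(DenylistPolicy([sha256(MALWARE_V1)]))


def allowlist_results() -> dict:
    """Application control that approved only the deployed notepad build."""
    return evaluate(AllowlistPolicy([sha256(NOTEPAD_V1)]))


def allowlist_after_approval() -> dict:
    """Same allowlist after the administrator approves the vendor patch."""
    policy = AllowlistPolicy([sha256(NOTEPAD_V1)])
    policy.approve(NOTEPAD_V2)
    return evaluate(policy)


if __name__ == "__main__":
    for label, result in (("denylist", denylist_results()),
                          ("allowlist", allowlist_results()),
                          ("allowlist after approval", allowlist_after_approval())):
        print(label, result)
```

Run as-is and note the asymmetry: the denylist lets `malware_v2` run because the attacker controls the hash, while the allowlist blocks both malware variants without ever having seen them. The allowlist also blocks `notepad_v2` until `approve()` is called, which is why real application-control products trust publisher certificates and updater processes rather than maintaining raw hash lists by hand.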
NOTE TWO: Information security has learned this lesson before. When the first firewalls were deployed at network perimeters, they were used to block known-bad traffic. We quickly learned that attackers could simply move to new IPs and ports, leading to a game of whack-a-mole. As a result, best practice shifted to default-deny at the network perimeter. We are playing the same whack-a-mole game on our endpoints today that we played on the firewalls in the late 1990s.
COROLLARY THREE: When your endpoint malware protection products fail, what happens next? What procedures does your operations team have to detect and respond to the malware that gets missed? The traditional answer is full forensics, memory or disk imaging, but those procedures take significant time (and cost) for both acquisition and analysis. Analysis of a single host takes at least hours, possibly days to weeks: too expensive for an enterprise SOC investigating new, real incidents every day. This is why the EDR segment exists and why Cb Response has been successful.
PRINCIPLE THREE: Principle One, Principle Two and Their Corollaries Are Fundamental Truths.
These ideas are not marketing spin, they are not fear-mongering, and they are not opinion. They are rooted in the simple realities of computing and networking. Further, the ideas are not new; they are not recently developed theories. The U.S. Department of Defense, led by the Air Force, recognized these principles 15 years ago and started investing heavily in operationalizing information security. Awareness was not limited to the DoD.
Bruce Schneier’s book Secrets & Lies was published in 2000 and included these principles in the first edition. Kirk Bailey, now CISO at the University of Washington, was using the term “assumption of breach” in 2002 to describe his security management philosophy. These principles have been driving the transformation of information security since at least 2002. In 2014, I posted these words to the Carbon Black blog. They are still true today.
PRINCIPLE FOUR: Collectively, We Are Still Learning Principles One and Two.
Security is undergoing a transformation worldwide. There is still a wide variety of opinions and perspectives, each colored by its holder's experiences. Many opinions will be in the traditional IT mindset of architecture, governance, compliance and controls, a security sub-culture that has dominated “information security” personnel for many years. The more advanced opinions will prioritize the threat and attacker behavior over compliance and governance.
The industry is seeking alternatives to traditional AV but, in some cases, resisting the change required to operationalize its security programs. There is a market segment of solution-seekers that continues to cling to the false hope that they can keep treating security as a noun: a solution they buy, set and forget. This is the goal of Cb Defense: a platform easy enough for today’s solution-seekers, but without compromising the security principles that will keep it durable as they grow to understand Principles One and Two.
Some of you may read this and disagree. I encourage you to reflect on yourself, your experiences and your industry’s risk tolerance. I believe operationalizing security is inevitable. I have been actively seeking counter-opinions for many years and have not yet discovered any sufficiently supported to change my own position. Meanwhile, there is growing support among experts who similarly believe it is the only way we can improve security efficacy.
For those of you who read this and agree, I encourage you to share your perspective. The longer we continue to cling to the false hope we can fix security by simply deploying a magic product, the longer we will put off building the combination of products, people and processes required to address any complex problem. The industry needs your leadership to help shape our future.